rack 1.3.6 → 1.3.7

data/COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2007, 2008, 2009, 2010 Christian Neukirchen <purl.org/net/chneukirchen>
+Copyright (c) 2007, 2008, 2009, 2010, 2011, 2012 Christian Neukirchen <purl.org/net/chneukirchen>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/KNOWN-ISSUES

@@ -1,3 +1,12 @@
+= Known issues with Rack and ECMA-262
+
+* Many users expect the escape() function defined in ECMA-262 to be compatible
+  with URI. Confusion is especially strong because the documentation for the
+  escape function includes a reference to the URI specifications. ECMA-262
+  escape is not however a URI escape function, it is a javascript escape
+  function, and is not fully compatible. Most notably, for characters outside of
+  the BMP. Users should use the more correct encodeURI functions.
+
 = Known issues with Rack and Web servers
 
 * Lighttpd sets wrong SCRIPT_NAME and PATH_INFO if you mount your

data/README.rdoc

@@ -1,4 +1,4 @@
-= Rack, a modular Ruby webserver interface
+= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
 
 Rack provides a minimal, modular and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
@@ -27,8 +27,11 @@ These web servers include Rack handlers in their distributions:
 * Fuzed
 * Glassfish v3
 * Phusion Passenger (which is mod_rack for Apache and for nginx)
+* Puma
 * Rainbows!
 * Unicorn
+* unixrack
+* uWSGI
 * Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
@@ -132,7 +135,11 @@ at my site:
 
 Testing Rack requires the bacon testing framework:
 
-    gem install bacon
+    bundle install --without extra # to be able to run the fast tests
+
+Or:
+
+    bundle install # this assumes that you have installed native extensions!
 
 There are two rake-based test tasks:
 
@@ -373,10 +380,99 @@ run on port 11211) and memcache-client installed.
 * October 17, 2011: Twentieth public release 1.3.5
   * Fix annoying warnings caused by the backport in 1.3.4
 
-* December 28th, 2011: Twenty third public release: 1.3.6
+* December 28th, 2011: Twenty first public release: 1.1.3.
   * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
     Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
 
+* December 28th, 2011: Twenty fourth public release 1.4.0
+  * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
+  * Raise sane error messages for broken config.ru
+  * Allow combining run and map in a config.ru
+  * Rack::ContentType will not set Content-Type for responses without a body
+  * Status code 205 does not send a response body
+  * Rack::Response::Helpers will not rely on instance variables
+  * Rack::Utils.build_query no longer outputs '=' for nil query values
+  * Various mime types added
+  * Rack::MockRequest now supports HEAD
+  * Rack::Directory now supports files that contain RFC3986 reserved chars
+  * Rack::File now only supports GET and HEAD requests
+  * Rack::Server#start now passes the block to Rack::Handler::<h>#run
+  * Rack::Static now supports an index option
+  * Added the Teapot status code
+  * rackup now defaults to Thin instead of Mongrel (if installed)
+  * Support added for HTTP_X_FORWARDED_SCHEME
+  * Numerous bug fixes, including many fixes for new and alternate rubies
+
+* January 22nd, 2012: Twenty fifth public release 1.4.1
+  * Alter the keyspace limit calculations to reduce issues with nested params
+  * Add a workaround for multipart parsing where files contain unescaped "%"
+  * Added Rack::Response::Helpers#method_not_allowed? (code 405)
+  * Rack::File now returns 404 for illegal directory traversals
+  * Rack::File now returns 405 for illegal methods (non HEAD/GET)
+  * Rack::Cascade now catches 405 by default, as well as 404
+  * Cookies missing '--' no longer cause an exception to be raised
+  * Various style changes and documentation spelling errors
+  * Rack::BodyProxy always ensures to execute its block
+  * Additional test coverage around cookies and secrets
+  * Rack::Session::Cookie can now be supplied either secret or old_secret
+  * Tests are no longer dependent on set order
+  * Rack::Static no longer defaults to serving index files
+  * Rack.release was fixed
+
+* January 6th, 2013: Twenty sixth public release 1.1.4
+  * Add warnings when users do not provide a session secret
+
+* January 6th, 2013: Twenty seventh public release 1.2.6
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+
+* January 6th, 2013: Twenty eighth public release 1.3.7
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+  * Updated URI backports
+  * Fix URI backport version matching, and silence constant warnings
+  * Correct parameter parsing with empty values
+  * Correct rackup '-I' flag, to allow multiple uses
+  * Correct rackup pidfile handling
+  * Report rackup line numbers correctly
+  * Fix request loops caused by non-stale nonces with time limits
+  * Fix reloader on Windows
+  * Prevent infinite recursions from Response#to_ary
+  * Various middleware better conforms to the body close specification
+  * Updated language for the body close specification
+  * Additional notes regarding ECMA escape compatibility issues
+  * Fix the parsing of multiple ranges in range headers
+
+* January 6th, 2013: Twenty ninth public release 1.4.2
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+  * Updated URI backports
+  * Fix URI backport version matching, and silence constant warnings
+  * Correct parameter parsing with empty values
+  * Correct rackup '-I' flag, to allow multiple uses
+  * Correct rackup pidfile handling
+  * Report rackup line numbers correctly
+  * Fix request loops caused by non-stale nonces with time limits
+  * Fix reloader on Windows
+  * Prevent infinite recursions from Response#to_ary
+  * Various middleware better conforms to the body close specification
+  * Updated language for the body close specification
+  * Additional notes regarding ECMA escape compatibility issues
+  * Fix the parsing of multiple ranges in range headers
+  * Prevent errors from empty parameter keys
+  * Added PATCH verb to Rack::Request
+  * Various documentation updates
+  * Fix session merge semantics (fixes rack-test)
+  * Rack::Static :index can now handle multiple directories
+  * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
+  * Rack::File cache_control parameter is now deprecated, and removed by 1.5
+  * Correct Rack::Directory script name escaping
+  * Rack::Static supports header rules for sophisticated configurations
+  * Multipart parsing now works without a Content-Length header
+  * New logos courtesy of Zachary Scott!
+  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
+  * Cookies that are not URI escaped no longer cause exceptions
+
 == Contact
 
 Please post bugs, suggestions and patches to
@@ -457,7 +553,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.rubyforge.org/>
+Rack:: <http://rack.github.com/>
 Official Rack repositories:: <http://github.com/rack>
 Rack Bug Tracking:: <http://github.com/rack/rack/issues>
 rack-devel mailing list:: <http://groups.google.com/group/rack-devel>

data/SPEC

@@ -156,7 +156,9 @@ The Body must respond to +each+
 and must only yield String values.
 The Body itself should not be an instance of String, as this will
 break in Ruby 1.9.
-If the Body responds to +close+, it will be called after iteration.
+If the Body responds to +close+, it will be called after iteration. If
+the body is replaced by a middleware after action, the original body
+must be closed first, if it repsonds to close.
 If the Body responds to +to_path+, it must return a String
 identifying the location of a file whose contents are identical
 to that produced by calling +each+; this may be used by the

data/contrib/rack.svg

@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:osb="http://www.openswatchbook.org/uri/2009/osb"
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="744.09448819"
+   height="1052.3622047"
+   id="svg2"
+   version="1.1"
+   inkscape:version="0.48.3.1 r9886"
+   sodipodi:docname="rack.svg">
+  <defs
+     id="defs4">
+    <linearGradient
+       id="linearGradient3837"
+       osb:paint="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:1;"
+         offset="0"
+         id="stop3839" />
+    </linearGradient>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="0.98994949"
+     inkscape:cx="230.49849"
+     inkscape:cy="656.46253"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="false"
+     showguides="false"
+     inkscape:guide-bbox="true"
+     inkscape:window-width="1920"
+     inkscape:window-height="1056"
+     inkscape:window-x="1920"
+     inkscape:window-y="24"
+     inkscape:window-maximized="1">
+    <sodipodi:guide
+       orientation="1,0"
+       position="645.99255,757.10933"
+       id="guide2995" />
+    <sodipodi:guide
+       orientation="1,0"
+       position="488.40876,686.90373"
+       id="guide2997" />
+    <sodipodi:guide
+       orientation="1,0"
+       position="176.7767,748.52304"
+       id="guide2999" />
+    <sodipodi:guide
+       orientation="1,0"
+       position="355.71429,782.85714"
+       id="guide3005" />
+    <sodipodi:guide
+       orientation="0,1"
+       position="527.14286,642.85714"
+       id="guide3007" />
+    <sodipodi:guide
+       orientation="0,1"
+       position="431.42857,507.85714"
+       id="guide3009" />
+    <sodipodi:guide
+       orientation="0,1"
+       position="488.40876,783.57143"
+       id="guide3011" />
+    <sodipodi:guide
+       orientation="0,1"
+       position="505,372.85714"
+       id="guide3013" />
+  </sodipodi:namedview>
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1">
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 176.28125,201.03125 0,0.625 0,395.125 0,0.375 0.34375,0.0937 312.34375,91.6875 0.625,0.1875 0,-0.65625 0.125,-419.09375 0,-0.40625 -0.40625,-0.0937 -312.4375,-67.71875 -0.59375,-0.125 z m 1,1.21875 311.4375,67.5 -0.125,418.0625 -311.3125,-91.375 0,-394.1875 z"
+       id="path2985"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 647.21875,206.59375 -0.6875,0.28125 -157.59375,62.21875 -0.3125,0.125 0,0.34375 0.1875,419.125 0,0.75 0.6875,-0.28125 156.0625,-63.1875 0.3125,-0.125 0,-0.34375 1.34375,-418.15625 0,-0.75 z m -1,1.4375 -1.34375,417.125 -155.0625,62.78125 -0.1875,-418.03125 156.59375,-61.875 z"
+       id="path2993"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 355.6875,137.40625 -0.15625,0.0625 L 176.96875,201.0625 177.3125,202 355.75,138.4375 646.78125,207.53125 647,206.5625 l -291.15625,-69.125 -0.15625,-0.0312 z"
+       id="path3003"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 355.71875,277.53125 -0.125,0.0312 -178.9375,47.96875 -1.8125,0.46875 1.8125,0.5 311.625,83.5 0.15625,0.0312 0.125,-0.0625 157.59375,-53.65625 1.5625,-0.53125 -1.59375,-0.4375 -290.28125,-77.78125 -0.125,-0.0312 z m 0,1.03125 L 644.3125,355.90625 488.375,409 178.71875,326 l 177,-47.4375 z"
+       id="path3015"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 355.21875,240.9375 0,37.125 1,0 0,-37.125 -1,0 z"
+       id="path3017"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 176.28125,202.65625 0,393.28125 1,0 0,-393.28125 -1,0 z"
+       id="path3019"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 355.71875,409 -0.125,0.0312 L 177,455.8125 l -1.78125,0.46875 1.78125,0.5 L 488.28125,545 l 0.15625,0.0312 0.125,-0.0625 156.71875,-56.25 1.46875,-0.53125 -1.53125,-0.40625 -289.375,-78.75 -0.125,-0.0312 z m 0,1.03125 287.6875,78.28125 L 488.375,544 179.03125,456.3125 355.71875,410.03125 z"
+       id="path3021"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 355.71875,544 -0.15625,0.0312 -178.5625,52.3125 0.28125,0.96875 178.4375,-52.28125 289.59375,80.25 0.28125,-0.96875 -289.75,-80.28125 -0.125,-0.0312 z"
+       id="path3023"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 355.21875,374.34375 0,35.15625 1,0 0,-35.15625 -1,0 z"
+       id="path3025"
+       inkscape:connector-curvature="0" />
+    <path
+       style="font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-indent:0;text-align:start;text-decoration:none;line-height:normal;letter-spacing:normal;word-spacing:normal;text-transform:none;direction:ltr;block-progression:tb;writing-mode:lr-tb;text-anchor:start;baseline-shift:baseline;color:#000000;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:10;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate;font-family:Sans;-inkscape-font-specification:Sans;stroke-opacity:1;stroke-miterlimit:30;stroke-dasharray:none;stroke-linecap:round;stroke-linejoin:round"
+       d="m 355.1875,507.03125 0,37.4375 1.03125,0 0,-37.4375 -1.03125,0 z"
+       id="path3027"
+       inkscape:connector-curvature="0" />
+  </g>
+</svg>

data/lib/rack/auth/basic.rb

@@ -41,7 +41,7 @@ module Rack
 
       class Request < Auth::AbstractRequest
         def basic?
-          :basic == scheme
+          !parts.first.nil? && :basic == scheme
         end
 
         def credentials

data/lib/rack/auth/digest/nonce.rb

@@ -38,7 +38,7 @@ module Rack
         end
 
         def stale?
-          !self.class.time_limit.nil? && (@timestamp - Time.now.to_i) < self.class.time_limit
+          !self.class.time_limit.nil? && (Time.now.to_i - @timestamp) > self.class.time_limit
         end
 
         def fresh?

data/lib/rack/backports/uri/common_18.rb

@@ -8,7 +8,21 @@
 
 module URI
   TBLENCWWWCOMP_ = {} # :nodoc:
+  256.times do |i|
+    TBLENCWWWCOMP_[i.chr] = '%%%02X' % i
+  end
+  TBLENCWWWCOMP_[' '] = '+'
+  TBLENCWWWCOMP_.freeze
   TBLDECWWWCOMP_ = {} # :nodoc:
+  256.times do |i|
+    h, l = i>>4, i&15
+    TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
+    TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
+    TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
+    TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
+  end
+  TBLDECWWWCOMP_['+'] = ' '
+  TBLDECWWWCOMP_.freeze
 
   # Encode given +s+ to URL-encoded form data.
   #
@@ -26,18 +40,6 @@ module URI
         '%' + $1.unpack('H2' * Rack::Utils.bytesize($1)).join('%').upcase
       end.tr(' ', '+')
     else
-      if TBLENCWWWCOMP_.empty?
-        tbl = {}
-        256.times do |i|
-          tbl[i.chr] = '%%%02X' % i
-        end
-        tbl[' '] = '+'
-        begin
-          TBLENCWWWCOMP_.replace(tbl)
-          TBLENCWWWCOMP_.freeze
-        rescue
-        end
-      end
       str.gsub(/[^*\-.0-9A-Z_a-z]/) {|m| TBLENCWWWCOMP_[m]}
     end
   end
@@ -48,22 +50,6 @@ module URI
   #
   # See URI.encode_www_form_component, URI.decode_www_form
   def self.decode_www_form_component(str, enc=nil)
-    if TBLDECWWWCOMP_.empty?
-      tbl = {}
-      256.times do |i|
-        h, l = i>>4, i&15
-        tbl['%%%X%X' % [h, l]] = i.chr
-        tbl['%%%x%X' % [h, l]] = i.chr
-        tbl['%%%X%x' % [h, l]] = i.chr
-        tbl['%%%x%x' % [h, l]] = i.chr
-      end
-      tbl['+'] = ' '
-      begin
-        TBLDECWWWCOMP_.replace(tbl)
-        TBLDECWWWCOMP_.freeze
-      rescue
-      end
-    end
     raise ArgumentError, "invalid %-encoding (#{str})" unless /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/ =~ str
     str.gsub(/\+|%[0-9a-fA-F]{2}/) {|m| TBLDECWWWCOMP_[m]}
   end

data/lib/rack/backports/uri/common_192.rb

@@ -17,6 +17,19 @@
 require 'uri/common'
 
 module URI
+  TBLDECWWWCOMP_ = {} unless const_defined?(:TBLDECWWWCOMP_)  #:nodoc:
+  if TBLDECWWWCOMP_.empty?
+    256.times do |i|
+      h, l = i>>4, i&15
+      TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
+      TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
+      TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
+      TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
+    end
+    TBLDECWWWCOMP_['+'] = ' '
+    TBLDECWWWCOMP_.freeze
+  end
+
   def self.decode_www_form(str, enc=Encoding::UTF_8)
     return [] if str.empty?
     unless /\A#{WFKV_}=#{WFKV_}(?:[;&]#{WFKV_}=#{WFKV_})*\z/o =~ str
@@ -30,26 +43,10 @@ module URI
   end
 
   def self.decode_www_form_component(str, enc=Encoding::UTF_8)
-    if TBLDECWWWCOMP_.empty?
-      tbl = {}
-      256.times do |i|
-        h, l = i>>4, i&15
-        tbl['%%%X%X' % [h, l]] = i.chr
-        tbl['%%%x%X' % [h, l]] = i.chr
-        tbl['%%%X%x' % [h, l]] = i.chr
-        tbl['%%%x%x' % [h, l]] = i.chr
-      end
-      tbl['+'] = ' '
-      begin
-        TBLDECWWWCOMP_.replace(tbl)
-        TBLDECWWWCOMP_.freeze
-      rescue
-      end
-    end
     raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str
     str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc)
   end
 
-  remove_const :WFKV_
+  remove_const :WFKV_ if const_defined?(:WFKV_)
   WFKV_ = '(?:[^%#=;&]*(?:%\h\h[^%#=;&]*)*)' # :nodoc:
 end

data/lib/rack/backports/uri/common_193.rb

@@ -0,0 +1,29 @@
+# :stopdoc:
+
+require 'uri/common'
+
+# Issue:
+# http://bugs.ruby-lang.org/issues/5925
+#
+# Relevant commit:
+# https://github.com/ruby/ruby/commit/edb7cdf1eabaff78dfa5ffedfbc2e91b29fa9ca1
+
+module URI
+  256.times do |i|
+    TBLENCWWWCOMP_[i.chr] = '%%%02X' % i
+  end
+  TBLENCWWWCOMP_[' '] = '+'
+  TBLENCWWWCOMP_.freeze
+
+  256.times do |i|
+    h, l = i>>4, i&15
+    TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
+    TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
+    TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
+    TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
+  end
+  TBLDECWWWCOMP_['+'] = ' '
+  TBLDECWWWCOMP_.freeze
+end
+
+# :startdoc:

data/lib/rack/body_proxy.rb

@@ -5,6 +5,7 @@ module Rack
     end
 
     def respond_to?(*args)
+      return false if args.first.to_s =~ /^to_ary$/
       super or @body.respond_to?(*args)
     end
 
@@ -19,7 +20,16 @@ module Rack
       @closed
     end
 
+    # N.B. This method is a special case to address the bug described by #434.
+    # We are applying this special case for #each only. Future bugs of this
+    # class will be handled by requesting users to patch their ruby
+    # implementation, to save adding too many methods in this class.
+    def each(*args, &block)
+      @body.each(*args, &block)
+    end
+
     def method_missing(*args, &block)
+      super if args.first.to_s =~ /^to_ary$/
       @body.__send__(*args, &block)
     end
   end

data/lib/rack/builder.rb

@@ -38,7 +38,7 @@ module Rack
         end
         cfgfile.sub!(/^__END__\n.*/, '')
         app = eval "Rack::Builder.new {\n" + cfgfile + "\n}.to_app",
-          TOPLEVEL_BINDING, config
+          TOPLEVEL_BINDING, config, 0
       else
         require config
         app = Object.const_get(::File.basename(config, '.rb').capitalize)

data/lib/rack/cascade.rb

@@ -19,8 +19,19 @@ module Rack
     def call(env)
       result = NotFound
 
+      last_body = nil
+
       @apps.each do |app|
+        # The SPEC says that the body must be closed after it has been iterated
+        # by the server, or if it is replaced by a middleware action. Cascade
+        # replaces the body each time a cascade happens. It is assumed that nil
+        # does not respond to close, otherwise the previous application body
+        # will be closed. The final application body will not be closed, as it
+        # will be passed to the server as a result.
+        last_body.close if last_body.respond_to? :close
+
         result = app.call(env)
+        last_body = result[2]
         break unless @catch.include?(result[0].to_i)
       end
 

data/lib/rack/deflater.rb

@@ -45,6 +45,7 @@ module Rack
       when "identity"
         [status, headers, body]
       when nil
+        body.close if body.respond_to?(:close)
         message = "An acceptable encoding for the requested resource #{request.fullpath} could not be found."
         [406, {"Content-Type" => "text/plain", "Content-Length" => message.length.to_s}, [message]]
       end
@@ -64,6 +65,7 @@ module Rack
           gzip.write(part)
           gzip.flush
         }
+      ensure
         @body.close if @body.respond_to?(:close)
         gzip.close
         @writer = nil
@@ -90,9 +92,11 @@ module Rack
       def each
         deflater = ::Zlib::Deflate.new(*DEFLATE_ARGS)
         @body.each { |part| yield deflater.deflate(part, Zlib::SYNC_FLUSH) }
-        @body.close if @body.respond_to?(:close)
         yield deflater.finish
         nil
+      ensure
+        @body.close if @body.respond_to?(:close)
+        deflater.close
       end
     end
   end

data/lib/rack/head.rb

@@ -9,6 +9,7 @@ class Head
     status, headers, body = @app.call(env)
 
     if env["REQUEST_METHOD"] == "HEAD"
+      body.close if body.respond_to? :close
       [status, headers, []]
     else
       [status, headers, body]

data/lib/rack/lint.rb

@@ -528,7 +528,9 @@ module Rack
       ## The Body itself should not be an instance of String, as this will
       ## break in Ruby 1.9.
       ##
-      ## If the Body responds to +close+, it will be called after iteration.
+      ## If the Body responds to +close+, it will be called after iteration. If
+      ## the body is replaced by a middleware after action, the original body
+      ## must be closed first, if it repsonds to close.
       # XXX howto: assert("Body has not been closed") { @closed }
 
 

data/lib/rack/multipart.rb

@@ -12,7 +12,7 @@ module Rack
     MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
     TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
     CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
-    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/
+    DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/
     RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
     BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
     BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
@@ -31,4 +31,4 @@ module Rack
     end
 
   end
-end
+end

data/lib/rack/reloader.rb

@@ -101,7 +101,7 @@ module Rack
         return unless file
         stat = ::File.stat(file)
         return file, stat if stat.file?
-      rescue Errno::ENOENT, Errno::ENOTDIR
+      rescue Errno::ENOENT, Errno::ENOTDIR, Errno::ESRCH
         @cache.delete(file) and false
       end
     end

data/lib/rack/response.rb

@@ -74,9 +74,10 @@ module Rack
       if [204, 304].include?(status.to_i)
         header.delete "Content-Type"
         header.delete "Content-Length"
+        close
         [status.to_i, header, []]
       else
-        [status.to_i, header, self]
+        [status.to_i, header, BodyProxy.new(self){}]
       end
     end
     alias to_a finish           # For *response

data/lib/rack/server.rb

@@ -26,7 +26,7 @@ module Rack
 
           opts.on("-I", "--include PATH",
                   "specify $LOAD_PATH (may be used more than once)") { |path|
-            options[:include] = path.split(":")
+            (options[:include] ||= []).concat(path.split(":"))
           }
 
           opts.on("-r", "--require LIBRARY",
@@ -247,11 +247,14 @@ module Rack
         pp app
       end
 
+      check_pid! if options[:pid]
+
       # Touch the wrapped app, so that the config.ru is loaded before
       # daemonization (i.e. before chdir, etc).
       wrapped_app
 
       daemonize_app if options[:daemonize]
+
       write_pid if options[:pid]
 
       trap(:INT) do
@@ -274,7 +277,7 @@ module Rack
         options = default_options
 
         # Don't evaluate CGI ISINDEX parameters.
-        # http://hoohoo.ncsa.uiuc.edu/cgi/cl.html
+        # http://www.meb.uni-bonn.de/docs/cgi/cl.html
         args.clear if ENV.include?("REQUEST_METHOD")
 
         options.merge! opt_parser.parse!(args)
@@ -319,5 +322,28 @@ module Rack
         ::File.open(options[:pid], 'w'){ |f| f.write("#{Process.pid}") }
         at_exit { ::File.delete(options[:pid]) if ::File.exist?(options[:pid]) }
       end
+
+      def check_pid!
+        case pidfile_process_status
+        when :running, :not_owned
+          $stderr.puts "A server is already running. Check #{options[:pid]}."
+          exit(1)
+        when :dead
+          ::File.delete(options[:pid])
+        end
+      end
+
+      def pidfile_process_status
+        return :exited unless ::File.exist?(options[:pid])
+
+        pid = ::File.read(options[:pid]).to_i
+        Process.kill(0, pid)
+        :running
+      rescue Errno::ESRCH
+        :dead
+      rescue Errno::EPERM
+        :not_owned
+      end
+
   end
 end

data/lib/rack/session/cookie.rb

@@ -80,6 +80,15 @@ module Rack
 
       def initialize(app, options={})
         @secret = options[:secret]
+        warn <<-MSG unless @secret
+        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+        This poses a security threat. It is strongly recommended that you
+        provide a secret to prevent exploits that may be possible from crafted
+        cookies. This will not be supported in future versions of Rack, and
+        future versions will even invalidate your existing user cookies.
+
+        Called from: #{caller[0]}.
+        MSG
         @coder  = options[:coder] ||= Base64::Marshal.new
         super(app, options.merge!(:cookie_only => true))
       end

data/lib/rack/utils.rb

@@ -5,11 +5,14 @@ require 'tempfile'
 require 'rack/multipart'
 
 major, minor, patch = RUBY_VERSION.split('.').map { |v| v.to_i }
+ruby_engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : 'ruby'
 
 if major == 1 && minor < 9
   require 'rack/backports/uri/common_18'
-elsif major == 1 && minor == 9 && patch < 3
+elsif major == 1 && minor == 9 && patch == 2 && RUBY_PATCHLEVEL <= 320 && RUBY_ENGINE != 'jruby'
   require 'rack/backports/uri/common_192'
+elsif major == 1 && minor == 9 && patch == 3 && RUBY_PATCHLEVEL < 125
+  require 'rack/backports/uri/common_193'
 else
   require 'uri/common'
 end
@@ -60,6 +63,7 @@ module Rack
       bytes = 0
 
       (qs || '').split(d ? /[#{d}] */n : DEFAULT_SEP).each do |p|
+        next if p.empty?
         k, v = p.split('=', 2).map { |x| unescape(x) }
 
         if k
@@ -315,16 +319,16 @@ module Rack
     def byte_ranges(env, size)
       # See <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35>
       http_range = env['HTTP_RANGE']
-      return nil unless http_range
+      return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
-      http_range.split(/,\s*/).each do |range_spec|
-        matches = range_spec.match(/bytes=(\d*)-(\d*)/)
-        return nil  unless matches
-        r0,r1 = matches[1], matches[2]
+      $1.split(/,\s*/).each do |range_spec|
+        return nil  unless range_spec =~ /(\d*)-(\d*)/
+        r0,r1 = $1, $2
         if r0.empty?
           return nil  if r1.empty?
           # suffix-byte-range-spec, represents trailing suffix of file
-          r0 = [size - r1.to_i, 0].max
+          r0 = size - r1.to_i
+          r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.3.6"
+  s.version         = "1.3.7"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
 
@@ -11,7 +11,7 @@ the simplest way possible, it unifies and distills the API for web
 servers, web frameworks, and software in between (the so-called
 middleware) into a single method call.
 
-Also see http://rack.rubyforge.org.
+Also see http://rack.github.com/.
 EOF
 
   s.files           = Dir['{bin/*,contrib/*,example/*,lib/**/*,test/**/*}'] +
@@ -24,7 +24,7 @@ EOF
 
   s.author          = 'Christian Neukirchen'
   s.email           = 'chneukirchen@gmail.com'
-  s.homepage        = 'http://rack.rubyforge.org'
+  s.homepage        = 'http://rack.github.com/'
   s.rubyforge_project = 'rack'
 
   s.add_development_dependency 'bacon'

data/test/builder/line.ru

@@ -0,0 +1 @@
+run lambda{ |env| [200, {'Content-Type' => 'text/plain'}, [__LINE__.to_s]] }

data/test/spec_auth_basic.rb

@@ -63,6 +63,14 @@ describe Rack::Auth::Basic do
     end
   end
 
+  should 'return 400 Bad Request for a malformed authorization header' do
+    request 'HTTP_AUTHORIZATION' => '' do |response|
+      response.should.be.a.client_error
+      response.status.should.equal 400
+      response.should.not.include 'WWW-Authenticate'
+    end
+  end
+
   it 'takes realm as optional constructor arg' do
     app = Rack::Auth::Basic.new(unprotected_app, realm) { true }
     realm.should == app.realm

data/test/spec_auth_digest.rb

@@ -152,6 +152,20 @@ describe Rack::Auth::Digest::MD5 do
     end
   end
 
+  should 'not rechallenge if nonce is not stale' do
+    begin
+      Rack::Auth::Digest::Nonce.time_limit = 10
+
+      request_with_digest_auth 'GET', '/', 'Alice', 'correct-password', :wait => 1 do |response|
+        response.status.should.equal 200
+        response.body.to_s.should.equal 'Hi Alice'
+        response.headers['WWW-Authenticate'].should.not =~ /\bstale=true\b/
+      end
+    ensure
+      Rack::Auth::Digest::Nonce.time_limit = nil
+    end
+  end
+
   should 'rechallenge with stale parameter if nonce is stale' do
     begin
       Rack::Auth::Digest::Nonce.time_limit = 1

data/test/spec_body_proxy.rb

@@ -45,4 +45,8 @@ describe Rack::BodyProxy do
     proxy.close
     closed.should.equal true
   end
+
+  should 'provide an #each method' do
+    Rack::BodyProxy.method_defined?(:each).should.equal true
+  end
 end

data/test/spec_builder.rb

@@ -148,5 +148,11 @@ describe Rack::Builder do
       Rack::MockRequest.new(app).get("/").body.to_s.should.equal 'OK'
       $:.pop
     end
+
+    it "sets __LINE__ correctly" do
+      app, options = Rack::Builder.parse_file config_file('line.ru')
+      options = nil # ignored, prevents warning
+      Rack::MockRequest.new(app).get("/").body.to_s.should.equal '1'
+    end
   end
 end

data/test/spec_cascade.rb

@@ -42,4 +42,12 @@ describe Rack::Cascade do
     cascade << app3
     Rack::MockRequest.new(cascade).get('/foo').should.be.ok
   end
+
+  should "close the body on cascade" do
+    body = StringIO.new
+    closer = lambda { |env| [404, {}, body] }
+    cascade = Rack::Cascade.new([closer, app3], [404])
+    Rack::MockRequest.new(cascade).get("/foo").should.be.ok
+    body.should.be.closed
+  end
 end

data/test/spec_head.rb

@@ -2,29 +2,41 @@ require 'rack/head'
 require 'rack/mock'
 
 describe Rack::Head do
+
   def test_response(headers = {})
-    app = lambda { |env| [200, {"Content-type" => "test/plain", "Content-length" => "3"}, ["foo"]] }
+    body = StringIO.new "foo"
+    app = lambda do |env|
+      [200, {"Content-type" => "test/plain", "Content-length" => "3"}, body]
+    end
     request = Rack::MockRequest.env_for("/", headers)
     response = Rack::Head.new(app).call(request)
 
-    return response
+    return response, body
   end
 
   should "pass GET, POST, PUT, DELETE, OPTIONS, TRACE requests" do
     %w[GET POST PUT DELETE OPTIONS TRACE].each do |type|
-      resp = test_response("REQUEST_METHOD" => type)
+      resp, _ = test_response("REQUEST_METHOD" => type)
 
       resp[0].should.equal(200)
       resp[1].should.equal({"Content-type" => "test/plain", "Content-length" => "3"})
-      resp[2].should.equal(["foo"])
+      resp[2].each { |b| b.should.equal("foo") }
     end
   end
 
   should "remove body from HEAD requests" do
-    resp = test_response("REQUEST_METHOD" => "HEAD")
+    resp, _ = test_response("REQUEST_METHOD" => "HEAD")
+
+    resp[0].should.equal(200)
+    resp[1].should.equal({"Content-type" => "test/plain", "Content-length" => "3"})
+    resp[2].each { |b| flunk "body should be empty" }
+  end
 
+  should "close the body when it is removed" do
+    resp, body = test_response("REQUEST_METHOD" => "HEAD")
     resp[0].should.equal(200)
     resp[1].should.equal({"Content-type" => "test/plain", "Content-length" => "3"})
-    resp[2].should.equal([])
+    resp[2].each { |b| flunk "body should be empty" }
+    body.should.be.closed
   end
 end

data/test/spec_multipart.rb

@@ -295,4 +295,24 @@ describe Rack::Multipart do
       message.should.equal "value must be a Hash"
   end
 
+  should "parse very long unquoted multipart file names" do
+    data = <<-EOF
+--AaB03x\r
+Content-Type: text/plain\r
+Content-Disposition: attachment; name=file; filename=#{'long' * 100}\r
+\r
+contents\r
+--AaB03x--\r
+    EOF
+
+    options = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+      "CONTENT_LENGTH" => data.length.to_s,
+      :input => StringIO.new(data)
+    }
+    env = Rack::MockRequest.env_for("/", options)
+    params = Rack::Utils::Multipart.parse_multipart(env)
+
+    params["file"][:filename].should.equal('long' * 100)
+  end
 end

data/test/spec_response.rb

@@ -250,4 +250,34 @@ describe Rack::Response do
     res.close
     res.body.should.be.closed
   end
+
+  it "calls close on #body when 204, 205, or 304" do
+    res = Rack::Response.new
+    res.body = StringIO.new
+    res.finish
+    res.body.should.not.be.closed
+
+    res.status = 204
+    _, _, b = res.finish
+    res.body.should.be.closed
+    b.should.not == res.body
+
+    res.body = StringIO.new
+    res.status = 205
+    _, _, b = res.finish
+    res.body.should.be.closed
+    b.should.not == res.body
+
+    res.body = StringIO.new
+    res.status = 304
+    _, _, b = res.finish
+    res.body.should.be.closed
+    b.should.not == res.body
+  end
+
+  it "wraps the body from #to_ary to prevent infinite loops" do
+    res = Rack::Response.new
+    res.finish.last.should.not.respond_to?(:to_ary)
+    lambda { res.finish.last.to_ary }.should.raise(NoMethodError)
+  end
 end

data/test/spec_server.rb

@@ -10,6 +10,13 @@ describe Rack::Server do
     lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['success']] }
   end
 
+  def with_stderr
+    old, $stderr = $stderr, StringIO.new
+    yield $stderr
+  ensure
+    $stderr = old
+  end
+
   it "overrides :config if :app is passed in" do
     server = Rack::Server.new(:app => "FOO")
     server.app.should == "FOO"
@@ -71,4 +78,44 @@ describe Rack::Server do
     open(pidfile) { |f| f.read.should.eql $$.to_s }
   end
 
+  should "check pid file presence and running process" do
+    pidfile = Tempfile.open('pidfile') { |f| f.write($$); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :running
+  end
+
+  should "check pid file presence and dead process" do
+    dead_pid = `echo $$`.to_i
+    pidfile = Tempfile.open('pidfile') { |f| f.write(dead_pid); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :dead
+  end
+
+  should "check pid file presence and exited process" do
+    pidfile = Tempfile.open('pidfile') { |f| break f }.path
+    ::File.delete(pidfile)
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :exited
+  end
+
+  should "check pid file presence and not owned process" do
+    pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    server.send(:pidfile_process_status).should.eql :not_owned
+  end
+
+  should "inform the user about existing pidfiles with running processes" do
+    pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path
+    server = Rack::Server.new(:pid => pidfile)
+    with_stderr do |err|
+      should.raise(SystemExit) do
+        server.start
+      end
+      err.rewind
+      output = err.read
+      output.should.match(/already running/)
+      output.should.include? pidfile
+    end
+  end
+
 end

data/test/spec_session_cookie.rb

@@ -24,6 +24,17 @@ describe Rack::Session::Cookie do
     Rack::Response.new("Nothing").to_a
   end
 
+  before do
+    @warnings = warnings = []
+    Rack::Session::Cookie.class_eval do
+      define_method(:warn) { |m| warnings << m }
+    end
+  end
+
+  after do
+    Rack::Session::Cookie.class_eval { remove_method :warn }
+  end
+
   describe 'Base64' do
     it 'uses base64 to encode' do
       coder = Rack::Session::Cookie::Base64.new
@@ -57,6 +68,14 @@ describe Rack::Session::Cookie do
     end
   end
 
+  it "warns if no secret is given" do
+    cookie = Rack::Session::Cookie.new(incrementor)
+    @warnings.first.should =~ /no secret/i
+    @warnings.clear
+    cookie = Rack::Session::Cookie.new(incrementor, :secret => 'abc')
+    @warnings.should.be.empty?
+  end
+
   it 'uses a coder' do
     identity = Class.new {
       attr_reader :calls

data/test/spec_session_pool.rb

@@ -181,19 +181,19 @@ describe Rack::Session::Pool do
   end
 
   it "does not return a cookie if cookie was not read/written" do
-    app = Rack::Session::Cookie.new(nothing)
+    app = Rack::Session::Cookie.new(nothing, :secret => 'abc')
     res = Rack::MockRequest.new(app).get("/")
     res["Set-Cookie"].should.be.nil
   end
 
   it "does not return a cookie if cookie was not written (only read)" do
-    app = Rack::Session::Cookie.new(session_id)
+    app = Rack::Session::Cookie.new(session_id, :secret => 'abc')
     res = Rack::MockRequest.new(app).get("/")
     res["Set-Cookie"].should.be.nil
   end
 
   it "returns even if not read/written if :expire_after is set" do
-    app = Rack::Session::Cookie.new(nothing, :expire_after => 3600)
+    app = Rack::Session::Cookie.new(nothing, :expire_after => 3600, :secret => 'abc')
     res = Rack::MockRequest.new(app).get("/")
     res["Set-Cookie"].should.not.be.nil
   end

data/test/spec_utils.rb

@@ -1,6 +1,7 @@
 # -*- encoding: utf-8 -*-
 require 'rack/utils'
 require 'rack/mock'
+require 'timeout'
 
 describe Rack::Utils do
   def kcodeu
@@ -93,6 +94,14 @@ describe Rack::Utils do
     Rack::Utils.parse_query("my+weird+field=q1%212%22%27w%245%267%2Fz8%29%3F").
       should.equal "my weird field" => "q1!2\"'w$5&7/z8)?"
     Rack::Utils.parse_query("foo%3Dbaz=bar").should.equal "foo=baz" => "bar"
+    Rack::Utils.parse_query("=").should.equal "" => ""
+    Rack::Utils.parse_query("=value").should.equal "" => "value"
+    Rack::Utils.parse_query("key=").should.equal "key" => ""
+    Rack::Utils.parse_query("&key&").should.equal "key" => nil
+    Rack::Utils.parse_query(";key;", ";,").should.equal "key" => nil
+    Rack::Utils.parse_query(",key,", ";,").should.equal "key" => nil
+    Rack::Utils.parse_query(";foo=bar,;", ";,").should.equal "foo" => "bar"
+    Rack::Utils.parse_query(",foo=bar;,", ";,").should.equal "foo" => "bar"
   end
 
   should "parse nested query strings correctly" do
@@ -326,6 +335,10 @@ describe Rack::Utils, "byte_range" do
     Rack::Utils.byte_ranges({"HTTP_RANGE" => "bytes=499-499"},500).should.equal [(499..499)]
   end
 
+  should "parse several byte ranges" do
+    Rack::Utils.byte_ranges({"HTTP_RANGE" => "bytes=500-600,601-999"},1000).should.equal [(500..600),(601..999)]
+  end
+
   should "truncate byte ranges" do
     Rack::Utils.byte_ranges({"HTTP_RANGE" => "bytes=123-999"},500).should.equal [(123..499)]
     Rack::Utils.byte_ranges({"HTTP_RANGE" => "bytes=600-999"},500).should.equal []

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack
 version: !ruby/object:Gem::Version 
-  hash: 23
+  hash: 21
   prerelease: 
   segments: 
   - 1
   - 3
-  - 6
-  version: 1.3.6
+  - 7
+  version: 1.3.7
 platform: ruby
 authors: 
 - Christian Neukirchen
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-12-28 00:00:00 Z
+date: 2013-01-07 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bacon
@@ -81,7 +81,7 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 1923831981
+        hash: 1777625759
         segments: 
         - 1
         - 2
@@ -112,7 +112,7 @@ description: |
   servers, web frameworks, and software in between (the so-called
   middleware) into a single method call.
   
-  Also see http://rack.rubyforge.org.
+  Also see http://rack.github.com/.
 
 email: chneukirchen@gmail.com
 executables: 
@@ -124,6 +124,8 @@ extra_rdoc_files:
 - KNOWN-ISSUES
 files: 
 - bin/rackup
+- contrib/rack.png
+- contrib/rack.svg
 - contrib/rack_logo.svg
 - example/lobster.ru
 - example/protectedlobster.rb
@@ -137,6 +139,7 @@ files:
 - lib/rack/auth/digest/request.rb
 - lib/rack/backports/uri/common_18.rb
 - lib/rack/backports/uri/common_192.rb
+- lib/rack/backports/uri/common_193.rb
 - lib/rack/body_proxy.rb
 - lib/rack/builder.rb
 - lib/rack/cascade.rb
@@ -194,6 +197,7 @@ files:
 - test/builder/anything.rb
 - test/builder/comment.ru
 - test/builder/end.ru
+- test/builder/line.ru
 - test/builder/options.ru
 - test/cgi/lighttpd.conf
 - test/cgi/rackup_stub.rb
@@ -277,7 +281,7 @@ files:
 - Rakefile
 - README.rdoc
 - SPEC
-homepage: http://rack.rubyforge.org
+homepage: http://rack.github.com/
 licenses: []
 
 post_install_message: 
@@ -306,7 +310,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rack
-rubygems_version: 1.8.12
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: a modular Ruby webserver interface
@@ -357,3 +361,4 @@ test_files:
 - test/spec_urlmap.rb
 - test/spec_utils.rb
 - test/spec_webrick.rb
+has_rdoc: