rack 1.3.10 → 1.4.0

data/COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2007, 2008, 2009, 2010, 2011, 2012 Christian Neukirchen <purl.org/net/chneukirchen>
+Copyright (c) 2007, 2008, 2009, 2010 Christian Neukirchen <purl.org/net/chneukirchen>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/KNOWN-ISSUES

@@ -1,12 +1,3 @@
-= Known issues with Rack and ECMA-262
-
-* Many users expect the escape() function defined in ECMA-262 to be compatible
-  with URI. Confusion is especially strong because the documentation for the
-  escape function includes a reference to the URI specifications. ECMA-262
-  escape is not however a URI escape function, it is a javascript escape
-  function, and is not fully compatible. Most notably, for characters outside of
-  the BMP. Users should use the more correct encodeURI functions.
-
 = Known issues with Rack and Web servers
 
 * Lighttpd sets wrong SCRIPT_NAME and PATH_INFO if you mount your

data/README.rdoc

@@ -1,4 +1,4 @@
-= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
+= Rack, a modular Ruby webserver interface
 
 Rack provides a minimal, modular and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
@@ -27,11 +27,8 @@ These web servers include Rack handlers in their distributions:
 * Fuzed
 * Glassfish v3
 * Phusion Passenger (which is mod_rack for Apache and for nginx)
-* Puma
 * Rainbows!
 * Unicorn
-* unixrack
-* uWSGI
 * Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
@@ -135,11 +132,7 @@ at my site:
 
 Testing Rack requires the bacon testing framework:
 
-    bundle install --without extra # to be able to run the fast tests
-
-Or:
-
-    bundle install # this assumes that you have installed native extensions!
+    gem install bacon
 
 There are two rake-based test tasks:
 
@@ -362,7 +355,7 @@ run on port 11211) and memcache-client installed.
 * July 16, 2011: Sixteenth public release 1.3.2
   * Fix for Rails and rack-test, Rack::Utils#escape calls to_s
 
-* September 16, 2011: Seventeenth public release 1.3.3
+* Not Yet Released: Seventeenth public release 1.3.3
   * Fix bug with broken query parameters in Rack::ShowExceptions
   * Rack::Request#cookies no longer swallows exceptions on broken input
   * Prevents XSS attacks enabled by bug in Ruby 1.8's regexp engine
@@ -380,10 +373,6 @@ run on port 11211) and memcache-client installed.
 * October 17, 2011: Twentieth public release 1.3.5
   * Fix annoying warnings caused by the backport in 1.3.4
 
-* December 28th, 2011: Twenty first public release: 1.1.3.
-  * Security fix. http://www.ocert.org/advisories/ocert-2011-003.html
-    Further information here: http://jruby.org/2011/12/27/jruby-1-6-5-1
-
 * December 28th, 2011: Twenty fourth public release 1.4.0
   * Ruby 1.8.6 support has officially been dropped. Not all tests pass.
   * Raise sane error messages for broken config.ru
@@ -403,114 +392,11 @@ run on port 11211) and memcache-client installed.
   * Support added for HTTP_X_FORWARDED_SCHEME
   * Numerous bug fixes, including many fixes for new and alternate rubies
 
-* January 22nd, 2012: Twenty fifth public release 1.4.1
-  * Alter the keyspace limit calculations to reduce issues with nested params
-  * Add a workaround for multipart parsing where files contain unescaped "%"
-  * Added Rack::Response::Helpers#method_not_allowed? (code 405)
-  * Rack::File now returns 404 for illegal directory traversals
-  * Rack::File now returns 405 for illegal methods (non HEAD/GET)
-  * Rack::Cascade now catches 405 by default, as well as 404
-  * Cookies missing '--' no longer cause an exception to be raised
-  * Various style changes and documentation spelling errors
-  * Rack::BodyProxy always ensures to execute its block
-  * Additional test coverage around cookies and secrets
-  * Rack::Session::Cookie can now be supplied either secret or old_secret
-  * Tests are no longer dependent on set order
-  * Rack::Static no longer defaults to serving index files
-  * Rack.release was fixed
-
-* January 6th, 2013: Twenty sixth public release 1.1.4
-  * Add warnings when users do not provide a session secret
-
-* January 6th, 2013: Twenty seventh public release 1.2.6
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-
-* January 6th, 2013: Twenty eighth public release 1.3.7
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-  * Updated URI backports
-  * Fix URI backport version matching, and silence constant warnings
-  * Correct parameter parsing with empty values
-  * Correct rackup '-I' flag, to allow multiple uses
-  * Correct rackup pidfile handling
-  * Report rackup line numbers correctly
-  * Fix request loops caused by non-stale nonces with time limits
-  * Fix reloader on Windows
-  * Prevent infinite recursions from Response#to_ary
-  * Various middleware better conforms to the body close specification
-  * Updated language for the body close specification
-  * Additional notes regarding ECMA escape compatibility issues
-  * Fix the parsing of multiple ranges in range headers
-
-* January 6th, 2013: Twenty ninth public release 1.4.2
-  * Add warnings when users do not provide a session secret
-  * Fix parsing performance for unquoted filenames
-  * Updated URI backports
-  * Fix URI backport version matching, and silence constant warnings
-  * Correct parameter parsing with empty values
-  * Correct rackup '-I' flag, to allow multiple uses
-  * Correct rackup pidfile handling
-  * Report rackup line numbers correctly
-  * Fix request loops caused by non-stale nonces with time limits
-  * Fix reloader on Windows
-  * Prevent infinite recursions from Response#to_ary
-  * Various middleware better conforms to the body close specification
-  * Updated language for the body close specification
-  * Additional notes regarding ECMA escape compatibility issues
-  * Fix the parsing of multiple ranges in range headers
-  * Prevent errors from empty parameter keys
-  * Added PATCH verb to Rack::Request
-  * Various documentation updates
-  * Fix session merge semantics (fixes rack-test)
-  * Rack::Static :index can now handle multiple directories
-  * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
-  * Rack::File cache_control parameter is now deprecated, and removed by 1.5
-  * Correct Rack::Directory script name escaping
-  * Rack::Static supports header rules for sophisticated configurations
-  * Multipart parsing now works without a Content-Length header
-  * New logos courtesy of Zachary Scott!
-  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
-  * Cookies that are not URI escaped no longer cause exceptions
-
-* January 7th, 2013: Thirtieth public release 1.3.8
-  * Security: Prevent unbounded reads in large multipart boundaries
-
-* January 7th, 2013: Thirty first public release 1.4.3
-  * Security: Prevent unbounded reads in large multipart boundaries
-
-* January 13th, 2013: Thirty second public release 1.4.4, 1.3.9, 1.2.7, 1.1.5
-  * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
-  * Fixed erroneous test case in the 1.3.x series
-
-* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-
-* February 7th, Thirty fifth public release 1.4.5
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-  * Fix CVE-2013-0262, symlink path traversal in Rack::File
-
-* February 7th, Thirty fifth public release 1.5.2
-  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
-  * Fix CVE-2013-0262, symlink path traversal in Rack::File
-  * Add various methods to Session for enhanced Rails compatibility
-  * Request#trusted_proxy? now only matches whole stirngs
-  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
-  * URLMap host matching in environments that don't set the Host header fixed
-  * Fix a race condition that could result in overwritten pidfiles
-  * Various documentation additions
-
 == Contact
 
 Please post bugs, suggestions and patches to
 the bug tracker at <http://github.com/rack/rack/issues>.
 
-Please post security related bugs and suggestions to the core team at
-<https://groups.google.com/group/rack-core> or rack-core@googlegroups.com. Due
-to wide usage of the library, it is strongly preferred that we manage timing in
-order to provide viable patches at the time of disclosure. Your assistance in
-this matter is greatly appreciated.
-
 Mailing list archives are available at
 <http://groups.google.com/group/rack-devel>.
 
@@ -586,7 +472,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.github.com/>
+Rack:: <http://rack.rubyforge.org/>
 Official Rack repositories:: <http://github.com/rack>
 Rack Bug Tracking:: <http://github.com/rack/rack/issues>
 rack-devel mailing list:: <http://groups.google.com/group/rack-devel>

data/Rakefile

@@ -3,6 +3,18 @@
 desc "Run all the tests"
 task :default => [:test]
 
+desc "Install gem dependencies"
+task :deps do
+  require 'rubygems'
+  spec = Gem::Specification.load('rack.gemspec')
+  spec.dependencies.each do |dep|
+    reqs = dep.requirements_list
+    reqs = (["-v"] * reqs.size).zip(reqs).flatten
+    # Use system over sh, because we want to ignore errors!
+    system "gem", "install", '--conservative', dep.name, *reqs
+  end
+end
+
 desc "Make an archive as .tar.gz"
 task :dist => [:chmod, :changelog, :rdoc, "SPEC"] do
   sh "git archive --format=tar --prefix=#{release}/ HEAD^{tree} >#{release}.tar"
@@ -73,6 +85,9 @@ task :test => 'SPEC' do
   sh "bacon -I./lib:./test #{opts} #{specopts}"
 end
 
+desc "Run all the tests we run on CI"
+task :ci => :test
+
 desc "Run all the tests"
 task :fulltest => %w[SPEC chmod] do
   opts     = ENV['TEST'] || '-a'

data/SPEC

@@ -146,19 +146,17 @@ consisting of lines (for multiple header values, e.g. multiple
 The lines must not contain characters below 037.
 === The Content-Type
 There must be a <tt>Content-Type</tt>, except when the
-+Status+ is 1xx, 204 or 304, in which case there must be none
++Status+ is 1xx, 204, 205 or 304, in which case there must be none
 given.
 === The Content-Length
 There must not be a <tt>Content-Length</tt> header when the
-+Status+ is 1xx, 204 or 304.
++Status+ is 1xx, 204, 205 or 304.
 === The Body
 The Body must respond to +each+
 and must only yield String values.
 The Body itself should not be an instance of String, as this will
 break in Ruby 1.9.
-If the Body responds to +close+, it will be called after iteration. If
-the body is replaced by a middleware after action, the original body
-must be closed first, if it repsonds to close.
+If the Body responds to +close+, it will be called after iteration.
 If the Body responds to +to_path+, it must return a String
 identifying the location of a file whose contents are identical
 to that produced by calling +each+; this may be used by the

data/lib/rack.rb

@@ -73,18 +73,6 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
-
-    # Not all of the following schemes are "standards", but they are used often.
-    @schemes = %w[basic digest bearer mac token oauth oauth2]
-
-    def self.add_scheme scheme
-      @schemes << scheme
-      @schemes.uniq!
-    end
-
-    def self.schemes
-      @schemes.dup
-    end
   end
 
   module Session

data/lib/rack/auth/abstract/request.rb

@@ -21,11 +21,7 @@ module Rack
       end
 
       def scheme
-        @scheme ||=
-          begin
-            s = parts.first.downcase
-            Rack::Auth.schemes.include?(s) ? s.to_sym : s
-          end
+        @scheme ||= parts.first.downcase.to_sym
       end
 
       def params

data/lib/rack/auth/basic.rb

@@ -41,7 +41,7 @@ module Rack
 
       class Request < Auth::AbstractRequest
         def basic?
-          !parts.first.nil? && :basic == scheme
+          :basic == scheme
         end
 
         def credentials

data/lib/rack/auth/digest/nonce.rb

@@ -38,7 +38,7 @@ module Rack
         end
 
         def stale?
-          !self.class.time_limit.nil? && (Time.now.to_i - @timestamp) > self.class.time_limit
+          !self.class.time_limit.nil? && (@timestamp - Time.now.to_i) < self.class.time_limit
         end
 
         def fresh?

data/lib/rack/backports/uri/common_18.rb

@@ -8,21 +8,7 @@
 
 module URI
   TBLENCWWWCOMP_ = {} # :nodoc:
-  256.times do |i|
-    TBLENCWWWCOMP_[i.chr] = '%%%02X' % i
-  end
-  TBLENCWWWCOMP_[' '] = '+'
-  TBLENCWWWCOMP_.freeze
   TBLDECWWWCOMP_ = {} # :nodoc:
-  256.times do |i|
-    h, l = i>>4, i&15
-    TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
-    TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
-    TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
-    TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
-  end
-  TBLDECWWWCOMP_['+'] = ' '
-  TBLDECWWWCOMP_.freeze
 
   # Encode given +s+ to URL-encoded form data.
   #
@@ -40,6 +26,18 @@ module URI
         '%' + $1.unpack('H2' * Rack::Utils.bytesize($1)).join('%').upcase
       end.tr(' ', '+')
     else
+      if TBLENCWWWCOMP_.empty?
+        tbl = {}
+        256.times do |i|
+          tbl[i.chr] = '%%%02X' % i
+        end
+        tbl[' '] = '+'
+        begin
+          TBLENCWWWCOMP_.replace(tbl)
+          TBLENCWWWCOMP_.freeze
+        rescue
+        end
+      end
       str.gsub(/[^*\-.0-9A-Z_a-z]/) {|m| TBLENCWWWCOMP_[m]}
     end
   end
@@ -50,6 +48,22 @@ module URI
   #
   # See URI.encode_www_form_component, URI.decode_www_form
   def self.decode_www_form_component(str, enc=nil)
+    if TBLDECWWWCOMP_.empty?
+      tbl = {}
+      256.times do |i|
+        h, l = i>>4, i&15
+        tbl['%%%X%X' % [h, l]] = i.chr
+        tbl['%%%x%X' % [h, l]] = i.chr
+        tbl['%%%X%x' % [h, l]] = i.chr
+        tbl['%%%x%x' % [h, l]] = i.chr
+      end
+      tbl['+'] = ' '
+      begin
+        TBLDECWWWCOMP_.replace(tbl)
+        TBLDECWWWCOMP_.freeze
+      rescue
+      end
+    end
     raise ArgumentError, "invalid %-encoding (#{str})" unless /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/ =~ str
     str.gsub(/\+|%[0-9a-fA-F]{2}/) {|m| TBLDECWWWCOMP_[m]}
   end

data/lib/rack/backports/uri/common_192.rb

@@ -17,19 +17,6 @@
 require 'uri/common'
 
 module URI
-  TBLDECWWWCOMP_ = {} unless const_defined?(:TBLDECWWWCOMP_)  #:nodoc:
-  if TBLDECWWWCOMP_.empty?
-    256.times do |i|
-      h, l = i>>4, i&15
-      TBLDECWWWCOMP_['%%%X%X' % [h, l]] = i.chr
-      TBLDECWWWCOMP_['%%%x%X' % [h, l]] = i.chr
-      TBLDECWWWCOMP_['%%%X%x' % [h, l]] = i.chr
-      TBLDECWWWCOMP_['%%%x%x' % [h, l]] = i.chr
-    end
-    TBLDECWWWCOMP_['+'] = ' '
-    TBLDECWWWCOMP_.freeze
-  end
-
   def self.decode_www_form(str, enc=Encoding::UTF_8)
     return [] if str.empty?
     unless /\A#{WFKV_}=#{WFKV_}(?:[;&]#{WFKV_}=#{WFKV_})*\z/o =~ str
@@ -43,10 +30,26 @@ module URI
   end
 
   def self.decode_www_form_component(str, enc=Encoding::UTF_8)
+    if TBLDECWWWCOMP_.empty?
+      tbl = {}
+      256.times do |i|
+        h, l = i>>4, i&15
+        tbl['%%%X%X' % [h, l]] = i.chr
+        tbl['%%%x%X' % [h, l]] = i.chr
+        tbl['%%%X%x' % [h, l]] = i.chr
+        tbl['%%%x%x' % [h, l]] = i.chr
+      end
+      tbl['+'] = ' '
+      begin
+        TBLDECWWWCOMP_.replace(tbl)
+        TBLDECWWWCOMP_.freeze
+      rescue
+      end
+    end
     raise ArgumentError, "invalid %-encoding (#{str})" unless /\A[^%]*(?:%\h\h[^%]*)*\z/ =~ str
     str.gsub(/\+|%\h\h/, TBLDECWWWCOMP_).force_encoding(enc)
   end
 
-  remove_const :WFKV_ if const_defined?(:WFKV_)
+  remove_const :WFKV_
   WFKV_ = '(?:[^%#=;&]*(?:%\h\h[^%#=;&]*)*)' # :nodoc:
 end

data/lib/rack/body_proxy.rb

@@ -5,7 +5,6 @@ module Rack
     end
 
     def respond_to?(*args)
-      return false if args.first.to_s =~ /^to_ary$/
       super or @body.respond_to?(*args)
     end
 
@@ -20,16 +19,7 @@ module Rack
       @closed
     end
 
-    # N.B. This method is a special case to address the bug described by #434.
-    # We are applying this special case for #each only. Future bugs of this
-    # class will be handled by requesting users to patch their ruby
-    # implementation, to save adding too many methods in this class.
-    def each(*args, &block)
-      @body.each(*args, &block)
-    end
-
     def method_missing(*args, &block)
-      super if args.first.to_s =~ /^to_ary$/
       @body.__send__(*args, &block)
     end
   end

data/lib/rack/builder.rb

@@ -20,7 +20,7 @@ module Rack
   #
   #  app = Rack::Builder.app do
   #    use Rack::CommonLogger
-  #    lambda { |env| [200, {'Content-Type' => 'text/plain'}, 'OK'] }
+  #    run lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['OK']] }
   #  end
   #
   #  run app
@@ -36,9 +36,9 @@ module Rack
         if cfgfile[/^#\\(.*)/] && opts
           options = opts.parse! $1.split(/\s+/)
         end
-        cfgfile.sub!(/^__END__\n.*/, '')
+        cfgfile.sub!(/^__END__\n.*\Z/m, '')
         app = eval "Rack::Builder.new {\n" + cfgfile + "\n}.to_app",
-          TOPLEVEL_BINDING, config, 0
+          TOPLEVEL_BINDING, config
       else
         require config
         app = Object.const_get(::File.basename(config, '.rb').capitalize)
@@ -46,13 +46,13 @@ module Rack
       return app, options
     end
 
-    def initialize(&block)
-      @ins = []
+    def initialize(default_app = nil,&block)
+      @use, @map, @run = [], nil, default_app
       instance_eval(&block) if block_given?
     end
 
-    def self.app(&block)
-      self.new(&block).to_app
+    def self.app(default_app = nil, &block)
+      self.new(default_app, &block).to_app
     end
 
     # Specifies a middleware to use in a stack.
@@ -75,7 +75,11 @@ module Rack
     # The +call+ method in this example sets an additional environment key which then can be
     # referenced in the application if required.
     def use(middleware, *args, &block)
-      @ins << lambda { |app| middleware.new(app, *args, &block) }
+      if @map
+        mapping, @map = @map, nil
+        @use << proc { |app| generate_map app, mapping }
+      end
+      @use << proc { |app| middleware.new(app, *args, &block) }
     end
 
     # Takes an argument that is an object that responds to #call and returns a Rack response.
@@ -93,7 +97,7 @@ module Rack
     #
     #   run Heartbeat
     def run(app)
-      @ins << app #lambda { |nothing| app }
+      @run = app
     end
 
     # Creates a route within the application.
@@ -116,22 +120,26 @@ module Rack
     # This example includes a piece of middleware which will run before requests hit +Heartbeat+.
     #
     def map(path, &block)
-      if @ins.last.kind_of? Hash
-        @ins.last[path] = self.class.new(&block).to_app
-      else
-        @ins << {}
-        map(path, &block)
-      end
+      @map ||= {}
+      @map[path] = block
     end
 
     def to_app
-      @ins[-1] = Rack::URLMap.new(@ins.last)  if Hash === @ins.last
-      inner_app = @ins.last
-      @ins[0...-1].reverse.inject(inner_app) { |a, e| e.call(a) }
+      app = @map ? generate_map(@run, @map) : @run
+      fail "missing run or map statement" unless app
+      @use.reverse.inject(app) { |a,e| e[a] }
     end
 
     def call(env)
       to_app.call(env)
     end
+
+    private
+
+    def generate_map(default_app, mapping)
+      mapped = default_app ? {'/' => default_app} : {}
+      mapping.each { |r,b| mapped[r] = self.class.new(default_app, &b) }
+      URLMap.new(mapped)
+    end
   end
 end