rack 1.5.1 → 1.5.2

data/README.rdoc

@@ -511,6 +511,23 @@ run on port 11211) and memcache-client installed.
   * Added hash-like methods to Abstract::ID::SessionHash for compatibility
   * Various documentation corrections
 
+* February 7th, Thirty fifth public release 1.1.6, 1.2.8, 1.3.10
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+
+* February 7th, Thirty fifth public release 1.4.5
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+
+* February 7th, Thirty fifth public release 1.5.2
+  * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+  * Fix CVE-2013-0262, symlink path traversal in Rack::File
+  * Add various methods to Session for enhanced Rails compatibility
+  * Request#trusted_proxy? now only matches whole stirngs
+  * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+  * URLMap host matching in environments that don't set the Host header fixed
+  * Fix a race condition that could result in overwritten pidfiles
+  * Various documentation additions
+
 == Contact
 
 Please post bugs, suggestions and patches to

data/lib/rack.rb

@@ -80,4 +80,8 @@ module Rack
     autoload :Pool, "rack/session/pool"
     autoload :Memcache, "rack/session/memcache"
   end
+
+  module Utils
+    autoload :OkJson, "rack/utils/okjson"
+  end
 end

data/lib/rack/conditionalget.rb

@@ -13,7 +13,7 @@ module Rack
   # a conditional GET matches.
   #
   # Adapted from Michael Klishin's Merb implementation:
-  # http://github.com/wycats/merb-core/tree/master/lib/merb-core/rack/middleware/conditional_get.rb
+  # https://github.com/wycats/merb/blob/master/merb-core/lib/merb-core/rack/middleware/conditional_get.rb
   class ConditionalGet
     def initialize(app)
       @app = app

data/lib/rack/deflater.rb

@@ -4,6 +4,18 @@ require "time"  # for Time.httpdate
 require 'rack/utils'
 
 module Rack
+  # This middleware enables compression of http responses.
+  #
+  # Currently supported compression algorithms:
+  #
+  #   * gzip
+  #   * deflate
+  #   * identity (no transformation)
+  #
+  # The middleware automatically detects when compression is supported
+  # and allowed. For example no transformation is made when a cache
+  # directive of 'no-transform' is present, or when the response status
+  # code is one that doesn't allow an entity body.
   class Deflater
     def initialize(app)
       @app = app

data/lib/rack/file.rb

@@ -41,19 +41,14 @@ module Rack
       path_info = Utils.unescape(env["PATH_INFO"])
       parts = path_info.split SEPS
 
-      parts.inject(0) do |depth, part|
-        case part
-        when '', '.'
-          depth
-        when '..'
-          return fail(404, "Not Found") if depth - 1 < 0
-          depth - 1
-        else
-          depth + 1
-        end
+      clean = []
+
+      parts.each do |part|
+        next if part.empty? || part == '.'
+        part == '..' ? clean.pop : clean << part
       end
 
-      @path = F.join(@root, *parts)
+      @path = F.join(@root, *clean)
 
       available = begin
         F.file?(@path) && F.readable?(@path)

data/lib/rack/request.rb

@@ -340,7 +340,7 @@ module Rack
     end
 
     def trusted_proxy?(ip)
-      ip =~ /^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|^::1$|^fd[0-9a-f]{2}:.+|^localhost$|^unix$|^unix:/i
+      ip =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
     end
 
     def ip

data/lib/rack/server.rb

@@ -329,8 +329,11 @@ module Rack
       end
 
       def write_pid
-        ::File.open(options[:pid], 'w'){ |f| f.write("#{Process.pid}") }
+        ::File.open(options[:pid], ::File::CREAT | ::File::EXCL | ::File::WRONLY ){ |f| f.write("#{Process.pid}") }
         at_exit { ::File.delete(options[:pid]) if ::File.exist?(options[:pid]) }
+      rescue Errno::EEXIST
+        check_pid!
+        retry
       end
 
       def check_pid!

data/lib/rack/session/abstract/id.rb

@@ -24,6 +24,14 @@ module Rack
         include Enumerable
         attr_writer :id
 
+        def self.find(env)
+          env[ENV_SESSION_KEY]
+        end
+
+        def self.set(env, session)
+          env[ENV_SESSION_KEY] = session
+        end
+
         def self.set_options(env, options)
           env[ENV_SESSION_OPTIONS_KEY] = options.dup
         end

data/lib/rack/session/cookie.rb

@@ -65,6 +65,19 @@ module Rack
             ::Marshal.load(super(str)) rescue nil
           end
         end
+
+        # N.B. Unlike other encoding methods, the contained objects must be a
+        # valid JSON composite type, either a Hash or an Array.
+        class JSON < Base64
+          def encode(obj)
+            super(::Rack::Utils::OkJson.encode(obj))
+          end
+
+          def decode(str)
+            return unless str
+            ::Rack::Utils::OkJson.decode(super(str)) rescue nil
+          end
+        end
       end
 
       # Use no encoding for session cookies
@@ -152,7 +165,7 @@ module Rack
       def digest_match?(data, digest)
         return unless data && digest
         @secrets.any? do |secret|
-          digest == generate_hmac(data, secret)
+          Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
         end
       end
 

data/lib/rack/urlmap.rb

@@ -13,6 +13,7 @@ module Rack
 
   class URLMap
     NEGATIVE_INFINITY = -1.0 / 0.0
+    INFINITY = 1.0 / 0.0
 
     def initialize(map = {})
       remap(map)
@@ -35,7 +36,7 @@ module Rack
 
         [host, location, match, app]
       }.sort_by do |(host, location, _, _)|
-        [host ? -host.size : NEGATIVE_INFINITY, -location.size]
+        [host ? -host.size : INFINITY, -location.size]
       end
     end
 

data/lib/rack/utils.rb

@@ -395,6 +395,18 @@ module Rack
     end
     module_function :byte_ranges
 
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which

data/lib/rack/utils/okjson.rb

@@ -0,0 +1,599 @@
+# encoding: UTF-8
+#
+# Copyright 2011, 2012 Keith Rarick
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+# See https://github.com/kr/okjson for updates.
+# Imported from the above repo @ d4e8643ad92e14b37d11326855499c7e4108ed17
+# Namespace modified for vendoring under Rack::Utils
+
+require 'stringio'
+
+# Some parts adapted from
+# http://golang.org/src/pkg/json/decode.go and
+# http://golang.org/src/pkg/utf8/utf8.go
+module Rack::Utils::OkJson
+  Upstream = 'LTD7LBKLZWFF7OZK'
+  extend self
+
+
+  # Decodes a json document in string s and
+  # returns the corresponding ruby value.
+  # String s must be valid UTF-8. If you have
+  # a string in some other encoding, convert
+  # it first.
+  #
+  # String values in the resulting structure
+  # will be UTF-8.
+  def decode(s)
+    ts = lex(s)
+    v, ts = textparse(ts)
+    if ts.length > 0
+      raise Error, 'trailing garbage'
+    end
+    v
+  end
+
+
+  # Parses a "json text" in the sense of RFC 4627.
+  # Returns the parsed value and any trailing tokens.
+  # Note: this is almost the same as valparse,
+  # except that it does not accept atomic values.
+  def textparse(ts)
+    if ts.length < 0
+      raise Error, 'empty'
+    end
+
+    typ, _, val = ts[0]
+    case typ
+    when '{' then objparse(ts)
+    when '[' then arrparse(ts)
+    else
+      raise Error, "unexpected #{val.inspect}"
+    end
+  end
+
+
+  # Parses a "value" in the sense of RFC 4627.
+  # Returns the parsed value and any trailing tokens.
+  def valparse(ts)
+    if ts.length < 0
+      raise Error, 'empty'
+    end
+
+    typ, _, val = ts[0]
+    case typ
+    when '{' then objparse(ts)
+    when '[' then arrparse(ts)
+    when :val,:str then [val, ts[1..-1]]
+    else
+      raise Error, "unexpected #{val.inspect}"
+    end
+  end
+
+
+  # Parses an "object" in the sense of RFC 4627.
+  # Returns the parsed value and any trailing tokens.
+  def objparse(ts)
+    ts = eat('{', ts)
+    obj = {}
+
+    if ts[0][0] == '}'
+      return obj, ts[1..-1]
+    end
+
+    k, v, ts = pairparse(ts)
+    obj[k] = v
+
+    if ts[0][0] == '}'
+      return obj, ts[1..-1]
+    end
+
+    loop do
+      ts = eat(',', ts)
+
+      k, v, ts = pairparse(ts)
+      obj[k] = v
+
+      if ts[0][0] == '}'
+        return obj, ts[1..-1]
+      end
+    end
+  end
+
+
+  # Parses a "member" in the sense of RFC 4627.
+  # Returns the parsed values and any trailing tokens.
+  def pairparse(ts)
+    (typ, _, k), ts = ts[0], ts[1..-1]
+    if typ != :str
+      raise Error, "unexpected #{k.inspect}"
+    end
+    ts = eat(':', ts)
+    v, ts = valparse(ts)
+    [k, v, ts]
+  end
+
+
+  # Parses an "array" in the sense of RFC 4627.
+  # Returns the parsed value and any trailing tokens.
+  def arrparse(ts)
+    ts = eat('[', ts)
+    arr = []
+
+    if ts[0][0] == ']'
+      return arr, ts[1..-1]
+    end
+
+    v, ts = valparse(ts)
+    arr << v
+
+    if ts[0][0] == ']'
+      return arr, ts[1..-1]
+    end
+
+    loop do
+      ts = eat(',', ts)
+
+      v, ts = valparse(ts)
+      arr << v
+
+      if ts[0][0] == ']'
+        return arr, ts[1..-1]
+      end
+    end
+  end
+
+
+  def eat(typ, ts)
+    if ts[0][0] != typ
+      raise Error, "expected #{typ} (got #{ts[0].inspect})"
+    end
+    ts[1..-1]
+  end
+
+
+  # Scans s and returns a list of json tokens,
+  # excluding white space (as defined in RFC 4627).
+  def lex(s)
+    ts = []
+    while s.length > 0
+      typ, lexeme, val = tok(s)
+      if typ == nil
+        raise Error, "invalid character at #{s[0,10].inspect}"
+      end
+      if typ != :space
+        ts << [typ, lexeme, val]
+      end
+      s = s[lexeme.length..-1]
+    end
+    ts
+  end
+
+
+  # Scans the first token in s and
+  # returns a 3-element list, or nil
+  # if s does not begin with a valid token.
+  #
+  # The first list element is one of
+  # '{', '}', ':', ',', '[', ']',
+  # :val, :str, and :space.
+  #
+  # The second element is the lexeme.
+  #
+  # The third element is the value of the
+  # token for :val and :str, otherwise
+  # it is the lexeme.
+  def tok(s)
+    case s[0]
+    when ?{  then ['{', s[0,1], s[0,1]]
+    when ?}  then ['}', s[0,1], s[0,1]]
+    when ?:  then [':', s[0,1], s[0,1]]
+    when ?,  then [',', s[0,1], s[0,1]]
+    when ?[  then ['[', s[0,1], s[0,1]]
+    when ?]  then [']', s[0,1], s[0,1]]
+    when ?n  then nulltok(s)
+    when ?t  then truetok(s)
+    when ?f  then falsetok(s)
+    when ?"  then strtok(s)
+    when Spc then [:space, s[0,1], s[0,1]]
+    when ?\t then [:space, s[0,1], s[0,1]]
+    when ?\n then [:space, s[0,1], s[0,1]]
+    when ?\r then [:space, s[0,1], s[0,1]]
+    else          numtok(s)
+    end
+  end
+
+
+  def nulltok(s);  s[0,4] == 'null'  ? [:val, 'null',  nil]   : [] end
+  def truetok(s);  s[0,4] == 'true'  ? [:val, 'true',  true]  : [] end
+  def falsetok(s); s[0,5] == 'false' ? [:val, 'false', false] : [] end
+
+
+  def numtok(s)
+    m = /-?([1-9][0-9]+|[0-9])([.][0-9]+)?([eE][+-]?[0-9]+)?/.match(s)
+    if m && m.begin(0) == 0
+      if m[3] && !m[2]
+        [:val, m[0], Integer(m[1])*(10**Integer(m[3][1..-1]))]
+      elsif m[2]
+        [:val, m[0], Float(m[0])]
+      else
+        [:val, m[0], Integer(m[0])]
+      end
+    else
+      []
+    end
+  end
+
+
+  def strtok(s)
+    m = /"([^"\\]|\\["\/\\bfnrt]|\\u[0-9a-fA-F]{4})*"/.match(s)
+    if ! m
+      raise Error, "invalid string literal at #{abbrev(s)}"
+    end
+    [:str, m[0], unquote(m[0])]
+  end
+
+
+  def abbrev(s)
+    t = s[0,10]
+    p = t['`']
+    t = t[0,p] if p
+    t = t + '...' if t.length < s.length
+    '`' + t + '`'
+  end
+
+
+  # Converts a quoted json string literal q into a UTF-8-encoded string.
+  # The rules are different than for Ruby, so we cannot use eval.
+  # Unquote will raise an error if q contains control characters.
+  def unquote(q)
+    q = q[1...-1]
+    a = q.dup # allocate a big enough string
+    rubydoesenc = false
+    # In ruby >= 1.9, a[w] is a codepoint, not a byte.
+    if a.class.method_defined?(:force_encoding)
+      a.force_encoding('UTF-8')
+      rubydoesenc = true
+    end
+    r, w = 0, 0
+    while r < q.length
+      c = q[r]
+      case true
+      when c == ?\\
+        r += 1
+        if r >= q.length
+          raise Error, "string literal ends with a \"\\\": \"#{q}\""
+        end
+
+        case q[r]
+        when ?",?\\,?/,?'
+          a[w] = q[r]
+          r += 1
+          w += 1
+        when ?b,?f,?n,?r,?t
+          a[w] = Unesc[q[r]]
+          r += 1
+          w += 1
+        when ?u
+          r += 1
+          uchar = begin
+            hexdec4(q[r,4])
+          rescue RuntimeError => e
+            raise Error, "invalid escape sequence \\u#{q[r,4]}: #{e}"
+          end
+          r += 4
+          if surrogate? uchar
+            if q.length >= r+6
+              uchar1 = hexdec4(q[r+2,4])
+              uchar = subst(uchar, uchar1)
+              if uchar != Ucharerr
+                # A valid pair; consume.
+                r += 6
+              end
+            end
+          end
+          if rubydoesenc
+            a[w] = '' << uchar
+            w += 1
+          else
+            w += ucharenc(a, w, uchar)
+          end
+        else
+          raise Error, "invalid escape char #{q[r]} in \"#{q}\""
+        end
+      when c == ?", c < Spc
+        raise Error, "invalid character in string literal \"#{q}\""
+      else
+        # Copy anything else byte-for-byte.
+        # Valid UTF-8 will remain valid UTF-8.
+        # Invalid UTF-8 will remain invalid UTF-8.
+        # In ruby >= 1.9, c is a codepoint, not a byte,
+        # in which case this is still what we want.
+        a[w] = c
+        r += 1
+        w += 1
+      end
+    end
+    a[0,w]
+  end
+
+
+  # Encodes unicode character u as UTF-8
+  # bytes in string a at position i.
+  # Returns the number of bytes written.
+  def ucharenc(a, i, u)
+    case true
+    when u <= Uchar1max
+      a[i] = (u & 0xff).chr
+      1
+    when u <= Uchar2max
+      a[i+0] = (Utag2 | ((u>>6)&0xff)).chr
+      a[i+1] = (Utagx | (u&Umaskx)).chr
+      2
+    when u <= Uchar3max
+      a[i+0] = (Utag3 | ((u>>12)&0xff)).chr
+      a[i+1] = (Utagx | ((u>>6)&Umaskx)).chr
+      a[i+2] = (Utagx | (u&Umaskx)).chr
+      3
+    else
+      a[i+0] = (Utag4 | ((u>>18)&0xff)).chr
+      a[i+1] = (Utagx | ((u>>12)&Umaskx)).chr
+      a[i+2] = (Utagx | ((u>>6)&Umaskx)).chr
+      a[i+3] = (Utagx | (u&Umaskx)).chr
+      4
+    end
+  end
+
+
+  def hexdec4(s)
+    if s.length != 4
+      raise Error, 'short'
+    end
+    (nibble(s[0])<<12) | (nibble(s[1])<<8) | (nibble(s[2])<<4) | nibble(s[3])
+  end
+
+
+  def subst(u1, u2)
+    if Usurr1 <= u1 && u1 < Usurr2 && Usurr2 <= u2 && u2 < Usurr3
+      return ((u1-Usurr1)<<10) | (u2-Usurr2) + Usurrself
+    end
+    return Ucharerr
+  end
+
+
+  def surrogate?(u)
+    Usurr1 <= u && u < Usurr3
+  end
+
+
+  def nibble(c)
+    case true
+    when ?0 <= c && c <= ?9 then c.ord - ?0.ord
+    when ?a <= c && c <= ?z then c.ord - ?a.ord + 10
+    when ?A <= c && c <= ?Z then c.ord - ?A.ord + 10
+    else
+      raise Error, "invalid hex code #{c}"
+    end
+  end
+
+
+  # Encodes x into a json text. It may contain only
+  # Array, Hash, String, Numeric, true, false, nil.
+  # (Note, this list excludes Symbol.)
+  # X itself must be an Array or a Hash.
+  # No other value can be encoded, and an error will
+  # be raised if x contains any other value, such as
+  # Nan, Infinity, Symbol, and Proc, or if a Hash key
+  # is not a String.
+  # Strings contained in x must be valid UTF-8.
+  def encode(x)
+    case x
+    when Hash    then objenc(x)
+    when Array   then arrenc(x)
+    else
+      raise Error, 'root value must be an Array or a Hash'
+    end
+  end
+
+
+  def valenc(x)
+    case x
+    when Hash    then objenc(x)
+    when Array   then arrenc(x)
+    when String  then strenc(x)
+    when Numeric then numenc(x)
+    when true    then "true"
+    when false   then "false"
+    when nil     then "null"
+    else
+      raise Error, "cannot encode #{x.class}: #{x.inspect}"
+    end
+  end
+
+
+  def objenc(x)
+    '{' + x.map{|k,v| keyenc(k) + ':' + valenc(v)}.join(',') + '}'
+  end
+
+
+  def arrenc(a)
+    '[' + a.map{|x| valenc(x)}.join(',') + ']'
+  end
+
+
+  def keyenc(k)
+    case k
+    when String then strenc(k)
+    else
+      raise Error, "Hash key is not a string: #{k.inspect}"
+    end
+  end
+
+
+  def strenc(s)
+    t = StringIO.new
+    t.putc(?")
+    r = 0
+
+    # In ruby >= 1.9, s[r] is a codepoint, not a byte.
+    rubydoesenc = s.class.method_defined?(:encoding)
+
+    while r < s.length
+      case s[r]
+      when ?"  then t.print('\\"')
+      when ?\\ then t.print('\\\\')
+      when ?\b then t.print('\\b')
+      when ?\f then t.print('\\f')
+      when ?\n then t.print('\\n')
+      when ?\r then t.print('\\r')
+      when ?\t then t.print('\\t')
+      else
+        c = s[r]
+        case true
+        when rubydoesenc
+          begin
+            c.ord # will raise an error if c is invalid UTF-8
+            t.write(c)
+          rescue
+            t.write(Ustrerr)
+          end
+        when Spc <= c && c <= ?~
+          t.putc(c)
+        else
+          n = ucharcopy(t, s, r) # ensure valid UTF-8 output
+          r += n - 1 # r is incremented below
+        end
+      end
+      r += 1
+    end
+    t.putc(?")
+    t.string
+  end
+
+
+  def numenc(x)
+    if ((x.nan? || x.infinite?) rescue false)
+      raise Error, "Numeric cannot be represented: #{x}"
+    end
+    "#{x}"
+  end
+
+
+  # Copies the valid UTF-8 bytes of a single character
+  # from string s at position i to I/O object t, and
+  # returns the number of bytes copied.
+  # If no valid UTF-8 char exists at position i,
+  # ucharcopy writes Ustrerr and returns 1.
+  def ucharcopy(t, s, i)
+    n = s.length - i
+    raise Utf8Error if n < 1
+
+    c0 = s[i].ord
+
+    # 1-byte, 7-bit sequence?
+    if c0 < Utagx
+      t.putc(c0)
+      return 1
+    end
+
+    raise Utf8Error if c0 < Utag2 # unexpected continuation byte?
+
+    raise Utf8Error if n < 2 # need continuation byte
+    c1 = s[i+1].ord
+    raise Utf8Error if c1 < Utagx || Utag2 <= c1
+
+    # 2-byte, 11-bit sequence?
+    if c0 < Utag3
+      raise Utf8Error if ((c0&Umask2)<<6 | (c1&Umaskx)) <= Uchar1max
+      t.putc(c0)
+      t.putc(c1)
+      return 2
+    end
+
+    # need second continuation byte
+    raise Utf8Error if n < 3
+
+    c2 = s[i+2].ord
+    raise Utf8Error if c2 < Utagx || Utag2 <= c2
+
+    # 3-byte, 16-bit sequence?
+    if c0 < Utag4
+      u = (c0&Umask3)<<12 | (c1&Umaskx)<<6 | (c2&Umaskx)
+      raise Utf8Error if u <= Uchar2max
+      t.putc(c0)
+      t.putc(c1)
+      t.putc(c2)
+      return 3
+    end
+
+    # need third continuation byte
+    raise Utf8Error if n < 4
+    c3 = s[i+3].ord
+    raise Utf8Error if c3 < Utagx || Utag2 <= c3
+
+    # 4-byte, 21-bit sequence?
+    if c0 < Utag5
+      u = (c0&Umask4)<<18 | (c1&Umaskx)<<12 | (c2&Umaskx)<<6 | (c3&Umaskx)
+      raise Utf8Error if u <= Uchar3max
+      t.putc(c0)
+      t.putc(c1)
+      t.putc(c2)
+      t.putc(c3)
+      return 4
+    end
+
+    raise Utf8Error
+  rescue Utf8Error
+    t.write(Ustrerr)
+    return 1
+  end
+
+
+  class Utf8Error < ::StandardError
+  end
+
+
+  class Error < ::StandardError
+  end
+
+
+  Utagx = 0x80 # 1000 0000
+  Utag2 = 0xc0 # 1100 0000
+  Utag3 = 0xe0 # 1110 0000
+  Utag4 = 0xf0 # 1111 0000
+  Utag5 = 0xF8 # 1111 1000
+  Umaskx = 0x3f # 0011 1111
+  Umask2 = 0x1f # 0001 1111
+  Umask3 = 0x0f # 0000 1111
+  Umask4 = 0x07 # 0000 0111
+  Uchar1max = (1<<7) - 1
+  Uchar2max = (1<<11) - 1
+  Uchar3max = (1<<16) - 1
+  Ucharerr = 0xFFFD # unicode "replacement char"
+  Ustrerr = "\xef\xbf\xbd" # unicode "replacement char"
+  Usurrself = 0x10000
+  Usurr1 = 0xd800
+  Usurr2 = 0xdc00
+  Usurr3 = 0xe000
+
+  Spc = ' '[0]
+  Unesc = {?b=>?\b, ?f=>?\f, ?n=>?\n, ?r=>?\r, ?t=>?\t}
+end

data/rack.gemspec

@@ -1,8 +1,9 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.5.1"
+  s.version         = "1.5.2"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
+  s.license         = "MIT"
 
   s.description = <<-EOF
 Rack provides a minimal, modular and adaptable interface for developing

data/test/spec_multipart.rb

@@ -364,7 +364,7 @@ Content-Type: image/jpeg\r
   end
 
   it "builds complete params with the chunk size of 16384 slicing exactly on boundary" do
-    data = File.open(multipart_file("fail_16384_nofile")) { |f| f.read }.gsub(/\n/, "\r\n")
+    data = File.open(multipart_file("fail_16384_nofile"), 'rb') { |f| f.read }.gsub(/\n/, "\r\n")
     options = {
       "CONTENT_TYPE" => "multipart/form-data; boundary=----WebKitFormBoundaryWsY0GnpbI5U7ztzo",
       "CONTENT_LENGTH" => data.length.to_s,

data/test/spec_request.rb

@@ -1010,6 +1010,30 @@ EOF
     res.body.should.equal '3.4.5.6'
   end
 
+  should "regard local addresses as proxies" do
+    req = Rack::Request.new(Rack::MockRequest.env_for("/"))
+    req.trusted_proxy?('127.0.0.1').should.equal 0
+    req.trusted_proxy?('10.0.0.1').should.equal 0
+    req.trusted_proxy?('172.16.0.1').should.equal 0
+    req.trusted_proxy?('172.20.0.1').should.equal 0
+    req.trusted_proxy?('172.30.0.1').should.equal 0
+    req.trusted_proxy?('172.31.0.1').should.equal 0
+    req.trusted_proxy?('192.168.0.1').should.equal 0
+    req.trusted_proxy?('::1').should.equal 0
+    req.trusted_proxy?('fd00::').should.equal 0
+    req.trusted_proxy?('localhost').should.equal 0
+    req.trusted_proxy?('unix').should.equal 0
+    req.trusted_proxy?('unix:/tmp/sock').should.equal 0
+
+    req.trusted_proxy?("unix.example.org").should.equal nil
+    req.trusted_proxy?("example.org\n127.0.0.1").should.equal nil
+    req.trusted_proxy?("127.0.0.1\nexample.org").should.equal nil
+    req.trusted_proxy?("11.0.0.1").should.equal nil
+    req.trusted_proxy?("172.15.0.1").should.equal nil
+    req.trusted_proxy?("172.32.0.1").should.equal nil
+    req.trusted_proxy?("2001:470:1f0b:18f8::1").should.equal nil
+  end
+
   class MyRequest < Rack::Request
     def params
       {:foo => "bar"}

data/test/spec_sendfile.rb

@@ -35,7 +35,7 @@ describe Rack::Sendfile do
       unless method_defined?(:to_path)
         alias :to_path :path
       end
-    end.open(path, 'w+')
+    end.open(path, 'wb+')
   end
 
   it "does nothing when no X-Sendfile-Type header present" do

data/test/spec_server.rb

@@ -110,6 +110,22 @@ describe Rack::Server do
     server.send(:pidfile_process_status).should.eql :not_owned
   end
 
+  should "not write pid file when it is created after check" do
+    pidfile = Tempfile.open('pidfile') { |f| break f }.path
+    ::File.delete(pidfile)
+    server = Rack::Server.new(:pid => pidfile)
+    ::File.open(pidfile, 'w') { |f| f.write(1) }
+    with_stderr do |err|
+      should.raise(SystemExit) do
+        server.send(:write_pid)
+      end
+      err.rewind
+      output = err.read
+      output.should.match(/already running/)
+      output.should.include? pidfile
+    end
+  end
+
   should "inform the user about existing pidfiles with running processes" do
     pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path
     server = Rack::Server.new(:pid => pidfile)

data/test/spec_session_cookie.rb

@@ -100,6 +100,25 @@ describe Rack::Session::Cookie do
         coder.decode('lulz').should.equal nil
       end
     end
+
+    describe 'JSON' do
+      it 'marshals and base64 encodes' do
+        coder = Rack::Session::Cookie::Base64::JSON.new
+        obj   = %w[fuuuuu]
+        coder.encode(obj).should.equal [::Rack::Utils::OkJson.encode(obj)].pack('m')
+      end
+
+      it 'marshals and base64 decodes' do
+        coder = Rack::Session::Cookie::Base64::JSON.new
+        str   = [::Rack::Utils::OkJson.encode(%w[fuuuuu])].pack('m')
+        coder.decode(str).should.equal ::Rack::Utils::OkJson.decode(str.unpack('m').first)
+      end
+
+      it 'rescues failures on decode' do
+        coder = Rack::Session::Cookie::Base64::JSON.new
+        coder.decode('lulz').should.equal nil
+      end
+    end
   end
 
   it "warns if no secret is given" do

data/test/spec_urlmap.rb

@@ -110,7 +110,7 @@ describe Rack::URLMap do
 
     res = Rack::MockRequest.new(map).get("http://foo.org/")
     res.should.be.ok
-    res["X-Position"].should.equal "default.org"
+    res["X-Position"].should.equal "foo.org"
 
     res = Rack::MockRequest.new(map).get("/", "HTTP_HOST" => "example.org")
     res.should.be.ok

data/test/spec_utils.rb

@@ -354,6 +354,11 @@ describe Rack::Utils do
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end
 
+  should "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   should "return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

metadata

@@ -1,70 +1,68 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: rack
-version: !ruby/object:Gem::Version
-  version: 1.5.1
+version: !ruby/object:Gem::Version 
+  hash: 7
   prerelease: 
+  segments: 
+  - 1
+  - 5
+  - 2
+  version: 1.5.2
 platform: ruby
-authors:
+authors: 
 - Christian Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-28 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2013-02-08 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: bacon
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rake
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-description: ! 'Rack provides a minimal, modular and adaptable interface for developing
-
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+description: |
+  Rack provides a minimal, modular and adaptable interface for developing
   web applications in Ruby.  By wrapping HTTP requests and responses in
-
   the simplest way possible, it unifies and distills the API for web
-
   servers, web frameworks, and software in between (the so-called
-
   middleware) into a single method call.
-
-
+  
   Also see http://rack.github.com/.
 
-'
 email: chneukirchen@gmail.com
-executables:
+executables: 
 - rackup
 extensions: []
-extra_rdoc_files:
+
+extra_rdoc_files: 
 - README.rdoc
 - KNOWN-ISSUES
-files:
+files: 
 - bin/rackup
 - contrib/rack.png
 - contrib/rack.svg
@@ -135,6 +133,7 @@ files:
 - lib/rack/showstatus.rb
 - lib/rack/static.rb
 - lib/rack/urlmap.rb
+- lib/rack/utils/okjson.rb
 - lib/rack/utils.rb
 - lib/rack.rb
 - test/builder/anything.rb
@@ -238,30 +237,39 @@ files:
 - README.rdoc
 - SPEC
 homepage: http://rack.github.com/
-licenses: []
+licenses: 
+- MIT
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: rack
-rubygems_version: 1.8.23
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: a modular Ruby webserver interface
-test_files:
+test_files: 
 - test/spec_auth_basic.rb
 - test/spec_auth_digest.rb
 - test/spec_body_proxy.rb
@@ -309,3 +317,4 @@ test_files:
 - test/spec_urlmap.rb
 - test/spec_utils.rb
 - test/spec_webrick.rb
+has_rdoc: