RubyGems - rack - Versions diffs - 1.6.0.beta2 → 1.6.0 - Mend

rack 1.6.0.beta2 → 1.6.0

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 67268c360a9006f4c63b876a1dff3d8f4dfbdc51
-  data.tar.gz: 394f5b04b57657f9fe03bbd84ea1d81bb6a438e5
+  metadata.gz: 942ed8704e37c2a93a99fe47fe5402122dbbacc3
+  data.tar.gz: 8a52005b33ac3863b001ea56350b65b50c74b8a0
 SHA512:
-  metadata.gz: ff862d5cdcb4a71aecd2d94d4774ddf116cc0b94e5b07e5833d14928605b61c845103bcd8cc1638c69d8fb3ce1e4a2a2d39f7a896b3940b1adce960a276fae3f
-  data.tar.gz: e96164e1ee85b7d08e16fa2b80d6913f17161847e53eec50f9a8e745833b867c641798ab0857d3a055c6e3cb4ef8ee7094dbd19090a06a6e2c47a45cec636f1d
+  metadata.gz: f7a7414780bc2acadb7b8fc479ea7087c1b93ce0a1d82649dccd33caef7d8fe3eaba5f4188fe58baa3b889331ed29ac584b13b11572dc6ec5dc0844f73f9c2fe
+  data.tar.gz: 6eb24f229ef6aa6db52dfc04d2c519be8a4e89c2010d3c0f1d89a50b4973c7eafd07819c1d0ab961a10ee9e063174c76374b2bb3f1a52865458750a5ef7263b1

data/README.rdoc CHANGED

@@ -181,6 +181,34 @@ Installing the Ruby fcgi gem:
 Furthermore, to test Memcache sessions, you need memcached (will be
 run on port 11211) and memcache-client installed.
+== Configuration
+Several parameters can be modified on `Rack::Utils` to configure Rack behaviour.
+e.g:
+```ruby
+Rack::Utils.key_space_limit = 128
+```
+=== key_space_limit
+The default number of bytes to allow a single parameter key to take up.
+This helps prevent a rogue client from flooding a Request.
+Default to 65536 characters (4 kiB in worst case).
+=== multipart_part_limit
+The maximum number of parts a request can contain.
+Accepting too many part can lead to the server running out of file handles.
+The default is `128`, which mean that a single request can't upload more than 128 files at once.
+Set to `0` for not limit.
+Can also be set via the `RACK_MULTIPART_PART_LIMIT` environment variable.
 == History
 * March 3rd, 2007: First public release 0.1.

data/Rakefile CHANGED

@@ -32,7 +32,7 @@ task :officialrelease do
 end
 task :officialrelease_really => %w[SPEC dist gem] do
-  sh "sha1sum #{release}.tar.gz #{release}.gem"
+  sh "shasum #{release}.tar.gz #{release}.gem"
 end
 def release

data/SPEC CHANGED

@@ -176,20 +176,16 @@ The error stream must respond to +puts+, +write+ and +flush+.
 If rack.hijack? is true then rack.hijack must respond to #call.
 rack.hijack must return the io that will also be assigned (or is
 already present, in rack.hijack_io.
 rack.hijack_io must respond to:
 <tt>read, write, read_nonblock, write_nonblock, flush, close,
 close_read, close_write, closed?</tt>
 The semantics of these IO methods must be a best effort match to
 those of a normal ruby IO or Socket object, using standard
 arguments and raising standard exceptions. Servers are encouraged
 to simply pass on real IO objects, although it is recognized that
 this approach is not directly compatible with SPDY and HTTP 2.0.
 IO provided in rack.hijack_io should preference the
 IO::WaitReadable and IO::WaitWritable APIs wherever supported.
 There is a deliberate lack of full specification around
 rack.hijack_io, as semantics will change from server to server.
 Users are encouraged to utilize this API with a knowledge of their
@@ -197,9 +193,7 @@ server choice, and servers may extend the functionality of
 hijack_io to provide additional features to users. The purpose of
 rack.hijack is for Rack to "get out of the way", as such, Rack only
 provides the minimum of specification and support.
 If rack.hijack? is false, then rack.hijack should not be set.
 If rack.hijack? is false, then rack.hijack_io should not be set.
 ==== Response (after headers)
 It is also possible to hijack a response after the status and headers
@@ -208,7 +202,6 @@ In order to do this, an application may set the special header
 <tt>rack.hijack</tt> to an object that responds to <tt>call</tt>
 accepting an argument that conforms to the <tt>rack.hijack_io</tt>
 protocol.
 After the headers have been sent, and this hijack callback has been
 called, the application is now responsible for the remaining lifecycle
 of the IO. The application is also responsible for maintaining HTTP
@@ -217,10 +210,8 @@ applications will have wanted to specify the header Connection:close in
 HTTP/1.1, and not Connection:keep-alive, as there is no protocol for
 returning hijacked sockets to the web server. For that purpose, use the
 body streaming API instead (progressively yielding strings via each).
 Servers must ignore the <tt>body</tt> part of the response tuple when
 the <tt>rack.hijack</tt> response API is in use.
 The special response header <tt>rack.hijack</tt> must only be set
 if the request env has <tt>rack.hijack?</tt> <tt>true</tt>.
 ==== Conventions
@@ -238,9 +229,9 @@ The header must respond to +each+, and yield values of key and value.
 Special headers starting "rack." are for communicating with the
 server, and must not be sent back to the client.
 The header keys must be Strings.
-The header must not contain a +Status+ key,
-contain keys with <tt>:</tt> or newlines in their name,
-but only contain keys that match the token rule according to RFC 2616.
+The header must not contain a +Status+ key.
+The header must conform to RFC7230 token specification, i.e. cannot
+contain non-printable ASCII, DQUOTE or "(),/:;<=>?@[\]{}".
 The values of the header must be Strings,
 consisting of lines (for multiple header values, e.g. multiple
 <tt>Set-Cookie</tt> values) separated by "\\n".

data/lib/rack.rb CHANGED

@@ -11,7 +11,7 @@
 module Rack
   # The Rack protocol version number implemented.
-  VERSION = [1,2]
+  VERSION = [1,3]
   # Return the Rack protocol version as a dotted string.
   def self.version

data/lib/rack/lint.rb CHANGED

@@ -635,12 +635,11 @@ module Rack
         assert("header key must be a string, was #{key.class}") {
           key.kind_of? String
         }
-        ## The header must not contain a +Status+ key,
+        ## The header must not contain a +Status+ key.
         assert("header must not contain Status") { key.downcase != "status" }
-        ## contain keys with <tt>:</tt> or newlines in their name,
-        assert("header names must not contain : or \\n") { key !~ /[:\n]/ }
-        ## The header must match the token rule according to RFC 2616
-        assert("invalid header name: #{key}") { key =~ /\A[\!#\$%&'\*\+-.0-9A-Z\^_`a-z\|~]+\z/ }
+        ## The header must conform to RFC7230 token specification, i.e. cannot
+        ## contain non-printable ASCII, DQUOTE or "(),/:;<=>?@[\]{}".
+        assert("invalid header name: #{key}") { key !~ /[\(\),\/:;<=>\?@\[\\\]{}[[:cntrl:]]]/ }
         ## The values of the header must be Strings,
         assert("a header value must be a String, but the value of " +

data/lib/rack/utils.rb CHANGED

@@ -68,7 +68,7 @@ module Rack
     # This helps prevent a rogue client from flooding a Request.
     self.key_space_limit = 65536
-    # The maximum number of parts a request can contain. Accepting to many part
+    # The maximum number of parts a request can contain. Accepting too many part
     # can lead to the server running out of file handles.
     # Set to `0` for no limit.
     self.multipart_part_limit = (ENV['RACK_MULTIPART_LIMIT'] || 128).to_i

data/rack.gemspec CHANGED

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.6.0.beta2"
+  s.version         = "1.6.0"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
   s.license         = "MIT"

data/test/spec_lint.rb CHANGED

@@ -200,19 +200,36 @@ describe Rack::Lint do
     }.should.raise(Rack::Lint::LintError).
       message.should.match(/must not contain Status/)
-    lambda {
-      Rack::Lint.new(lambda { |env|
-                       [200, {"Content-Type:" => "text/plain"}, []]
-                     }).call(env({}))
-    }.should.raise(Rack::Lint::LintError).
-      message.should.match(/must not contain :/)
-    lambda {
-      Rack::Lint.new(lambda { |env|
-                       [200, {"([{<quark>}])?" => "text/plain"}, []]
-                     }).call(env({}))
-    }.should.raise(Rack::Lint::LintError).
-      message.should.equal("invalid header name: ([{<quark>}])?")
+    # From RFC 7230:<F24><F25>
+    # Most HTTP header field values are defined using common syntax
+    # components (token, quoted-string, and comment) separated by
+    # whitespace or specific delimiting characters.  Delimiters are chosen
+    # from the set of US-ASCII visual characters not allowed in a token
+    # (DQUOTE and "(),/:;<=>?@[\]{}").
+    #
+    #   token          = 1*tchar
+    #
+    #   tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
+    #                 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+    #                 / DIGIT / ALPHA
+    #                 ; any VCHAR, except delimiters
+    invalid_headers = 0.upto(31).map(&:chr) + %W<( ) , / : ; < = > ? @ [ \\ ] { } \x7F>
+    invalid_headers.each do |invalid_header|
+      lambda {
+        Rack::Lint.new(lambda { |env|
+          [200, {invalid_header => "text/plain"}, []]
+        }).call(env({}))
+      }.should.raise(Rack::Lint::LintError, "on invalid header: #{invalid_header}").
+      message.should.equal("invalid header name: #{invalid_header}")
+    end
+    valid_headers = 0.upto(127).map(&:chr) - invalid_headers
+    valid_headers.each do |valid_header|
+      lambda {
+        Rack::Lint.new(lambda { |env|
+          [200, {valid_header => "text/plain"}, []]
+        }).call(env({}))
+      }.should.not.raise(Rack::Lint::LintError, "on valid header: #{valid_header}")
+    end
     lambda {
       Rack::Lint.new(lambda { |env|

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 1.6.0.beta2
+  version: 1.6.0
 platform: ruby
 authors:
 - Christian Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-11-27 00:00:00.000000000 Z
+date: 2014-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bacon
@@ -246,12 +246,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: rack
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: a modular Ruby webserver interface