rack 1.5.5 → 1.6.0.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ddc7522db220a6e7fef72e5720df45c3e78a9b54
-  data.tar.gz: c0b77fe5d69c8bcfbd315494f00541e4e72d4f35
+  metadata.gz: b7e9fdbcce0cd16bdeda0ee39e9aa066e2dbcb17
+  data.tar.gz: 1be24bd36bc380d25cb5ef7bff5bf2abab269412
 SHA512:
-  metadata.gz: 5c9e7ad0586b57f002aab11b31758620c0c314ff77998500d67a6bf1b7eb6c6edcd74630a0642ea71a78da8866a281c9f74a3f540fd6a9296e1bb4cf7ea3dcbe
-  data.tar.gz: 51fb9d24391b01c03a9dcc0c1b7cf453d7d3320be8bc97ce9bf4a65656cbe820ae1edef3d587b3595ed64c6dabe3e31d86effb92b79a3461a78dbdeb874375d7
+  metadata.gz: 1f4730c383cd5346a255fe4a179470653370f345ccf508389bf4149c744908b195ec3676eb564f5bf434e261d698230c7ba38dd7d192ddd022c1df9d9c0f7bf7
+  data.tar.gz: 42f1f9f7239286710e4b3b58f142cd673fe66e56b9e42ec45c2c7a3406079118f2dd1684c165404d9f77e482129335fa315ef179fefd0711c0f59156c4ca7a31

data/KNOWN-ISSUES

@@ -28,3 +28,17 @@
 
   Since lighttpd 1.4.23, you also can use the "fix-root-scriptname" flag
   in fastcgi.server.
+
+= Known conflicts regarding parameter parsing
+
+ * Many users have differing opinions about parameter parsing. The current
+   parameter parsers in Rack are based on a combination of the HTTP and CGI
+   specs, and are intended to round-trip encoding and decoding. There are some
+   choices that may be viewed as deficiencies, specifically:
+    - Rack does not create implicit arrays for multiple instances of a parameter
+    - Rack returns nil when a value is not given
+    - Rack does not support multi-type keys in parameters
+   These issues or choices, will not be fixed before 2.0, if at all. They are
+   very major breaking changes. Users are free to write alternative parameter
+   parsers, and their own Request and Response wrappers. Moreover, users are
+   encouraged to do so.

data/README.rdoc

@@ -1,4 +1,4 @@
-= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.png" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.png" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
+= Rack, a modular Ruby webserver interface {<img src="https://secure.travis-ci.org/rack/rack.svg" alt="Build Status" />}[http://travis-ci.org/rack/rack] {<img src="https://gemnasium.com/rack/rack.svg" alt="Dependency Status" />}[https://gemnasium.com/rack/rack]
 
 Rack provides a minimal, modular and adaptable interface for developing
 web applications in Ruby.  By wrapping HTTP requests and responses in
@@ -33,6 +33,7 @@ These web servers include Rack handlers in their distributions:
 * Unicorn
 * unixrack
 * uWSGI
+* yahns
 * Zbatery
 
 Any valid Rack app will run the same on all these handlers, without
@@ -528,8 +529,6 @@ run on port 11211) and memcache-client installed.
   * Fix a race condition that could result in overwritten pidfiles
   * Various documentation additions
 
-* Prevent extremely deep parameters from being parsed. CVE-2015-3225
-
 == Contact
 
 Please post bugs, suggestions and patches to
@@ -557,12 +556,17 @@ The Rack Core Team, consisting of
 * Christian Neukirchen (chneukirchen)
 * James Tucker (raggi)
 * Josh Peek (josh)
+* José Valim (josevalim)
 * Michael Fellinger (manveru)
-* Ryan Tomayko (rtomayko)
-* Scytrin dai Kinthra (scytrin)
 * Aaron Patterson (tenderlove)
+* Santiago Pastorino (spastorino)
 * Konstantin Haase (rkh)
 
+and the Rack Alumnis
+
+* Ryan Tomayko (rtomayko)
+* Scytrin dai Kinthra (scytrin)
+
 would like to thank:
 
 * Adrian Madrid, for the LiteSpeed handler.
@@ -616,7 +620,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 == Links
 
-Rack:: <http://rack.github.com/>
+Rack:: <http://rack.github.io/>
 Official Rack repositories:: <http://github.com/rack>
 Rack Bug Tracking:: <http://github.com/rack/rack/issues>
 rack-devel mailing list:: <http://groups.google.com/group/rack-devel>

data/Rakefile

@@ -6,7 +6,6 @@ task :default => [:test]
 desc "Install gem dependencies"
 task :deps do
   require 'rubygems'
-  require 'rbconfig'
   spec = Gem::Specification.load('rack.gemspec')
   spec.dependencies.each do |dep|
     reqs = dep.requirements_list
@@ -33,7 +32,7 @@ task :officialrelease do
 end
 
 task :officialrelease_really => %w[SPEC dist gem] do
-  sh "shasum #{release}.tar.gz #{release}.gem"
+  sh "sha1sum #{release}.tar.gz #{release}.gem"
 end
 
 def release
@@ -42,8 +41,8 @@ end
 
 desc "Make binaries executable"
 task :chmod do
-  Dir["bin/*"].each { |binary| File.chmod(0775, binary) }
-  Dir["test/cgi/test*"].each { |binary| File.chmod(0775, binary) }
+  Dir["bin/*"].each { |binary| File.chmod(0755, binary) }
+  Dir["test/cgi/test*"].each { |binary| File.chmod(0755, binary) }
 end
 
 desc "Generate a ChangeLog"

data/SPEC

@@ -40,7 +40,17 @@ below.
 <tt>QUERY_STRING</tt>:: The portion of the request URL that
                         follows the <tt>?</tt>, if any. May be
                         empty, but is always required!
-<tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>:: When combined with <tt>SCRIPT_NAME</tt> and <tt>PATH_INFO</tt>, these variables can be used to complete the URL. Note, however, that <tt>HTTP_HOST</tt>, if present, should be used in preference to <tt>SERVER_NAME</tt> for reconstructing the request URL.  <tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt> can never be empty strings, and so are always required.
+<tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>::
+                       When combined with <tt>SCRIPT_NAME</tt> and
+                       <tt>PATH_INFO</tt>, these variables can be
+                       used to complete the URL. Note, however,
+                       that <tt>HTTP_HOST</tt>, if present,
+                       should be used in preference to
+                       <tt>SERVER_NAME</tt> for reconstructing
+                       the request URL.
+                       <tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt>
+                       can never be empty strings, and so
+                       are always required.
 <tt>HTTP_</tt> Variables:: Variables corresponding to the
                            client-supplied HTTP request
                            headers (i.e., variables whose
@@ -49,24 +59,47 @@ below.
                            variables should correspond with
                            the presence or absence of the
                            appropriate HTTP header in the
-                           request. See <a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
-                           RFC3875 section 4.1.18</a> for specific behavior.
+                           request. See
+                           <a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
+                           RFC3875 section 4.1.18</a> for
+                           specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
-<tt>rack.version</tt>:: The Array representing this version of Rack. See Rack::VERSION, that corresponds to the version of this SPEC.
-<tt>rack.url_scheme</tt>:: +http+ or +https+, depending on the request URL.
+<tt>rack.version</tt>:: The Array representing this version of Rack
+                        See Rack::VERSION, that corresponds to
+                        the version of this SPEC.
+<tt>rack.url_scheme</tt>:: +http+ or +https+, depending on the
+                           request URL.
 <tt>rack.input</tt>:: See below, the input stream.
 <tt>rack.errors</tt>:: See below, the error stream.
-<tt>rack.multithread</tt>:: true if the application object may be simultaneously invoked by another thread in the same process, false otherwise.
-<tt>rack.multiprocess</tt>:: true if an equivalent application object may be simultaneously invoked by another process, false otherwise.
-<tt>rack.run_once</tt>:: true if the server expects (but does not guarantee!) that the application will only be invoked this one time during the life of its containing process. Normally, this will only be true for a server based on CGI (or something similar).
-<tt>rack.hijack?</tt>:: present and true if the server supports connection hijacking. See below, hijacking.
-<tt>rack.hijack</tt>:: an object responding to #call that must be called at least once before using rack.hijack_io. It is recommended #call return rack.hijack_io as well as setting it in env if necessary.
-<tt>rack.hijack_io</tt>:: if rack.hijack? is true, and rack.hijack has received #call, this will contain an object resembling an IO. See hijacking.
+<tt>rack.multithread</tt>:: true if the application object may be
+                            simultaneously invoked by another thread
+                            in the same process, false otherwise.
+<tt>rack.multiprocess</tt>:: true if an equivalent application object
+                             may be simultaneously invoked by another
+                             process, false otherwise.
+<tt>rack.run_once</tt>:: true if the server expects
+                         (but does not guarantee!) that the
+                         application will only be invoked this one
+                         time during the life of its containing
+                         process. Normally, this will only be true
+                         for a server based on CGI
+                         (or something similar).
+<tt>rack.hijack?</tt>:: present and true if the server supports
+                        connection hijacking. See below, hijacking.
+<tt>rack.hijack</tt>:: an object responding to #call that must be
+                       called at least once before using
+                       rack.hijack_io.
+                       It is recommended #call return rack.hijack_io
+                       as well as setting it in env if necessary.
+<tt>rack.hijack_io</tt>:: if rack.hijack? is true, and rack.hijack
+                          has received #call, this will contain
+                          an object resembling an IO. See hijacking.
 Additional environment specifications have approved to
 standardized middleware APIs.  None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing request session data.
+<tt>rack.session</tt>:: A hash like interface for storing
+                        request session data.
                         The store must implement:
                         store(key, value)         (aliased as []=);
                         fetch(key, default = nil) (aliased as []);
@@ -110,15 +143,18 @@ must be opened in binary mode, for Ruby 1.9 compatibility.
 The input stream must respond to +gets+, +each+, +read+ and +rewind+.
 * +gets+ must be called without arguments and return a string,
   or +nil+ on EOF.
-* +read+ behaves like IO#read. Its signature is <tt>read([length, [buffer]])</tt>.
-  If given, +length+ must be a non-negative Integer (>= 0) or +nil+, and +buffer+ must
-  be a String and may not be nil. If +length+ is given and not nil, then this method
-  reads at most +length+ bytes from the input stream. If +length+ is not given or nil,
-  then this method reads all data until EOF.
-  When EOF is reached, this method returns nil if +length+ is given and not nil, or ""
-  if +length+ is not given or is nil.
-  If +buffer+ is given, then the read data will be placed into +buffer+ instead of a
-  newly created String object.
+* +read+ behaves like IO#read.
+  Its signature is <tt>read([length, [buffer]])</tt>.
+  If given, +length+ must be a non-negative Integer (>= 0) or +nil+,
+  and +buffer+ must be a String and may not be nil.
+  If +length+ is given and not nil, then this method reads at most
+  +length+ bytes from the input stream.
+  If +length+ is not given or nil, then this method reads
+  all data until EOF.
+  When EOF is reached, this method returns nil if +length+ is given
+  and not nil, or "" if +length+ is not given or is nil.
+  If +buffer+ is given, then the read data will be placed
+  into +buffer+ instead of a newly created String object.
 * +each+ must be called without arguments and only yield Strings.
 * +rewind+ must be called without arguments. It rewinds the input
   stream back to the beginning. It must not raise Errno::ESPIPE:
@@ -207,7 +243,7 @@ but only contain keys that consist of
 letters, digits, <tt>_</tt> or <tt>-</tt> and start with a letter.
 The values of the header must be Strings,
 consisting of lines (for multiple header values, e.g. multiple
-<tt>Set-Cookie</tt> values) seperated by "\n".
+<tt>Set-Cookie</tt> values) separated by "\\n".
 The lines must not contain characters below 037.
 === The Content-Type
 There must not be a <tt>Content-Type</tt>, when the +Status+ is 1xx,
@@ -222,7 +258,7 @@ The Body itself should not be an instance of String, as this will
 break in Ruby 1.9.
 If the Body responds to +close+, it will be called after iteration. If
 the body is replaced by a middleware after action, the original body
-must be closed first, if it repsonds to close.
+must be closed first, if it responds to close.
 If the Body responds to +to_path+, it must return a String
 identifying the location of a file whose contents are identical
 to that produced by calling +each+; this may be used by the

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.5.5"
+    "1.5"
   end
 
   autoload :Builder, "rack/builder"
@@ -53,6 +53,7 @@ module Rack
   autoload :ShowExceptions, "rack/showexceptions"
   autoload :ShowStatus, "rack/showstatus"
   autoload :Static, "rack/static"
+  autoload :TempfileReaper, "rack/tempfile_reaper"
   autoload :URLMap, "rack/urlmap"
   autoload :Utils, "rack/utils"
   autoload :Multipart, "rack/multipart"

data/lib/rack/auth/abstract/request.rb

@@ -21,7 +21,7 @@ module Rack
       end
 
       def scheme
-        @scheme ||= parts.first.downcase
+        @scheme ||= parts.first && parts.first.downcase
       end
 
       def params

data/lib/rack/auth/basic.rb

@@ -41,7 +41,7 @@ module Rack
 
       class Request < Auth::AbstractRequest
         def basic?
-          !parts.first.nil? && "basic" == scheme
+          "basic" == scheme
         end
 
         def credentials

data/lib/rack/auth/digest/md5.rb

@@ -96,7 +96,7 @@ module Rack
 
         def valid_digest?(auth)
           pw = @authenticator.call(auth.username)
-          pw && digest(auth, pw) == auth.response
+          pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
         end
 
         def md5(data)

data/lib/rack/backports/uri/common_18.rb

@@ -46,7 +46,7 @@ module URI
 
   # Decode given +str+ of URL-encoded form data.
   #
-  # This decods + to SP.
+  # This decodes + to SP.
   #
   # See URI.encode_www_form_component, URI.decode_www_form
   def self.decode_www_form_component(str, enc=nil)

data/lib/rack/builder.rb

@@ -51,7 +51,7 @@ module Rack
     end
 
     def initialize(default_app = nil,&block)
-      @use, @map, @run = [], nil, default_app
+      @use, @map, @run, @warmup = [], nil, default_app, nil
       instance_eval(&block) if block_given?
     end
 
@@ -73,7 +73,7 @@ module Rack
     #   end
     #
     #   use Middleware
-    #   run lambda { |env| [200, { "Content-Type => "text/plain" }, ["OK"]] }
+    #   run lambda { |env| [200, { "Content-Type" => "text/plain" }, ["OK"]] }
     #
     # All requests through to this application will first be processed by the middleware class.
     # The +call+ method in this example sets an additional environment key which then can be
@@ -104,6 +104,19 @@ module Rack
       @run = app
     end
 
+    # Takes a lambda or block that is used to warm-up the application.
+    #
+    #   warmup do |app|
+    #     client = Rack::MockRequest.new(app)
+    #     client.get('/')
+    #   end
+    #
+    #   use SomeMiddleware
+    #   run MyApp
+    def warmup(prc=nil, &block)
+      @warmup = prc || block
+    end
+
     # Creates a route within the application.
     #
     #   Rack::Builder.app do
@@ -131,7 +144,9 @@ module Rack
     def to_app
       app = @map ? generate_map(@run, @map) : @run
       fail "missing run or map statement" unless app
-      @use.reverse.inject(app) { |a,e| e[a] }
+      app = @use.reverse.inject(app) { |a,e| e[a] }
+      @warmup.call(app) if @warmup
+      app
     end
 
     def call(env)
@@ -142,7 +157,7 @@ module Rack
 
     def generate_map(default_app, mapping)
       mapped = default_app ? {'/' => default_app} : {}
-      mapping.each { |r,b| mapped[r] = self.class.new(default_app, &b) }
+      mapping.each { |r,b| mapped[r] = self.class.new(default_app, &b).to_app }
       URLMap.new(mapped)
     end
   end

data/lib/rack/cascade.rb

@@ -38,12 +38,12 @@ module Rack
       result
     end
 
-    def add app
+    def add(app)
       @has_app[app] = true
       @apps << app
     end
 
-    def include? app
+    def include?(app)
       @has_app.include? app
     end
 

data/lib/rack/chunked.rb

@@ -39,11 +39,22 @@ module Rack
       @app = app
     end
 
+    # pre-HTTP/1.0 (informally "HTTP/0.9") HTTP requests did not have
+    # a version (nor response headers)
+    def chunkable_version?(ver)
+      case ver
+      when "HTTP/1.0", nil, "HTTP/0.9"
+        false
+      else
+        true
+      end
+    end
+
     def call(env)
       status, headers, body = @app.call(env)
       headers = HeaderHash.new(headers)
 
-      if env['HTTP_VERSION'] == 'HTTP/1.0' ||
+      if ! chunkable_version?(env['HTTP_VERSION']) ||
          STATUS_WITH_NO_ENTITY_BODY.include?(status) ||
          headers['Content-Length'] ||
          headers['Transfer-Encoding']

data/lib/rack/commonlogger.rb

@@ -10,7 +10,7 @@ module Rack
   # an instance of Rack::NullLogger.
   #
   # +logger+ can be any class, including the standard library Logger, and is
-  # expected to have a +write+ method, which accepts the CommonLogger::FORMAT.
+  # expected to have either +write+ or +<<+ method, which accepts the CommonLogger::FORMAT.
   # According to the SPEC, the error stream must also respond to +puts+
   # (which takes a single argument that responds to +to_s+), and +flush+
   # (which is called without arguments in order to make the error appear for
@@ -18,7 +18,7 @@ module Rack
   class CommonLogger
     # Common Log Format: http://httpd.apache.org/docs/1.3/logs.html#common
     #
-    #   lilith.local - - [07/Aug/2006 23:58:02] "GET / HTTP/1.1" 500 -
+    #   lilith.local - - [07/Aug/2006 23:58:02 -0400] "GET / HTTP/1.1" 500 -
     #
     #   %{%s - %s [%s] "%s %s%s %s" %d %s\n} %
     FORMAT = %{%s - %s [%s] "%s %s%s %s" %d %s %0.4f\n}
@@ -42,11 +42,10 @@ module Rack
       now = Time.now
       length = extract_content_length(header)
 
-      logger = @logger || env['rack.errors']
-      logger.write FORMAT % [
+      msg = FORMAT % [
         env['HTTP_X_FORWARDED_FOR'] || env["REMOTE_ADDR"] || "-",
         env["REMOTE_USER"] || "-",
-        now.strftime("%d/%b/%Y %H:%M:%S"),
+        now.strftime("%d/%b/%Y:%H:%M:%S %z"),
         env["REQUEST_METHOD"],
         env["PATH_INFO"],
         env["QUERY_STRING"].empty? ? "" : "?"+env["QUERY_STRING"],
@@ -54,6 +53,15 @@ module Rack
         status.to_s[0..3],
         length,
         now - began_at ]
+
+      logger = @logger || env['rack.errors']
+      # Standard library logger doesn't support write but it supports << which actually
+      # calls to write on the log device without formatting
+      if logger.respond_to?(:write)
+        logger.write(msg)
+      else
+        logger << msg
+      end
     end
 
     def extract_content_length(headers)

data/lib/rack/conditionalget.rb

@@ -28,7 +28,10 @@ module Rack
           status = 304
           headers.delete('Content-Type')
           headers.delete('Content-Length')
-          body = []
+          original_body = body
+          body = Rack::BodyProxy.new([]) do
+            original_body.close if original_body.respond_to?(:close)
+          end
         end
         [status, headers, body]
       else
@@ -61,7 +64,16 @@ module Rack
     end
 
     def to_rfc2822(since)
-      Time.rfc2822(since) rescue nil
+      # shortest possible valid date is the obsolete: 1 Nov 97 09:55 A
+      # anything shorter is invalid, this avoids exceptions for common cases
+      # most common being the empty string
+      if since && since.length >= 16
+        # NOTE: there is no trivial way to write this in a non execption way
+        #   _rfc2822 returns a hash but is not that usable
+        Time.rfc2822(since) rescue nil
+      else
+        nil
+      end
     end
   end
 end