rack 1.6.4 → 1.6.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fb00d79382a3da4823e22b19a39e44c18b6ecf95
-  data.tar.gz: 5bb320ab78e603bb4da43d757bba382654562f3a
+  metadata.gz: 20cfbff780d181ef57fe493c5d9d52586cb65bae
+  data.tar.gz: f57c4e0262ec3491683ea83e9823e9fe49973fbe
 SHA512:
-  metadata.gz: b3ef871417f3da49fac5952395efb126fe540303227f6a1a1f0bedc08b33abfed4cef4a001e788284ca0135eed3e39b0471cd865af78f1b1ef2efcb076ba07c8
-  data.tar.gz: a1fd7d68a5503e67c985089855c2544e10009677949fe6945bd51cfe59796eb5d60879687884b46319ebd7b0858723caa57ee68a4d9cf8f7463b355591905500
+  metadata.gz: 2dc649b00ffb1811ad6c49a0aa9c48376b9f8dd3b5b15d1f19cd5005f60e31f0e7d00af3d17de5acd646bebd806ef16a61b111c0d3aa7303578c2b743c646509
+  data.tar.gz: 74489fbf35da911d31a85f69737e9ac4aecb10d1cc05394041e0b5f24b323266d64e80481dcd4f8a3064b9d5e7c5ba10b2aa059b4d81eb5c13a459e1843ac3ab

data/HISTORY.md

@@ -1,3 +1,23 @@
+Sun Dec 4 18:48:03 2015  Jeremy Daer <jeremydaer@gmail.com>
+
+	* First-party "SameSite" cookies. Browsers omit SameSite cookies
+	from third-party requests, closing the door on many CSRF attacks.
+
+	Pass `same_site: true` (or `:strict`) to enable:
+	    response.set_cookie 'foo', value: 'bar', same_site: true
+	or `same_site: :lax` to use Lax enforcement:
+	    response.set_cookie 'foo', value: 'bar', same_site: :lax
+
+	Based on version 7 of the Same-site Cookies internet draft:
+	https://tools.ietf.org/html/draft-west-first-party-cookies-07
+
+	Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
+	updating to drafts 5 and 7.
+
+Wed Jun 24 12:13:37 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* Fix Ruby 1.8 backwards compatibility
+
 Fri Jun 19 07:14:50 2015  Matthew Draper <matthew@trebex.net>
 
 	* Work around a Rails incompatibility in our private API

data/lib/rack.rb

@@ -20,7 +20,7 @@ module Rack
 
   # Return the Rack release as a dotted string.
   def self.release
-    "1.6.4"
+    "1.6.5"
   end
   PATH_INFO      = 'PATH_INFO'.freeze
   REQUEST_METHOD = 'REQUEST_METHOD'.freeze

data/lib/rack/handler.rb

@@ -19,13 +19,25 @@ module Rack
       if klass = @handlers[server]
         klass.split("::").inject(Object) { |o, x| o.const_get(x) }
       else
-        const_get(server, false)
+        _const_get(server, false)
       end
 
     rescue NameError => name_error
       raise load_error || name_error
     end
 
+    begin
+      ::Object.const_get("Object", false)
+      def self._const_get(str, inherit = true)
+        const_get(str, inherit)
+      end
+    rescue
+      def self._const_get(str, inherit = true)
+        const_get(str)
+      end
+    end
+
+
     # Select first available Rack handler given an `Array` of server names.
     # Raises `LoadError` if no handler was found.
     #

data/lib/rack/reloader.rb

@@ -26,6 +26,7 @@ module Rack
       @last = (Time.now - cooldown)
       @cache = {}
       @mtimes = {}
+      @reload_mutex = Mutex.new
 
       extend backend
     end
@@ -33,7 +34,7 @@ module Rack
     def call(env)
       if @cooldown and Time.now > @last + @cooldown
         if Thread.list.size > 1
-          Thread.exclusive{ reload! }
+          @reload_mutex.synchronize{ reload! }
         else
           reload!
         end

data/lib/rack/utils.rb

@@ -311,12 +311,23 @@ module Rack
           rfc2822(value[:expires].clone.gmtime) if value[:expires]
         secure = "; secure"  if value[:secure]
         httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
+        same_site =
+          case value[:same_site]
+          when false, nil
+            nil
+          when :lax, 'Lax', :Lax
+            '; SameSite=Lax'.freeze
+          when true, :strict, 'Strict', :Strict
+            '; SameSite=Strict'.freeze
+          else
+            raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}"
+          end
         value = value[:value]
       end
       value = [value] unless Array === value
       cookie = escape(key) + "=" +
         value.map { |v| escape v }.join("&") +
-        "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}"
+        "#{domain}#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
 
       case header["Set-Cookie"]
       when nil, ''

data/rack.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = "rack"
-  s.version         = "1.6.4"
+  s.version         = "1.6.5"
   s.platform        = Gem::Platform::RUBY
   s.summary         = "a modular Ruby webserver interface"
   s.license         = "MIT"

data/test/spec_handler.rb

@@ -23,10 +23,19 @@ describe Rack::Handler do
     lambda {
       Rack::Handler.get('boom')
     }.should.raise(LoadError)
+  end
 
-    lambda {
-      Rack::Handler.get('Object')
-    }.should.raise(LoadError)
+  should "raise LoadError if handler isn't nested under Rack::Handler" do
+    # Feature-detect whether Ruby can do non-inherited const lookups.
+    # If it can't, then Rack::Handler may lookup non-handler toplevel
+    # constants, so the best we can do is no-op here and not test it.
+    begin
+      Rack::Handler._const_get('Object', false)
+    rescue NameError
+      lambda {
+        Rack::Handler.get('Object')
+      }.should.raise(LoadError)
+    end
   end
 
   should "get unregistered, but already required, handler by name" do

data/test/spec_response.rb

@@ -97,6 +97,70 @@ describe Rack::Response do
     response["Set-Cookie"].should.equal "foo=bar"
   end
 
+  it "can set SameSite cookies with symbol value :lax" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :lax}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax"
+  end
+
+  it "can set SameSite cookies with symbol value :Lax" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :lax}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax"
+  end
+
+  it "can set SameSite cookies with string value 'Lax'" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => "Lax"}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Lax"
+  end
+
+  it "can set SameSite cookies with boolean value true" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => true}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+  end
+
+  it "can set SameSite cookies with symbol value :strict" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :strict}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+  end
+
+  it "can set SameSite cookies with symbol value :Strict" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :Strict}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+  end
+
+  it "can set SameSite cookies with string value 'Strict'" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => "Strict"}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+  end
+
+  it "validates the SameSite option value" do
+    response = Rack::Response.new
+    lambda {
+      response.set_cookie "foo", {:value => "bar", :same_site => "Foo"}
+    }.should.raise(ArgumentError).
+      message.should.match(/Invalid SameSite value: "Foo"/)
+  end
+
+  it "can set SameSite cookies with symbol value" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :Strict}
+    response["Set-Cookie"].should.equal "foo=bar; SameSite=Strict"
+  end
+
+  [ nil, false ].each do |non_truthy|
+    it "omits SameSite attribute given a #{non_truthy.inspect} value" do
+      response = Rack::Response.new
+      response.set_cookie "foo", {:value => "bar", :same_site => non_truthy}
+      response["Set-Cookie"].should.equal "foo=bar"
+    end
+  end
+
   it "can delete cookies" do
     response = Rack::Response.new
     response.set_cookie "foo", "bar"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 1.6.4
+  version: 1.6.5
 platform: ruby
 authors:
 - Christian Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-18 00:00:00.000000000 Z
+date: 2016-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bacon
@@ -148,7 +148,6 @@ files:
 - test/cgi/assets/javascripts/app.js
 - test/cgi/assets/stylesheets/app.css
 - test/cgi/lighttpd.conf
-- test/cgi/lighttpd.errors
 - test/cgi/rackup_stub.rb
 - test/cgi/sample_rackup.ru
 - test/cgi/test
@@ -256,7 +255,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rack
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: a modular Ruby webserver interface
@@ -310,3 +309,4 @@ test_files:
 - test/spec_utils.rb
 - test/spec_version.rb
 - test/spec_webrick.rb
+has_rdoc: 

data/test/cgi/lighttpd.errors

@@ -1 +0,0 @@
-2015-06-16 14:11:43: (log.c.164) server started