rack 2.0.0.alpha → 2.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cc63040ab20caf8e900b85fe57f9be6eca73d858
-  data.tar.gz: c8422fc04a12b1dadaeeb49956ab23a583589351
+  metadata.gz: 54be55d492853c85486a9d94bfa3122be91a375c
+  data.tar.gz: b1f919ccb928bf607b66efb2dc494d350c4e67f8
 SHA512:
-  metadata.gz: 224fc13672ae42e6d296ddb1b70fd8dd0f1ba29dc5780c97780593217e9790444bd2f40a30f952fd1620289ebe98d932cc25ffd833a258aa24be77e70d7ed8ce
-  data.tar.gz: 102bccf930b6d7fa4b495f7f73973281770c2e69dc76bde3a1cc9f926c6d11495d136a51c46a3001793a1cc115bc9f04c74139bcdc653ffa56252d15a759b414
+  metadata.gz: 969ed8dd45442d71e9448dcc7951d997429cbe3a8857694c76cd0c8137ea22ba831f54dc1c24d65f2f2b35ce44c4a1d43bba182b98d93d86fc5917a671cc1486
+  data.tar.gz: cf0ede4ad49a3e2bb23f0136532c32d6fb799b5cb050bffa909727478bf1cca6c6d7704f574cb9a9c9e657e7b5f6430e5e1e8485ac1c747d5d6a14a8d4b81a2d

data/COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2007-2015 Christian Neukirchen <purl.org/net/chneukirchen>
+Copyright (c) 2007-2016 Christian Neukirchen <purl.org/net/chneukirchen>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/HISTORY.md

@@ -1,9 +1,18 @@
 Sun Dec 4 18:48:03 2015  Jeremy Daer <jeremydaer@gmail.com>
 
-	* "First-Party" cookies. Browsers omit First-Party cookies from
-	third-party requests, closing the door on many common CSRF attacks.
-	Pass `first_party: true` to enable:
-	    response.set_cookie 'foo', value: 'bar', first_party: true
+	* First-party "SameSite" cookies. Browsers omit SameSite cookies
+	from third-party requests, closing the door on many CSRF attacks.
+
+	Pass `same_site: true` (or `:strict`) to enable:
+	    response.set_cookie 'foo', value: 'bar', same_site: true
+	or `same_site: :lax` to use Lax enforcement:
+	    response.set_cookie 'foo', value: 'bar', same_site: :lax
+
+	Based on version 7 of the Same-site Cookies internet draft:
+	https://tools.ietf.org/html/draft-west-first-party-cookies-07
+
+	Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
+	updating to drafts 5 and 7.
 
 Tue Nov  3 16:17:26 2015  Aaron Patterson <tenderlove@ruby-lang.org>
 

data/example/protectedlobster.rb

@@ -4,7 +4,7 @@ require 'rack/lobster'
 lobster = Rack::Lobster.new
 
 protected_lobster = Rack::Auth::Basic.new(lobster) do |username, password|
-  'secret' == password
+  Rack::Utils.secure_compare('secret', password)
 end
 
 protected_lobster.realm = 'Lobster 2.0'

data/example/protectedlobster.ru

@@ -2,7 +2,7 @@ require 'rack/lobster'
 
 use Rack::ShowExceptions
 use Rack::Auth::Basic, "Lobster 2.0" do |username, password|
-  'secret' == password
+  Rack::Utils.secure_compare('secret', password)
 end
 
 run Rack::Lobster.new

data/lib/rack.rb

@@ -18,7 +18,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.0.0.alpha"
+  RELEASE = "2.0.0.rc1"
 
   # Return the Rack release as a dotted string.
   def self.release

data/lib/rack/auth/digest/params.rb

@@ -17,7 +17,7 @@ module Rack
         end
 
         def self.split_header_value(str)
-          str.scan( /(\w+\=(?:"[^\"]+"|[^,]+))/n ).collect{ |v| v[0] }
+          str.scan(/\w+\=(?:"[^\"]+"|[^,]+)/n)
         end
 
         def initialize
@@ -38,7 +38,7 @@ module Rack
 
         def to_s
           map do |k, v|
-            "#{k}=" + (UNQUOTED.include?(k) ? v.to_s : quote(v))
+            "#{k}=" << (UNQUOTED.include?(k) ? v.to_s : quote(v))
           end.join(', ')
         end
 
@@ -50,4 +50,3 @@ module Rack
     end
   end
 end
-

data/lib/rack/common_logger.rb

@@ -48,7 +48,7 @@ module Rack
         now.strftime("%d/%b/%Y:%H:%M:%S %z"),
         env[REQUEST_METHOD],
         env[PATH_INFO],
-        env[QUERY_STRING].empty? ? "" : "?"+env[QUERY_STRING],
+        env[QUERY_STRING].empty? ? "" : "?#{env[QUERY_STRING]}",
         env[HTTP_VERSION],
         status.to_s[0..3],
         length,

data/lib/rack/directory.rb

@@ -59,13 +59,21 @@ table { width:100%%; }
     def initialize(root, app=nil)
       @root = ::File.expand_path(root)
       @app = app || Rack::File.new(@root)
+      @head = Rack::Head.new(lambda { |env| get env })
     end
 
     def call(env)
+      # strip body if this is a HEAD call
+      @head.call env
+    end
+
+    def get(env)
       script_name = env[SCRIPT_NAME]
       path_info = Utils.unescape_path(env[PATH_INFO])
 
-      if forbidden = check_forbidden(path_info)
+      if bad_request = check_bad_request(path_info)
+        bad_request
+      elsif forbidden = check_forbidden(path_info)
         forbidden
       else
         path = ::File.join(@root, path_info)
@@ -73,6 +81,16 @@ table { width:100%%; }
       end
     end
 
+    def check_bad_request(path_info)
+      return if Utils.valid_path?(path_info)
+
+      body = "Bad Request\n"
+      size = body.bytesize
+      return [400, {CONTENT_TYPE => "text/plain",
+        CONTENT_LENGTH => size.to_s,
+        "X-Cascade" => "pass"}, [body]]
+    end
+
     def check_forbidden(path_info)
       return unless path_info.include? ".."
 
@@ -155,7 +173,7 @@ table { width:100%%; }
         return format % (int.to_f / size) if int >= size
       end
 
-      int.to_s + 'B'
+      "#{int}B"
     end
   end
 end

data/lib/rack/etag.rb

@@ -65,10 +65,10 @@ module Rack
 
         body.each do |part|
           parts << part
-          (digest ||= Digest::MD5.new) << part unless part.empty?
+          (digest ||= Digest::SHA256.new) << part unless part.empty?
         end
 
-        [digest && digest.hexdigest, parts]
+        [digest && digest.hexdigest.byteslice(0, 32), parts]
       end
   end
 end

data/lib/rack/file.rb

@@ -2,6 +2,7 @@ require 'time'
 require 'rack/utils'
 require 'rack/mime'
 require 'rack/request'
+require 'rack/head'
 
 module Rack
   # Rack::File serves files below the +root+ directory given, according to the
@@ -22,17 +23,24 @@ module Rack
       @root = root
       @headers = headers
       @default_mime = default_mime
+      @head = Rack::Head.new(lambda { |env| get env })
     end
 
     def call(env)
+      # HEAD requests drop the response body, including 4xx error messages.
+      @head.call env
+    end
+
+    def get(env)
       request = Rack::Request.new env
       unless ALLOWED_VERBS.include? request.request_method
         return fail(405, "Method Not Allowed", {'Allow' => ALLOW_HEADER})
       end
 
       path_info = Utils.unescape_path request.path_info
-      clean_path_info = Utils.clean_path_info(path_info)
+      return fail(400, "Bad Request") unless Utils.valid_path?(path_info)
 
+      clean_path_info = Utils.clean_path_info(path_info)
       path = ::File.join(@root, clean_path_info)
 
       available = begin
@@ -131,6 +139,7 @@ module Rack
 
     def fail(status, body, headers = {})
       body += "\n"
+
       [
         status,
         {

data/lib/rack/handler.rb

@@ -52,7 +52,7 @@ module Rack
       elsif ENV.include?("RACK_HANDLER")
         self.get(ENV["RACK_HANDLER"])
       else
-        pick ['thin', 'puma', 'webrick']
+        pick ['puma', 'thin', 'webrick']
       end
     end
 

data/lib/rack/mock.rb

@@ -128,7 +128,7 @@ module Rack
         end
       end
 
-      empty_str = ''.force_encoding(Encoding::ASCII_8BIT)
+      empty_str = String.new.force_encoding(Encoding::ASCII_8BIT)
       opts[:input] ||= empty_str
       if String === opts[:input]
         rack_input = StringIO.new(opts[:input])

data/lib/rack/multipart/generator.rb

@@ -22,7 +22,7 @@ module Rack
           else
             content_for_other(file, name)
           end
-        end.join + "--#{MULTIPART_BOUNDARY}--\r"
+        end.join << "--#{MULTIPART_BOUNDARY}--\r"
       end
 
       private

data/lib/rack/multipart/parser.rb

@@ -26,7 +26,7 @@ module Rack
           str = if left < size
                   @io.read left
                 else
-                 @io.read size
+                  @io.read size
                 end
 
           if str
@@ -100,8 +100,6 @@ module Rack
               # Generic multipart cases, not coming from a form
               data = {:type => content_type,
                       :name => name, :tempfile => body, :head => head}
-            elsif !filename && data.empty?
-              return
             end
 
             yield data
@@ -347,6 +345,7 @@ module Rack
               k,v = param.split('=', 2)
               k.strip!
               v.strip!
+              v = v[1..-2] if v[0] == '"' && v[-1] == '"'
               encoding = Encoding.find v if k == CHARSET
             end
           end

data/lib/rack/query_parser.rb

@@ -79,16 +79,22 @@ module Rack
       raise RangeError if depth <= 0
 
       name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
-      k = $1 || ''
-      after = $' || ''
+      k = $1 || ''.freeze
+      after = $' || ''.freeze
 
-      return if k.empty?
+      if k.empty?
+        if !v.nil? && name == "[]".freeze
+          return Array(v)
+        else
+          return
+        end
+      end
 
-      if after == ""
+      if after == ''.freeze
         params[k] = v
-      elsif after == "["
+      elsif after == "[".freeze
         params[name] = v
-      elsif after == "[]"
+      elsif after == "[]".freeze
         params[k] ||= []
         raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
         params[k] << v
@@ -96,7 +102,8 @@ module Rack
         child_key = $1
         params[k] ||= []
         raise ParameterTypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
-        if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
+        first_key = child_key.gsub(/[\[\]]/, ' ').split.first
+        if params_hash_type?(params[k].last) && !params[k].last.key?(first_key)
           normalize_params(params[k].last, child_key, v, depth - 1)
         else
           params[k] << normalize_params(make_params, child_key, v, depth - 1)
@@ -107,7 +114,7 @@ module Rack
         params[k] = normalize_params(params[k], after, v, depth - 1)
       end
 
-      return params
+      params
     end
 
     def make_params

data/lib/rack/reloader.rb

@@ -26,6 +26,7 @@ module Rack
       @last = (Time.now - cooldown)
       @cache = {}
       @mtimes = {}
+      @reload_mutex = Mutex.new
 
       extend backend
     end
@@ -33,7 +34,7 @@ module Rack
     def call(env)
       if @cooldown and Time.now > @last + @cooldown
         if Thread.list.size > 1
-          Thread.exclusive{ reload! }
+          @reload_mutex.synchronize{ reload! }
         else
           reload!
         end

data/lib/rack/request.rb

@@ -16,23 +16,6 @@ module Rack
       super(env)
     end
 
-    # shortcut for <tt>request.params[key]</tt>
-    def [](key)
-      params[key.to_s]
-    end
-
-    # shortcut for <tt>request.params[key] = value</tt>
-    #
-    # Note that modifications will not be persisted in the env. Use update_param or delete_param if you want to destructively modify params.
-    def []=(key, value)
-      params[key.to_s] = value
-    end
-
-    # like Hash#values_at
-    def values_at(*keys)
-      keys.map{|key| params[key] }
-    end
-
     def params
       @params ||= super
     end
@@ -160,7 +143,7 @@ module Rack
 
       def session
         fetch_header(RACK_SESSION) do |k|
-          set_header RACK_SESSION, {}
+          set_header RACK_SESSION, default_session
         end
       end
 
@@ -437,8 +420,35 @@ module Rack
         ip =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
       end
 
+      # shortcut for <tt>request.params[key]</tt>
+      def [](key)
+        if $verbose
+          warn("Request#[] is deprecated and will be removed in a future version of Rack. Please use request.params[] instead")
+        end
+
+        params[key.to_s]
+      end
+
+      # shortcut for <tt>request.params[key] = value</tt>
+      #
+      # Note that modifications will not be persisted in the env. Use update_param or delete_param if you want to destructively modify params.
+      def []=(key, value)
+        if $verbose
+          warn("Request#[]= is deprecated and will be removed in a future version of Rack. Please use request.params[]= instead")
+        end
+
+        params[key.to_s] = value
+      end
+
+      # like Hash#values_at
+      def values_at(*keys)
+        keys.map { |key| params[key] }
+      end
+
       private
 
+      def default_session; {}; end
+
       def parse_http_accept_header(header)
         header.to_s.split(/\s*,\s*/).map do |part|
           attribute, parameters = part.split(/\s*;\s*/, 2)

data/lib/rack/session/abstract/id.rb

@@ -124,10 +124,12 @@ module Rack
         end
 
         def keys
+          load_for_read!
           @data.keys
         end
 
         def values
+          load_for_read!
           @data.values
         end
 

data/lib/rack/static.rb

@@ -93,7 +93,7 @@ module Rack
       # HTTP Headers
       @header_rules = options[:header_rules] || []
       # Allow for legacy :cache_control option while prioritizing global header_rules setting
-      @header_rules.insert(0, [:all, {CACHE_CONTROL => options[:cache_control]}]) if options[:cache_control]
+      @header_rules.unshift([:all, {CACHE_CONTROL => options[:cache_control]}]) if options[:cache_control]
 
       @file_server = Rack::File.new(root)
     end

data/lib/rack/urlmap.rb

@@ -47,11 +47,13 @@ module Rack
       server_name = env[SERVER_NAME]
       server_port = env[SERVER_PORT]
 
+      is_same_server = casecmp?(http_host, server_name) ||
+                       casecmp?(http_host, "#{server_name}:#{server_port}")
+
       @mapping.each do |host, location, match, app|
         unless casecmp?(http_host, host) \
             || casecmp?(server_name, host) \
-            || (!host && (casecmp?(http_host, server_name) ||
-                          casecmp?(http_host, "#{server_name}:#{server_port}")))
+            || (!host && is_same_server)
           next
         end
 

data/lib/rack/utils.rb

@@ -248,13 +248,23 @@ module Rack
           rfc2822(value[:expires].clone.gmtime) if value[:expires]
         secure = "; secure"  if value[:secure]
         httponly = "; HttpOnly" if (value.key?(:httponly) ? value[:httponly] : value[:http_only])
-        first_party = "; First-Party" if value[:first_party]
+        same_site =
+          case value[:same_site]
+          when false, nil
+            nil
+          when :lax, 'Lax', :Lax
+            '; SameSite=Lax'.freeze
+          when true, :strict, 'Strict', :Strict
+            '; SameSite=Strict'.freeze
+          else
+            raise ArgumentError, "Invalid SameSite value: #{value[:same_site].inspect}"
+          end
         value = value[:value]
       end
       value = [value] unless Array === value
 
       cookie = "#{escape(key)}=#{value.map { |v| escape v }.join('&')}#{domain}" \
-        "#{path}#{max_age}#{expires}#{secure}#{httponly}#{first_party}"
+        "#{path}#{max_age}#{expires}#{secure}#{httponly}#{same_site}"
 
       case header
       when nil, ''
@@ -551,6 +561,7 @@ module Rack
       428 => 'Precondition Required',
       429 => 'Too Many Requests',
       431 => 'Request Header Fields Too Large',
+      451 => 'Unavailable for Legal Reasons',
       500 => 'Internal Server Error',
       501 => 'Not Implemented',
       502 => 'Bad Gateway',
@@ -598,5 +609,12 @@ module Rack
     end
     module_function :clean_path_info
 
+    NULL_BYTE = "\0".freeze
+
+    def valid_path?(path)
+      path.valid_encoding? && !path.include?(NULL_BYTE)
+    end
+    module_function :valid_path?
+
   end
 end

data/test/cgi/lighttpd.errors

@@ -0,0 +1,8 @@
+2016-05-04 12:00:25: (log.c.164) server started 
+2016-05-04 12:00:35: (server.c.1558) server stopped by UID = 502 PID = 80374 
+2016-05-04 12:13:42: (log.c.164) server started 
+2016-05-04 12:13:51: (server.c.1558) server stopped by UID = 502 PID = 82209 
+2016-05-04 12:16:30: (log.c.164) server started 
+2016-05-04 12:16:39: (server.c.1558) server stopped by UID = 502 PID = 82523 
+2016-05-04 12:18:17: (log.c.164) server started 
+2016-05-04 12:18:26: (server.c.1558) server stopped by UID = 502 PID = 82745 

data/test/helper.rb

@@ -2,7 +2,10 @@ require 'minitest/autorun'
 
 module Rack
   class TestCase < Minitest::Test
-    if `which lighttpd` && !$?.success?
+    # Check for Lighttpd and launch it for tests if available.
+    `which lighttpd`
+
+    if $?.success?
       begin
         # Keep this first.
         LIGHTTPD_PID = fork {

data/test/multipart/unity3d_wwwform

@@ -0,0 +1,11 @@
+--AaB03x
+Content-Type: text/plain; charset="utf-8"
+Content-disposition: form-data; name="user_sid"
+
+bbf14f82-d2aa-4c07-9fb8-ca6714a7ea97
+--AaB03x
+Content-Type: image/png; charset=UTF-8
+Content-disposition: form-data; name="file";
+filename="b67879ed-bfed-4491-a8cc-f99cca769f94.png"
+
+--AaB03x

data/test/spec_directory.rb

@@ -63,6 +63,13 @@ describe Rack::Directory do
     assert_match(res, /passed!/)
   end
 
+  it "serve uri with URL encoded null byte (%00) in filenames" do
+    res = Rack::MockRequest.new(Rack::Lint.new(app))
+      .get("/cgi/test%00")
+
+    res.must_be :bad_request?
+  end
+
   it "not allow directory traversal" do
     res = Rack::MockRequest.new(Rack::Lint.new(app)).
       get("/cgi/../test")
@@ -130,4 +137,12 @@ describe Rack::Directory do
     res = mr.get("/script-path/cgi/test+directory/test+file")
     res.must_be :ok?
   end
+
+  it "return error when file not found for head request" do
+    res = Rack::MockRequest.new(Rack::Lint.new(app)).
+      head("/cgi/missing")
+
+    res.must_be :not_found?
+    res.body.must_be :empty?
+  end
 end

data/test/spec_etag.rb

@@ -22,13 +22,13 @@ describe Rack::ETag do
   it "set ETag if none is set if status is 200" do
     app = lambda { |env| [200, {'Content-Type' => 'text/plain'}, ["Hello, World!"]] }
     response = etag(app).call(request)
-    response[1]['ETag'].must_equal "W/\"65a8e27d8879283831b664bd8b7f0ad4\""
+    response[1]['ETag'].must_equal "W/\"dffd6021bb2bd5b0af676290809ec3a5\""
   end
 
   it "set ETag if none is set if status is 201" do
     app = lambda { |env| [201, {'Content-Type' => 'text/plain'}, ["Hello, World!"]] }
     response = etag(app).call(request)
-    response[1]['ETag'].must_equal "W/\"65a8e27d8879283831b664bd8b7f0ad4\""
+    response[1]['ETag'].must_equal "W/\"dffd6021bb2bd5b0af676290809ec3a5\""
   end
 
   it "set Cache-Control to 'max-age=0, private, must-revalidate' (default) if none is set" do

data/test/spec_file.rb

@@ -68,6 +68,11 @@ describe Rack::File do
     assert_match(res, /ruby/)
   end
 
+  it "serve uri with URL encoded null byte (%00) in filenames" do
+    res = Rack::MockRequest.new(file(DOCROOT)).get("/cgi/test%00")
+    res.must_be :bad_request?
+  end
+
   it "allow safe directory traversal" do
     req = Rack::MockRequest.new(file(DOCROOT))
 
@@ -237,4 +242,10 @@ describe Rack::File do
     res['Content-Type'].must_equal nil
   end
 
+  it "return error when file not found for head request" do
+    res = Rack::MockRequest.new(file(DOCROOT)).head("/cgi/missing")
+    res.must_be :not_found?
+    res.body.must_be :empty?
+  end
+
 end

data/test/spec_multipart.rb

@@ -72,6 +72,13 @@ describe Rack::Multipart do
     end
   end
 
+  it "handles quoted encodings" do
+    # See #905
+    env = Rack::MockRequest.env_for("/", multipart_fixture(:unity3d_wwwform))
+    params = Rack::Multipart.parse_multipart(env)
+    params['user_sid'].encoding.must_equal Encoding::UTF_8
+  end
+
   it "raise RangeError if the key space is exhausted" do
     env = Rack::MockRequest.env_for("/", multipart_fixture(:content_type_and_no_filename))
 
@@ -88,6 +95,7 @@ describe Rack::Multipart do
     env['CONTENT_TYPE'] = "multipart/form-data; boundary=----WebKitFormBoundaryWLHCs9qmcJJoyjKR"
     params = Rack::Multipart.parse_multipart(env)
     params['profile']['bio'].must_include 'hello'
+    params['profile'].keys.must_include 'public_email'
   end
 
   it "reject insanely long boundaries" do

data/test/spec_request.rb

@@ -1305,6 +1305,11 @@ EOF
     req.trusted_proxy?("2001:470:1f0b:18f8::1").must_equal nil
   end
 
+  it "sets the default session to an empty hash" do
+    req = make_request(Rack::MockRequest.env_for("http://example.com:8080/"))
+    assert_equal Hash.new, req.session
+  end
+
   class MyRequest < Rack::Request
     def params
       {:foo => "bar"}

data/test/spec_response.rb

@@ -115,16 +115,66 @@ describe Rack::Response do
     response["Set-Cookie"].must_equal "foo=bar"
   end
 
-  it "can set First-Party cookies" do
+  it "can set SameSite cookies with symbol value :lax" do
     response = Rack::Response.new
-    response.set_cookie "foo", {:value => "bar", :first_party => true}
-    response["Set-Cookie"].must_equal "foo=bar; First-Party"
+    response.set_cookie "foo", {:value => "bar", :same_site => :lax}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Lax"
+  end
+
+  it "can set SameSite cookies with symbol value :Lax" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :lax}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Lax"
+  end
+
+  it "can set SameSite cookies with string value 'Lax'" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => "Lax"}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Lax"
+  end
+
+  it "can set SameSite cookies with boolean value true" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => true}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict"
+  end
+
+  it "can set SameSite cookies with symbol value :strict" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :strict}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict"
+  end
+
+  it "can set SameSite cookies with symbol value :Strict" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :Strict}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict"
+  end
+
+  it "can set SameSite cookies with string value 'Strict'" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => "Strict"}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict"
+  end
+
+  it "validates the SameSite option value" do
+    response = Rack::Response.new
+    lambda {
+      response.set_cookie "foo", {:value => "bar", :same_site => "Foo"}
+    }.must_raise(ArgumentError).
+      message.must_match(/Invalid SameSite value: "Foo"/)
+  end
+
+  it "can set SameSite cookies with symbol value" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :same_site => :Strict}
+    response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict"
   end
 
   [ nil, false ].each do |non_truthy|
-    it "omits First-Party attribute given a #{non_truthy.inspect} value" do
+    it "omits SameSite attribute given a #{non_truthy.inspect} value" do
       response = Rack::Response.new
-      response.set_cookie "foo", {:value => "bar", :first_party => non_truthy}
+      response.set_cookie "foo", {:value => "bar", :same_site => non_truthy}
       response["Set-Cookie"].must_equal "foo=bar"
     end
   end

data/test/spec_session_abstract_session_hash.rb

@@ -0,0 +1,28 @@
+require 'minitest/autorun'
+require 'rack/session/abstract/id'
+
+describe Rack::Session::Abstract::SessionHash do
+  attr_reader :hash
+
+  def setup
+    super
+    store = Class.new do
+      def load_session(req)
+        ["id", {foo: :bar, baz: :qux}]
+      end
+      def session_exists?(req)
+        true
+      end
+    end
+    @hash = Rack::Session::Abstract::SessionHash.new(store.new, nil)
+  end
+
+  it "returns keys" do
+    assert_equal ["foo", "baz"], hash.keys
+  end
+
+  it "returns values" do
+    assert_equal [:bar, :qux], hash.values
+  end
+
+end

data/test/spec_utils.rb

@@ -206,6 +206,14 @@ describe Rack::Utils do
     Rack::Utils.parse_nested_query("x[y][][z]=1&x[y][][w]=a&x[y][][z]=2&x[y][][w]=3").
       must_equal "x" => {"y" => [{"z" => "1", "w" => "a"}, {"z" => "2", "w" => "3"}]}
 
+    Rack::Utils.parse_nested_query("x[][y]=1&x[][z][w]=a&x[][y]=2&x[][z][w]=b").
+      must_equal "x" => [{"y" => "1", "z" => {"w" => "a"}}, {"y" => "2", "z" => {"w" => "b"}}]
+    Rack::Utils.parse_nested_query("x[][z][w]=a&x[][y]=1&x[][z][w]=b&x[][y]=2").
+      must_equal "x" => [{"y" => "1", "z" => {"w" => "a"}}, {"y" => "2", "z" => {"w" => "b"}}]
+
+    Rack::Utils.parse_nested_query("data[books][][data][page]=1&data[books][][data][page]=2").
+      must_equal "data" => { "books" => [{ "data" => { "page" => "1"}}, { "data" => { "page" => "2"}}] }
+
     lambda { Rack::Utils.parse_nested_query("x[y]=1&x[y]z=2") }.
       must_raise(Rack::Utils::ParameterTypeError).
       message.must_equal "expected Hash (got String) for param `y'"
@@ -300,13 +308,15 @@ describe Rack::Utils do
       must_equal 'x[y][][z]=1&x[y][][z]=2'
     Rack::Utils.build_nested_query('x' => { 'y' => [{ 'z' => '1', 'w' => 'a' }, { 'z' => '2', 'w' => '3' }] }).
       must_equal 'x[y][][z]=1&x[y][][w]=a&x[y][][z]=2&x[y][][w]=3'
+    Rack::Utils.build_nested_query({"foo" => ["1", ["2"]]}).
+      must_equal 'foo[]=1&foo[][]=2'
 
     lambda { Rack::Utils.build_nested_query("foo=bar") }.
       must_raise(ArgumentError).
       message.must_equal "value must be a Hash"
   end
 
-  should 'perform the inverse function of #parse_nested_query' do
+  it 'performs the inverse function of #parse_nested_query' do
     [{"foo" => nil, "bar" => ""},
       {"foo" => "bar", "baz" => ""},
       {"foo" => ["1", "2"]},
@@ -323,7 +333,8 @@ describe Rack::Utils do
       {"x" => {"y" => [{"v" => {"w" => "1"}}]}},
       {"x" => {"y" => [{"z" => "1", "v" => {"w" => "2"}}]}},
       {"x" => {"y" => [{"z" => "1"}, {"z" => "2"}]}},
-      {"x" => {"y" => [{"z" => "1", "w" => "a"}, {"z" => "2", "w" => "3"}]}}
+      {"x" => {"y" => [{"z" => "1", "w" => "a"}, {"z" => "2", "w" => "3"}]}},
+      {"foo" => ["1", ["2"]]},
     ].each { |params|
       qs = Rack::Utils.build_nested_query(params)
       Rack::Utils.parse_nested_query(qs).must_equal params

data/test/spec_webrick.rb

@@ -17,6 +17,19 @@ describe Rack::Handler::WEBrick do
     Rack::Lint.new(TestRequest.new)
   @thread = Thread.new { @server.start }
   trap(:INT) { @server.shutdown }
+  @status_thread = Thread.new do
+    seconds = 10
+    wait_time = 0.1
+    until is_running? || seconds <= 0
+      seconds -= wait_time
+      sleep wait_time
+    end
+    raise "Server never reached status 'Running'" unless is_running?
+  end
+  end
+
+  def is_running?
+    @server.status == :Running
   end
 
   it "respond" do
@@ -188,6 +201,7 @@ describe Rack::Handler::WEBrick do
   end
 
   after do
+  @status_thread.join
   @server.shutdown
   @thread.join
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.0.0.alpha
+  version: 2.0.0.rc1
 platform: ruby
 authors:
 - Christian Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-17 00:00:00.000000000 Z
+date: 2016-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -185,6 +185,7 @@ files:
 - test/cgi/assets/javascripts/app.js
 - test/cgi/assets/stylesheets/app.css
 - test/cgi/lighttpd.conf
+- test/cgi/lighttpd.errors
 - test/cgi/rackup_stub.rb
 - test/cgi/sample_rackup.ru
 - test/cgi/test
@@ -221,6 +222,7 @@ files:
 - test/multipart/semicolon
 - test/multipart/text
 - test/multipart/three_files_three_fields
+- test/multipart/unity3d_wwwform
 - test/multipart/webkit
 - test/rackup/config.ru
 - test/registering_handler/rack/handler/registering_myself.rb
@@ -262,6 +264,7 @@ files:
 - test/spec_sendfile.rb
 - test/spec_server.rb
 - test/spec_session_abstract_id.rb
+- test/spec_session_abstract_session_hash.rb
 - test/spec_session_cookie.rb
 - test/spec_session_memcache.rb
 - test/spec_session_pool.rb
@@ -300,7 +303,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.4
 signing_key: 
 specification_version: 4
 summary: a modular Ruby webserver interface
@@ -343,6 +346,7 @@ test_files:
 - test/spec_sendfile.rb
 - test/spec_server.rb
 - test/spec_session_abstract_id.rb
+- test/spec_session_abstract_session_hash.rb
 - test/spec_session_cookie.rb
 - test/spec_session_memcache.rb
 - test/spec_session_pool.rb