rack 2.0.5 → 2.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 67795fcdb4d1f94c31a5d36ab7d5c617132674e9
-  data.tar.gz: 28f1d6b5f728c8b766752a023b5c7c2c0b6014f6
+SHA256:
+  metadata.gz: c26f21f48fd630f4f95eead2d2845f51c160bcd084824b305d81d95bad08b6d9
+  data.tar.gz: 312598a6017f9dd516214a2390f828008e6f30a6f6b4acc570c79133b975c8a4
 SHA512:
-  metadata.gz: 13a96a15f60371cbfc1986593a92f099f14eefbfcc6d8833f7bd124ef87797f4f2ea443e5c35aeec1486c73cee4511098544d79b4e9d24f3b44a53f20cac13a3
-  data.tar.gz: 9cf9fda3a38fdc8bad2e5be1110b2f13c40a1999d6a9c8ea07f61b76b330f6d5f9cbee96bc751c5b54dc0c0376fbc1aa360f60240c7bd103b2ce2f6d725dd2bf
+  metadata.gz: bf760ff4d0077492ddd2760a8b9d9a16a45560dd55612c29b31331ce70f0308defa5edacbcd74bac2a8f0fb26a41330ff3bb995cc6367822deea2246c474e7aa
+  data.tar.gz: d4e666fcdbdc9c09b6175b4b3ec96f20f1638c12133ebc2666428be6cb98d54097ef8a4351e92f9ba9637ed7b0bc64ea45b755081ae07f24264bbb6ecd10c270

data/SPEC

@@ -60,8 +60,8 @@ below.
                            the presence or absence of the
                            appropriate HTTP header in the
                            request. See
-                           {https://tools.ietf.org/html/rfc3875#section-4.1.18
-                           RFC3875 section 4.1.18} for
+                           <a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
+                           RFC3875 section 4.1.18</a> for
                            specific behavior.
 In addition to this, the Rack environment must include these
 Rack-specific variables:
@@ -98,12 +98,13 @@ Rack-specific variables:
 Additional environment specifications have approved to
 standardized middleware APIs.  None of these are required to
 be implemented by the server.
-<tt>rack.session</tt>:: A hash like interface for storing request session data.
+<tt>rack.session</tt>:: A hash like interface for storing
+                        request session data.
                         The store must implement:
-                         store(key, value)         (aliased as []=);
-                         fetch(key, default = nil) (aliased as []);
-                         delete(key);
-                         clear;
+                        store(key, value)         (aliased as []=);
+                        fetch(key, default = nil) (aliased as []);
+                        delete(key);
+                        clear;
 <tt>rack.logger</tt>:: A common object interface for logging messages.
                        The object must implement:
                         info(message, &block)

data/lib/rack.rb

@@ -18,7 +18,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.0.5"
+  RELEASE = "2.0.6"
 
   # Return the Rack release as a dotted string.
   def self.release

data/lib/rack/multipart/parser.rb

@@ -5,7 +5,7 @@ module Rack
     class MultipartPartLimitError < Errno::EMFILE; end
 
     class Parser
-      BUFSIZE = 1_048_576
+      BUFSIZE = 16384
       TEXT_PLAIN = "text/plain"
       TEMPFILE_FACTORY = lambda { |filename, content_type|
         Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0".freeze, '%00'.freeze))])

data/lib/rack/request.rb

@@ -11,6 +11,8 @@ module Rack
   #   req.params["data"]
 
   class Request
+    SCHEME_WHITELIST = %w(https http).freeze
+
     def initialize(env)
       @params = nil
       super(env)
@@ -188,10 +190,8 @@ module Rack
           'https'
         elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
           'https'
-        elsif get_header(HTTP_X_FORWARDED_SCHEME)
-          get_header(HTTP_X_FORWARDED_SCHEME)
-        elsif get_header(HTTP_X_FORWARDED_PROTO)
-          get_header(HTTP_X_FORWARDED_PROTO).split(',')[0]
+        elsif forwarded_scheme
+          forwarded_scheme
         else
           get_header(RACK_URL_SCHEME)
         end
@@ -479,6 +479,19 @@ module Rack
       def reject_trusted_ip_addresses(ip_addresses)
         ip_addresses.reject { |ip| trusted_proxy?(ip) }
       end
+
+      def forwarded_scheme
+        scheme_headers = [
+          get_header(HTTP_X_FORWARDED_SCHEME),
+          get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
+        ]
+
+        scheme_headers.each do |header|
+          return header if SCHEME_WHITELIST.include?(header)
+        end
+
+        nil
+      end
     end
 
     include Env

data/lib/rack/show_exceptions.rb

@@ -46,7 +46,7 @@ module Rack
     end
 
     def prefers_plaintext?(env)
-      !accepts_html(env)
+      !accepts_html?(env)
     end
 
     def accepts_html?(env)

data/test/spec_request.rb

@@ -572,6 +572,11 @@ class RackRequestTest < Minitest::Spec
     request.must_be :ssl?
   end
 
+  it "prevents scheme abuse" do
+    request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
+    request.scheme.must_equal 'http'
+  end
+
   it "parse cookies" do
     req = make_request \
       Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")

data/test/spec_show_exceptions.rb

@@ -77,4 +77,17 @@ describe Rack::ShowExceptions do
     assert_match(res, /ShowExceptions/)
     assert_match(res, /unknown location/)
   end
+
+  it "knows to prefer plaintext for non-html" do
+    # We don't need an app for this
+    exc = Rack::ShowExceptions.new(nil)
+
+    [
+      [{ "HTTP_ACCEPT" => "text/plain" }, true],
+      [{ "HTTP_ACCEPT" => "text/foo" }, true],
+      [{ "HTTP_ACCEPT" => "text/html" }, false]
+    ].each do |env, expected|
+      assert_equal(expected, exc.prefers_plaintext?(env))
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.0.5
+  version: 2.0.6
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-23 00:00:00.000000000 Z
+date: 2018-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -275,59 +275,59 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: a modular Ruby webserver interface
 test_files:
-- test/spec_auth_basic.rb
-- test/spec_auth_digest.rb
-- test/spec_body_proxy.rb
-- test/spec_builder.rb
-- test/spec_cascade.rb
-- test/spec_cgi.rb
-- test/spec_chunked.rb
-- test/spec_common_logger.rb
-- test/spec_conditional_get.rb
-- test/spec_config.rb
-- test/spec_content_length.rb
-- test/spec_content_type.rb
+- test/spec_multipart.rb
 - test/spec_deflater.rb
-- test/spec_directory.rb
+- test/spec_static.rb
+- test/spec_session_cookie.rb
+- test/spec_session_pool.rb
 - test/spec_etag.rb
-- test/spec_events.rb
-- test/spec_fastcgi.rb
-- test/spec_file.rb
+- test/spec_version.rb
 - test/spec_handler.rb
-- test/spec_head.rb
-- test/spec_lint.rb
-- test/spec_lobster.rb
-- test/spec_lock.rb
-- test/spec_logger.rb
-- test/spec_media_type.rb
-- test/spec_method_override.rb
+- test/spec_thin.rb
+- test/spec_session_abstract_id.rb
 - test/spec_mime.rb
-- test/spec_mock.rb
-- test/spec_multipart.rb
-- test/spec_null_logger.rb
 - test/spec_recursive.rb
+- test/spec_null_logger.rb
+- test/spec_media_type.rb
+- test/spec_cgi.rb
+- test/spec_method_override.rb
+- test/spec_content_type.rb
+- test/spec_session_abstract_session_hash.rb
 - test/spec_request.rb
-- test/spec_response.rb
-- test/spec_rewindable_input.rb
+- test/spec_chunked.rb
+- test/spec_show_exceptions.rb
 - test/spec_runtime.rb
+- test/spec_fastcgi.rb
+- test/spec_common_logger.rb
+- test/spec_builder.rb
+- test/spec_config.rb
+- test/spec_utils.rb
 - test/spec_sendfile.rb
+- test/spec_lobster.rb
+- test/spec_lint.rb
+- test/spec_conditional_get.rb
+- test/spec_tempfile_reaper.rb
+- test/spec_mock.rb
 - test/spec_server.rb
-- test/spec_session_abstract_id.rb
-- test/spec_session_abstract_session_hash.rb
-- test/spec_session_cookie.rb
-- test/spec_session_memcache.rb
-- test/spec_session_pool.rb
-- test/spec_show_exceptions.rb
+- test/spec_directory.rb
+- test/spec_webrick.rb
+- test/spec_response.rb
+- test/spec_file.rb
 - test/spec_show_status.rb
-- test/spec_static.rb
-- test/spec_tempfile_reaper.rb
-- test/spec_thin.rb
+- test/spec_body_proxy.rb
+- test/spec_logger.rb
+- test/spec_auth_digest.rb
 - test/spec_urlmap.rb
-- test/spec_utils.rb
-- test/spec_version.rb
-- test/spec_webrick.rb
+- test/spec_events.rb
+- test/spec_cascade.rb
+- test/spec_auth_basic.rb
+- test/spec_head.rb
+- test/spec_lock.rb
+- test/spec_rewindable_input.rb
+- test/spec_session_memcache.rb
+- test/spec_content_length.rb