rack 2.2.0 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 254670a03e7cc510d771ec829f76fa1cb5bce59d49d03c421205df082241b194
-  data.tar.gz: d294990c60dddf408c10ac2b9428c874bdd7afc2d8b42f0f5925d4795b1a9301
+  metadata.gz: ecd99d8eb4cb36d36f656ff9f0d688f5e97cfc9c219ea61daf75cc11c5b213fe
+  data.tar.gz: d61d3ae82e127877da8629b4d8f36fb8007b51793589c864f9632aed55bdc5fd
 SHA512:
-  metadata.gz: 922bc679eebc40d637ea88a590aad735b52a9649cedc3ee1d62e613fc5d75b31aba3530bdc9460480d053351fceecf5e5eefd4cf7cbae1936169cd6dbbdb76a9
-  data.tar.gz: 057c262c478f831b927103dab5939f9872c47abca1d8296923326b4584942d8d432d92ecd10c4bc8d1213afcf7fab9c1a13a23fc9143a3751df88678f375d180
+  metadata.gz: 4e2b43fae3062393ce93b0a9624177551a5aca4cb537203a99245b37ad97417f7f4e5d593ace93068cda6b8cce5fb111496caf46af90ff4ab16082b1d6927bd0
+  data.tar.gz: 43f899d6905c51240e5b2ba429818a025596a0a7cdb7b447a3f2760c8af50999387d7f198e7a553befd82eb66784e16ad6cb8f6720e300904388fb07b6365917

data/CHANGELOG.md

@@ -2,7 +2,13 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## [2.2.1] - 2020-02-09
+
+### Fixed
+
+- Rework `Rack::Request#ip` to handle empty `forwarded_for`. ([#1577](https://github.com/rack/rack/pull/1577), [@ioquatix](https://github.com/ioquatix))
+
+## [2.2.0] - 2020-02-08
 
 ### SPEC Changes
 

data/SPEC.rdoc

@@ -42,18 +42,17 @@ below.
 <tt>QUERY_STRING</tt>:: The portion of the request URL that
                         follows the <tt>?</tt>, if any. May be
                         empty, but is always required!
-<tt>SERVER_NAME</tt>:: When combined with <tt>SCRIPT_NAME</tt> and
+<tt>SERVER_NAME</tt>, <tt>SERVER_PORT</tt>::
+                       When combined with <tt>SCRIPT_NAME</tt> and
                        <tt>PATH_INFO</tt>, these variables can be
                        used to complete the URL. Note, however,
                        that <tt>HTTP_HOST</tt>, if present,
                        should be used in preference to
                        <tt>SERVER_NAME</tt> for reconstructing
                        the request URL.
-                       <tt>SERVER_NAME</tt> can never be an empty
-                       string, and so is always required.
-<tt>SERVER_PORT</tt>:: An optional +Integer+ which is the port the
-                       server is running on. Should be specified if
-                       the server is running on a non-standard port.
+                       <tt>SERVER_NAME</tt> and <tt>SERVER_PORT</tt>
+                       can never be empty strings, and so
+                       are always required.
 <tt>HTTP_</tt> Variables:: Variables corresponding to the
                            client-supplied HTTP request
                            headers (i.e., variables whose
@@ -123,9 +122,6 @@ and should be prefixed uniquely.  The prefix rack.
 is reserved for use with the Rack core distribution and other
 accepted specifications and must not be used otherwise.
 
-The <tt>SERVER_PORT</tt> must be an Integer if set.
-The <tt>SERVER_NAME</tt> must be a valid authority as defined by RFC7540.
-The <tt>HTTP_HOST</tt> must be a valid authority as defined by RFC7540.
 The environment must not contain the keys
 <tt>HTTP_CONTENT_TYPE</tt> or <tt>HTTP_CONTENT_LENGTH</tt>
 (use the versions without <tt>HTTP_</tt>).

data/lib/rack/request.rb

@@ -352,16 +352,26 @@ module Rack
       end
 
       def ip
-        remote_addrs = split_header(get_header('REMOTE_ADDR'))
-        remote_addrs = reject_trusted_ip_addresses(remote_addrs)
+        remote_addresses = split_header(get_header('REMOTE_ADDR'))
+        external_addresses = reject_trusted_ip_addresses(remote_addresses)
 
-        if remote_addrs.any?
-          remote_addrs.first
-        else
-          forwarded_ips = self.forwarded_for
+        unless external_addresses.empty?
+          return external_addresses.first
+        end
 
-          reject_trusted_ip_addresses(forwarded_ips).last || forwarded_ips.first || get_header("REMOTE_ADDR")
+        if forwarded_for = self.forwarded_for
+          unless forwarded_for.empty?
+            # The forwarded for addresses are ordered: client, proxy1, proxy2.
+            # So we reject all the trusted addresses (proxy*) and return the
+            # last client. Or if we trust everyone, we just return the first
+            # address.
+            return reject_trusted_ip_addresses(forwarded_for).last || forwarded_for.first
+          end
         end
+
+        # If all the addresses are trusted, and we aren't forwarded, just return
+        # the first remote address, which represents the source of the request.
+        remote_addresses.first
       end
 
       # The media type (type/subtype) portion of the CONTENT_TYPE header

data/lib/rack/version.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.0"
+  RELEASE = "2.2.1"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.1
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-08 00:00:00.000000000 Z
+date: 2020-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -184,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: A modular Ruby webserver interface.