rest-client 1.6.14 → 2.0.2

data/Rakefile

@@ -1,38 +1,122 @@
-begin
-  # optionally load `rake build/install/release tasks'
-  require 'bundler/gem_tasks'
-rescue LoadError
+# load `rake build/install/release tasks'
+require 'bundler/setup'
+require_relative './lib/restclient/version'
+
+namespace :ruby do
+  Bundler::GemHelper.install_tasks(:name => 'rest-client')
 end
 
 require "rspec/core/rake_task"
 
 desc "Run all specs"
-task :spec => ["spec:unit", "spec:integration"]
+RSpec::Core::RakeTask.new('spec')
 
 desc "Run unit specs"
 RSpec::Core::RakeTask.new('spec:unit') do |t|
-  t.pattern = ['spec/*_spec.rb']
+  t.pattern = 'spec/unit/*_spec.rb'
 end
 
 desc "Run integration specs"
 RSpec::Core::RakeTask.new('spec:integration') do |t|
-  t.pattern = ['spec/integration/*_spec.rb']
+  t.pattern = 'spec/integration/*_spec.rb'
 end
 
 desc "Print specdocs"
 RSpec::Core::RakeTask.new(:doc) do |t|
   t.rspec_opts = ["--format", "specdoc", "--dry-run"]
-  t.pattern = ['spec/*_spec.rb']
+  t.pattern = 'spec/**/*_spec.rb'
 end
 
 desc "Run all examples with RCov"
 RSpec::Core::RakeTask.new('rcov') do |t|
-  t.pattern = ['spec/*_spec.rb']
+  t.pattern = 'spec/*_spec.rb'
   t.rcov = true
   t.rcov_opts = ['--exclude', 'examples']
 end
 
-task :default => :spec
+desc 'Regenerate authors file'
+task :authors do
+  Dir.chdir(File.dirname(__FILE__)) do
+    File.open('AUTHORS', 'w') do |f|
+      f.write( <<-EOM
+The Ruby REST Client would not be what it is today without the help of
+the following kind souls:
+
+      EOM
+      )
+    end
+
+    sh 'git shortlog -s | cut -f 2 >> AUTHORS'
+  end
+end
+
+task :default do
+  sh 'rake -T'
+end
+
+def alias_task(alias_task, original)
+  desc "Alias for rake #{original}"
+  task alias_task, Rake.application[original].arg_names => original
+end
+alias_task(:test, :spec)
+
+############################
+
+WindowsPlatforms = %w{x86-mingw32 x64-mingw32 x86-mswin32}
+
+namespace :all do
+
+  desc "Build rest-client #{RestClient::VERSION} for all platforms"
+  task :build => ['ruby:build'] + \
+    WindowsPlatforms.map {|p| "windows:#{p}:build"}
+
+  desc "Create tag v#{RestClient::VERSION} and for all platforms build and push " \
+    "rest-client #{RestClient::VERSION} to Rubygems"
+  task :release => ['build', 'ruby:release'] + \
+    WindowsPlatforms.map {|p| "windows:#{p}:push"}
+
+end
+
+namespace :windows do
+  spec_path = File.join(File.dirname(__FILE__), 'rest-client.windows.gemspec')
+
+  WindowsPlatforms.each do |platform|
+    namespace platform do
+      gem_filename = "rest-client-#{RestClient::VERSION}-#{platform}.gem"
+      base = File.dirname(__FILE__)
+      pkg_dir = File.join(base, 'pkg')
+      gem_file_path = File.join(pkg_dir, gem_filename)
+
+      desc "Build #{gem_filename} into the pkg directory"
+      task 'build' do
+        orig_platform = ENV['BUILD_PLATFORM']
+        begin
+          ENV['BUILD_PLATFORM'] = platform
+
+          sh("gem build -V #{spec_path}") do |ok, res|
+            if ok
+              FileUtils.mkdir_p(pkg_dir)
+              FileUtils.mv(File.join(base, gem_filename), pkg_dir)
+              Bundler.ui.confirm("rest-client #{RestClient::VERSION} " \
+                                 "built to pkg/#{gem_filename}")
+            else
+              abort "Command `gem build` failed: #{res}"
+            end
+          end
+
+        ensure
+          ENV['BUILD_PLATFORM'] = orig_platform
+        end
+      end
+
+      desc "Push #{gem_filename} to Rubygems"
+      task 'push' do
+        sh("gem push #{gem_file_path}")
+      end
+    end
+  end
+
+end
 
 ############################
 
@@ -43,7 +127,6 @@ Rake::RDocTask.new do |t|
   t.title    = "rest-client, fetch RESTful resources effortlessly"
   t.options << '--line-numbers' << '--inline-source' << '-A cattr_accessor=object'
   t.options << '--charset' << 'utf-8'
-  t.rdoc_files.include('README.rdoc')
+  t.rdoc_files.include('README.md')
   t.rdoc_files.include('lib/*.rb')
 end
-

data/bin/restclient

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 
-$:.unshift File.dirname(__FILE__) + "/../lib"
+$LOAD_PATH.unshift File.dirname(__FILE__) + "/../lib"
 
 require 'rubygems'
 require 'restclient'
@@ -26,10 +26,10 @@ end
 
 config = YAML.load(File.read(ENV['HOME'] + "/.restclient")) rescue {}
 
-@url, @username, @password = if c = config[@url]
-  [c['url'], c['username'], c['password']]
+if (c = config[@url])
+  @url, @username, @password = [c['url'], c['username'], c['password']]
 else
-  [@url, * ARGV]
+  @url, @username, @password = [@url, * ARGV]
 end
 
 usage("invalid url '#{@url}") unless @url =~ /^https?/
@@ -50,17 +50,15 @@ if @verb
     end
     exit 0
   rescue RestClient::Exception => e
-    puts e.response.body if e.respond_to? :response
+    puts e.response.body if e.respond_to?(:response) && e.response
     raise
   end
 end
 
 POSSIBLE_VERBS.each do |m|
-  eval <<-end_eval
-def  #{m}(path, *args, &b)
-	r[path].#{m}(*args, &b)
-end
-  end_eval
+  define_method(m.to_sym) do |path, *args, &b|
+    r[path].public_send(m.to_sym, *args, &b)
+  end
 end
 
 def method_missing(s, * args, & b)
@@ -79,11 +77,12 @@ end
 require 'irb'
 require 'irb/completion'
 
-if File.exists? ".irbrc"
+if File.exist? ".irbrc"
   ENV['IRBRC'] = ".irbrc"
 end
 
-if File.exists?(File.expand_path(rcfile = "~/.restclientrc"))
+rcfile = File.expand_path("~/.restclientrc")
+if File.exist?(rcfile)
   load(rcfile)
 end
 

data/history.md

@@ -1,19 +1,183 @@
-# 1.6.14
-
-- This release is unchanged from 1.6.9. It was published in order to supersede
-  the malicious 1.6.10-13 versions, even for users who are still pinning to the
-  legacy 1.6.x series. All users are encouraged to upgrade to rest-client 2.x.
-
-# 1.6.10, 1.6.11, 1.6.12, 1.6.13 (CVE-2019-15224)
-
-- These versions were pushed by a malicious actor and included a backdoor permitting
-  remote code execution in Rails environments.
-- They were live for about five days before being yanked.
-  https://github.com/rest-client/rest-client/issues/713
-
-# 1.6.9
-
-- Move rdoc to a development dependency
+# 2.0.2
+
+- Suppress the header override warning introduced in 2.0.1 if the value is the
+  same. There's no conflict if the value is unchanged. (#578)
+
+# 2.0.1
+
+- Warn if auto-generated headers from the payload, such as Content-Type,
+  override headers set by the user. This is usually not what the user wants to
+  happen, and can be surprising. (#554)
+- Drop the old check for weak default TLS ciphers, and use the built-in Ruby
+  defaults. Ruby versions from Oct. 2014 onward use sane defaults, so this is
+  no longer needed. (#573)
+
+# 2.0.0
+
+This release is largely API compatible, but makes several breaking changes.
+
+- Drop support for Ruby 1.9
+- Allow mime-types as new as 3.x (requires ruby 2.0)
+- Respect Content-Type charset header provided by server. Previously,
+  rest-client would not override the string encoding chosen by Net::HTTP. Now
+  responses that specify a charset will yield a body string in that encoding.
+  For example, `Content-Type: text/plain; charset=EUC-JP` will return a String
+  encoded with `Encoding::EUC_JP`. (#361)
+- Change exceptions raised on request timeout. Instead of
+  `RestClient::RequestTimeout` (which is still used for HTTP 408), network
+  timeouts will now raise either `RestClient::Exceptions::ReadTimeout` or
+  `RestClient::Exceptions::OpenTimeout`, both of which inherit from
+  `RestClient::Exceptions::Timeout`. For backwards compatibility, this still
+  inherits from `RestClient::RequestTimeout` so existing uses will still work.
+  This may change in a future major release. These new timeout classes also
+  make the original wrapped exception available as `#original_exception`.
+- Unify request exceptions under `RestClient::RequestFailed`, which still
+  inherits from `ExceptionWithResponse`. Previously, HTTP 304, 401, and 404
+  inherited directly from `ExceptionWithResponse` rather than from
+  `RequestFailed`. Now _all_ HTTP status code exceptions inherit from both.
+- Rename the `:timeout` request option to `:read_timeout`. When `:timeout` is
+  passed, now set both `:read_timeout` and `:open_timeout`.
+- Change default HTTP Accept header to `*/*`
+- Use a more descriptive User-Agent header by default
+- Drop RC4-MD5 from default cipher list
+- Only prepend http:// to URIs without a scheme
+- Fix some support for using IPv6 addresses in URLs (still affected by Ruby
+  2.0+ bug https://bugs.ruby-lang.org/issues/9129, with the fix expected to be
+  backported to 2.0 and 2.1)
+- `Response` objects are now a subclass of `String` rather than a `String` that
+  mixes in the response functionality. Most of the methods remain unchanged,
+  but this makes it much easier to understand what is happening when you look
+  at a RestClient response object. There are a few additional changes:
+  - Response objects now implement `.inspect` to make this distinction clearer.
+  - `Response#to_i` will now behave like `String#to_i` instead of returning the
+    HTTP response code, which was very surprising behavior.
+  - `Response#body` and `#to_s` will now return a true `String` object rather
+    than self. Previously there was no easy way to get the true `String`
+    response instead of the Frankenstein response string object with
+    AbstractResponse mixed in.
+  - Response objects no longer accept an extra request args hash, but instead
+    access request args directly from the request object, which reduces
+    confusion and duplication.
+- Handle multiple HTTP response headers with the same name (except for
+  Set-Cookie, which is special) by joining the values with a comma space,
+  compliant with RFC 7230
+- Rewrite cookie support to be much smarter and to use cookie jars consistently
+  for requests, responses, and redirection in order to resolve long-standing
+  complaints about the previously broken behavior: (#498)
+  - The `:cookies` option may now be a Hash of Strings, an Array of
+    HTTP::Cookie objects, or a full HTTP::CookieJar.
+  - Add `RestClient::Request#cookie_jar` and reimplement `Request#cookies` to
+    be a wrapper around the cookie jar.
+  - Still support passing the `:cookies` option in the headers hash, but now
+    raise ArgumentError if that option is also passed to `Request#initialize`.
+  - Warn if both `:cookies` and a `Cookie` header are supplied.
+  - Use the `Request#cookie_jar` as the basis for `Response#cookie_jar`,
+    creating a copy of the jar and adding any newly received cookies.
+  - When following redirection, also use this same strategy so that cookies
+    from the original request are carried through in a standards-compliant way
+    by the cookie jar.
+- Don't set basic auth header if explicit `Authorization` header is specified
+- Add `:proxy` option to requests, which can be used for thread-safe
+  per-request proxy configuration, overriding `RestClient.proxy`
+- Allow overriding `ENV['http_proxy']` to disable proxies by setting
+  `RestClient.proxy` to a falsey value. Previously there was no way in Ruby 2.x
+  to turn off a proxy specified in the environment without changing `ENV`.
+- Add actual support for streaming request payloads. Previously rest-client
+  would call `.to_s` even on RestClient::Payload::Streamed objects. Instead,
+  treat any object that responds to `.read` as a streaming payload and pass it
+  through to `.body_stream=` on the Net:HTTP object. This massively reduces the
+  memory required for large file uploads.
+- Changes to redirection behavior: (#381, #484)
+  - Remove `RestClient::MaxRedirectsReached` in favor of the normal
+    `ExceptionWithResponse` subclasses. This makes the response accessible on
+    the exception object as `.response`, making it possible for callers to tell
+    what has actually happened when the redirect limit is reached.
+  - When following HTTP redirection, store a list of each previous response on
+    the response object as `.history`. This makes it possible to access the
+    original response headers and body before the redirection was followed.
+  - Follow redirection consistently, regardless of whether the HTTP method was
+    passed as a symbol or string. Under the hood rest-client now normalizes the
+    HTTP request method to a lowercase string.
+- Add `:before_execution_proc` option to `RestClient::Request`. This makes it
+  possible to add procs like `RestClient.add_before_execution_proc` to a single
+  request without global state.
+- Run tests on Travis's beta OS X support.
+- Make `Request#transmit` a private method, along with a few others.
+- Refactor URI parsing to happen earlier, in Request initialization.
+- Improve consistency and functionality of complex URL parameter handling:
+  - When adding URL params, handle URLs that already contain params.
+  - Add new convention for handling URL params containing deeply nested arrays
+    and hashes, unify handling of null/empty values, and use the same code for
+    GET and POST params. (#437)
+  - Add the RestClient::ParamsArray class, a simple array-like container that
+    can be used to pass multiple keys with same name or keys where the ordering
+    is significant.
+- Add a few more exception classes for obscure HTTP status codes.
+- Multipart: use a much more robust multipart boundary with greater entropy.
+- Make `RestClient::Payload::Base#inspect` stop pretending to be a String.
+- Add `Request#redacted_uri` and `Request#redacted_url` to display the URI
+  with any password redacted.
+
+# 2.0.0.rc1
+
+Changes in the release candidate that did not persist through the final 2.0.0
+release:
+- RestClient::Exceptions::Timeout was originally going to be a direct subclass
+  of RestClient::Exception in the release candidate. This exception tree was
+  made a subclass of RestClient::RequestTimeout prior to the final release.
+
+# 1.8.0
+
+- Security: implement standards compliant cookie handling by adding a
+  dependency on http-cookie. This breaks compatibility, but was necessary to
+  address a session fixation / cookie disclosure vulnerability.
+  (#369 / CVE-2015-1820)
+
+  Previously, any Set-Cookie headers found in an HTTP 30x response would be
+  sent to the redirection target, regardless of domain. Responses now expose a
+  cookie jar and respect standards compliant domain / path flags in Set-Cookie
+  headers.
+
+# 1.7.3
+
+- Security: redact password in URI from logs (#349 / OSVDB-117461)
+- Drop monkey patch on MIME::Types (added `type_for_extension` method, use
+  the public interface instead.
+
+# 1.7.2
+
+- Ignore duplicate certificates in CA store on Windows
+
+# 1.7.1
+
+- Relax mime-types dependency to continue supporting mime-types 1.x series.
+  There seem to be a large number of popular gems that have depended on
+  mime-types '~> 1.16' until very recently.
+- Improve urlencode performance
+- Clean up a number of style points
+
+# 1.7.0
+
+- This release drops support for Ruby 1.8.7 and breaks compatibility in a few
+  other relatively minor ways
+- Upgrade to mime-types ~> 2.0
+- Don't CGI.unescape cookie values sent to the server (issue #89)
+- Add support for reading credentials from netrc
+- Lots of SSL changes and enhancements: (#268)
+  - Enable peer verification by default (setting `VERIFY_PEER` with OpenSSL)
+  - By default, use the system default certificate store for SSL verification,
+    even on Windows (this uses a separate Windows build that pulls in ffi)
+  - Add support for SSL `ca_path`
+  - Add support for SSL `cert_store`
+  - Add support for SSL `verify_callback` (with some caveats for jruby, OS X, #277)
+  - Add support for SSL ciphers, and choose secure ones by default
+- Run tests under travis
+- Several other bugfixes and test improvements
+  - Convert Errno::ETIMEDOUT to RestClient::RequestTimeout
+  - Handle more HTTP response codes from recent standards
+  - Save raw responses to binary mode tempfile (#110)
+  - Disable timeouts with :timeout => nil rather than :timeout => -1
+  - Drop all Net::HTTP monkey patches
 
 # 1.6.8
 

data/lib/restclient.rb

@@ -1,24 +1,21 @@
+require 'net/http'
+require 'openssl'
+require 'stringio'
 require 'uri'
 require 'zlib'
-require 'stringio'
-
-begin
-  require 'net/https'
-rescue LoadError => e
-  raise e unless RUBY_PLATFORM =~ /linux/
-  raise LoadError, "no such file to load -- net/https. Try running apt-get install libopenssl-ruby"
-end
 
 require File.dirname(__FILE__) + '/restclient/version'
 require File.dirname(__FILE__) + '/restclient/platform'
 require File.dirname(__FILE__) + '/restclient/exceptions'
+require File.dirname(__FILE__) + '/restclient/utils'
 require File.dirname(__FILE__) + '/restclient/request'
 require File.dirname(__FILE__) + '/restclient/abstract_response'
 require File.dirname(__FILE__) + '/restclient/response'
 require File.dirname(__FILE__) + '/restclient/raw_response'
 require File.dirname(__FILE__) + '/restclient/resource'
+require File.dirname(__FILE__) + '/restclient/params_array'
 require File.dirname(__FILE__) + '/restclient/payload'
-require File.dirname(__FILE__) + '/restclient/net_http_ext'
+require File.dirname(__FILE__) + '/restclient/windows'
 
 # This module's static methods are the entry point for using the REST client.
 #
@@ -94,8 +91,24 @@ module RestClient
     Request.execute(:method => :options, :url => url, :headers => headers, &block)
   end
 
-  class << self
-    attr_accessor :proxy
+  # A global proxy URL to use for all requests. This can be overridden on a
+  # per-request basis by passing `:proxy` to RestClient::Request.
+  def self.proxy
+    @proxy ||= nil
+  end
+
+  def self.proxy=(value)
+    @proxy = value
+    @proxy_set = true
+  end
+
+  # Return whether RestClient.proxy was set explicitly. We use this to
+  # differentiate between no value being set and a value explicitly set to nil.
+  #
+  # @return [Boolean]
+  #
+  def self.proxy_set?
+    @proxy_set ||= false
   end
 
   # Setup the log for RestClient calls.
@@ -155,6 +168,7 @@ module RestClient
   # Add a Proc to be called before each request in executed.
   # The proc parameters will be the http request and the request params.
   def self.add_before_execution_proc &proc
+    raise ArgumentError.new('block is required') unless proc
     @@before_execution_procs << proc
   end