roda 2.29.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e11c20c0c5dfda417dafc01b68c10915e59abf04
-  data.tar.gz: edd6bd09207b2f8e15f78b9c9ada35285003ff0d
+  metadata.gz: b7717dcab195a4aa608a95fe1b957a4e70e46eb1
+  data.tar.gz: a183e023f32c278e5ddce68390775ef396472d44
 SHA512:
-  metadata.gz: a82a396922fc18b9d69551ff405cade3d51e09d5eb518c70bc3166b4214d70692412f91e59c4e31a9fec84e948c93bec3a1a7a066584bd1c5585b39fc57b2c15
-  data.tar.gz: 4690e25684a1264e29c3c60426263a5631716080de3e699785e193bd96868a9c4788b8aa17ca97fbecacf1db96a39146bb33bc0db23e1398c8d79c2ab3ab34da
+  metadata.gz: 0aded27e4b6f521e554f49d14e805fe3bdf03265f3cb4b4437145bc8767ef4b07ced8e267caaee331dc8fba84cb706c166776dd507e5ff254238c9b39984a94a
+  data.tar.gz: 79cc0eeea440e916f31b5312c0005e06a543f29204b6ec4b3a34340a221708fb5779b85b38d1242bca29d9b86e789803336e502621bec68034e08e583e1df2b1

data/CHANGELOG

@@ -1,3 +1,55 @@
+= 3.0.0 (2017-09-15)
+
+* Make defined symbol_matcher and hash_matcher match methods private (jeremyevans)
+
+* Use public_send instead of send unless calling private methods is expected (jeremyevans)
+
+* Compute multi_run regexp when freezing app to avoid thread safety issues at runtime (jeremyevans)
+
+* Remove deprecated support for using undefined multi_route namespaces when routing (jeremyevans)
+
+* Make it possible to reset :include_request options to false for json and json_parser plugins (jeremyevans)
+
+* Deprecate RodaRequest#placeholder_string_matcher? private method (jeremyevans)
+
+* Deprecate Roda.thread_safe_cache, use RodaCache directly (jeremyevans)
+
+* Make using an app as middleware always create a subclass of the app (jeremyevans)
+
+* Enable SHA256 subresource integrity by default in assets plugin (jeremyevans)
+
+* Make subclassing a roda app always inherit the render cache (jeremyevans)
+
+* Make :cache=>nil render plugin option still allow caching via :cache render method option (jeremyevans)
+
+* Make content_for plugin append to existing content by default (jeremyevans)
+
+* Make :host matcher in the header_matchers plugin always yield captures if given a regexp (jeremyevans)
+
+* Make :header matcher in the header_matchers plugin now always prefix header with HTTP_ (jeremyevans)
+
+* Remove deprecated support for locals handling at the plugin level in the render plugin (jeremyevans)
+
+* Remove deprecated support for handling locals in the view_options plugin (jeremyevans)
+
+* Remove deprecated support for :ext option in render plugin (jeremyevans)
+
+* Remove deprecated view_subdirs alias for view_options plugin (jeremyevans)
+
+* Remove deprecated support for EventMachine and Stream#callback method in the streaming plugin (jeremyevans)
+
+* Drop support for ruby 1.8.7 (jeremyevans)
+
+* Make using an unsupported matcher raise error by default (jeremyevans)
+
+* Make having a match/route block return an unsupported value raise error by default (jeremyevans)
+
+* Remove deprecated :format, :opt, and :optd symbol matchers in symbol_matchers plugin (jeremyevans)
+
+* Remove deprecated support for placeholders in string matchers (jeremyevans)
+
+* Remove deprecated constants and plugins (jeremyevans)
+
 = 2.29.0 (2017-08-16)
 
 * Deprecate accessing multi_route namespace when there are no routes (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2014-2016 Jeremy Evans
+Copyright (c) 2014-2017 Jeremy Evans
 Copyright (c) 2010-2014 Michel Martens, Damian Janowski and Cyril David
 Copyright (c) 2008-2009 Christian Neukirchen
 

data/README.rdoc

@@ -131,10 +131,11 @@ allowing for code such as <tt>r.redirect(path) if some_condition</tt>.
 If +r.redirect+ is called without arguments
 and the current request method is not +GET+, it redirects to the current path.
 
-The +.freeze.app+ at the end is optional.  Freezing the app avoids any possible
-thread safety issues inside the application at runtime, which shouldn't be possible
-anyway.  This generally should only be done in production mode.
-The +.app+ is an optimization, which saves a few method calls for every request.
+The +.freeze.app+ at the end is optional.  Freezing the app makes modifying
+app-level settings raise an error, alerting you to possible thread-safety issues
+in your application.  It is recommended to freeze the app in production and
+during testing.  The +.app+ is an optimization, which saves a few method calls
+for every request.
 
 == The Routing Tree
 
@@ -232,7 +233,7 @@ Here's an example showcasing how different matchers work:
       end
 
       # GET /username/foobar branch
-      r.on "username", String, :method=>:get do |username|
+      r.on "username", String, method: :get do |username|
         user = User.find_by_username(username)
 
         # GET /username/foobar/posts
@@ -249,7 +250,7 @@ Here's an example showcasing how different matchers work:
 
       # /search?q=barbaz
       r.get "search" do
-        "Searched for #{r['q']}" #=> "Searched for barbaz"
+        "Searched for #{r.params['q']}" #=> "Searched for barbaz"
       end
 
       r.is "login" do
@@ -260,7 +261,7 @@ Here's an example showcasing how different matchers work:
 
         # POST /login?user=foo&password=baz
         r.post do
-          "#{r['user']}:#{r['password']}" #=> "foo:baz"
+          "#{r.params['user']}:#{r.params['password']}" #=> "foo:baz"
         end
       end
     end
@@ -285,41 +286,15 @@ If a string contains any slashes, it matches one additional segment for each sla
   "foo/bar" # matches "/foo/bar"
   "foo/bar" # does not match "/foo/bard"
 
-While deprecated by default, if a string contains a colon followed by any
-<tt>\\w</tt> characters, the colon and remaining <tt>\\w</tt> characters match any
-nonempty segment that contains at least one character:
-
-  "foo/:id" # matches "/foo/bar", "/foo/baz", etc.
-  "foo/:id" # does not match "/fo/bar"
-
-You can use multiple colons in a string:
-
-  ":x/:y" # matches "/foo/bar", "/bar/foo" etc.
-  ":x/:y" # does not match "/foo", "/bar/"
-
-Note that instead of using colons in strings, it is recommended to use separate
-symbol arguments, as it is faster and simpler:
-
-  "foo", String # instead of "foo/:id"
-  String, String     # instead of ":x/:y"
-
-You can load the placeholder_string_matchers plugin to allow placeholders in
-strings without a deprecation warning.  The deprecated default handling of placeholders
-in strings will be removed in Roda 3.
-
-Note that other than colons followed by a <tt>\\w</tt> character, strings do no
-handle regular expression syntax, they are matched verbatim:
-
-  "\\d+(/\\w+)?" # matches "/\d+(/\w+)?"
-  "\\d+(/\\w+)?" # does not match "/123/abc"
-
 === Regexp
 
 Regexps match one or more segments by looking for the pattern,
-preceded by a slash:
+preceded by a slash, and followed by a slash or the end of the path:
 
   /foo\w+/ # matches "/foobar"
   /foo\w+/ # does not match "/foo/bar"
+  /foo/i # matches "/foo", "/Foo/"
+  /foo/i # does not match "/food"
 
 If any patterns are captured by the Regexp, they are yielded:
 
@@ -331,7 +306,8 @@ If any patterns are captured by the Regexp, they are yielded:
 There are two classes that are supported as matchers, String
 and Integer.
 
-String :: matches any non-empty segment
+String :: matches any non-empty segment, yielding the segment except for
+          the preceding slash
 Integer :: matches any segment of 0-9, returns matched values as integers
 
 Using String and Integer is the recommended way to handle
@@ -396,7 +372,7 @@ allows for easily defining your own:
     end
     
     route do |r|
-      r.on :foo=>'bar' do
+      r.on foo: 'bar' do
         # ...
       end
     end
@@ -406,7 +382,7 @@ allows for easily defining your own:
 
 The +:all+ matcher matches if all of the entries in the given array match, so
 
-  r.on :all=>[String, String] do
+  r.on all: [String, String] do
     # ...
   end
 
@@ -419,7 +395,7 @@ is the same as:
 The reason it also exists as a separate hash matcher
 is so you can use it inside an array matcher, so:
 
-  r.on ['foo', {:all=>['foos', Integer]}] do
+  r.on ['foo', {all: ['foos', Integer]}] do
   end
 
 would match +/foo+ and +/foos/10+, but not +/foos+.
@@ -429,8 +405,8 @@ would match +/foo+ and +/foos/10+, but not +/foos+.
 The +:method+ matcher matches the method of the request.
 You can provide an array to specify multiple request methods and match on any of them:
 
-  {:method => :post}             # matches POST
-  {:method => ['post', 'patch']} # matches POST and PATCH
+  {method: :post}             # matches POST
+  {method: ['post', 'patch']} # matches POST and PATCH
 
 === false, nil
 
@@ -438,8 +414,8 @@ If +false+ or +nil+ is given directly as a matcher, it doesn't match anything.
 
 === Everything else
 
-Everything else matches anything, but such usage is deprecated.  In Roda 3, using
-an unsupported matcher will raise an error.
+Everything else raises an error, unless support is specifically added for it
+(some plugins add support for additional matcher types).
 
 == Optional segments
 
@@ -450,11 +426,11 @@ the item's id, and 456 being some optional data.
 The simplest way to handle this is by treating this as two separate routes with a
 shared branch:
 
-  r.on "items", String do |item_id|
+  r.on "items", Integer do |item_id|
     # Shared code for branch here
 
     # /items/123/456
-    r.is String do |optional_data|
+    r.is Integer do |optional_data|
     end
 
     # /items/123
@@ -495,8 +471,7 @@ or route block return value is inspected:
 
 String :: used as the response body
 nil, false :: ignored
-everything else :: also ignored, but this is deprecated and will raise an
-                   error starting in Roda 3
+everything else :: raises an error
 
 Plugins can add support for additional match block and route block return
 values.  One example of this is the json plugin, which allows returning
@@ -574,7 +549,7 @@ If you want to match the request method
 and do only a partial match on the request path,
 you need to use +r.on+ with the <tt>:method</tt> hash matcher:
 
-  r.on "foo", :method=>:get do # Matches GET /foo(/.*)?
+  r.on "foo", method: :get do # Matches GET /foo(/.*)?
   end
 
 == Root Method
@@ -588,7 +563,7 @@ Unlike the other matching methods, +r.root+ takes no arguments.
 
 Note that +r.root+ does not match if the path is empty;
 you should use <tt>r.get true</tt> for that.
-If you want to match either the the empty path or +/+,
+If you want to match either the empty path or +/+,
 you can use <tt>r.get ["", true]</tt>, or use the slash_path_empty
 plugin.
 
@@ -694,7 +669,7 @@ The default Rake task will run the specs for Roda.
 == Settings
 
 Each Roda app can store settings in the +opts+ hash.
-The settings are inherited if you happen to subclass +Roda+.  
+The settings are inherited by subclasses.
 
   Roda.opts[:layout] = "guest"
 
@@ -726,22 +701,6 @@ The following options are respected by the default library or multiple plugins:
 :freeze_middleware :: Whether to freeze all middleware when building the rack app.
 :root :: Set the root path for the app.  This defaults to the current working
          directory of the process.
-:unsupported_block_result :: If set to :raise, raises an error if a match or
-                             route block returns an object that is not handled.
-                             By default, String, nil, and false are handled,
-                             and other types can be handled via plugins. Setting
-                             this option can alert you to possible issues in your
-                             application.
-:unsupported_matcher :: If set to :raise, raises an error if a matcher is used that
-                        is not handled.  By default, String, Symbol, Regexp, Hash,
-                        Array, Proc, true, false, and nil are handled.  Setting
-                        this option can alert you to possible issues in your
-                        application.
-:verbatim_string_matcher :: If set to true, makes all string matchers match
-                            verbatim strings, disallowing the use of colons
-                            for placeholders.  In general, it is recommended
-                            to use separate symbol matchers instead of
-                            embedding placeholders in string matchers.
 
 There may be other options supported by individual plugins, if so it will be
 mentioned in the documentation for the plugin.
@@ -769,7 +728,7 @@ By default, +view+ will render the template inside the default layout template;
       r.get "render" do
         # Renders the views/home.erb template, which will have access to
         # the instance variable @var, as well as local variable content.
-        render("home", :locals=>{:content => "hello, world"})
+        render("home", locals: {content: "hello, world"})
       end
 
       r.get "view" do
@@ -788,12 +747,10 @@ You can override the default rendering options by passing a hash to the plugin:
 
   class App < Roda
     plugin :render,
-      :escape => true, # Automatically escape output in erb templates using Erubis
-                       # can use :erubi instead of true to use Erubi instead of Erubis
-      :views => 'admin_views', # Default views directory
-      :layout_opts => {:template=>'admin_layout',
-                       :ext=>'html.erb'},    # Default layout template options
-      :template_opts => {:default_encoding=>'UTF-8'} # Default template options
+      escape: true, # Automatically escape output in erb templates using Erubi's escaping support
+      views: 'admin_views', # Default views directory
+      layout_opts: {template: 'admin_layout', engine: 'html.erb'},    # Default layout options
+      template_opts: {default_encoding: 'UTF-8'} # Default template options
   end
 
 == Sessions
@@ -806,7 +763,7 @@ that comes with Rack:
   require "roda"
 
   class App < Roda
-    use Rack::Session::Cookie, :secret => ENV['SECRET']
+    use Rack::Session::Cookie, secret: ENV['SECRET']
   end
 
 == Security
@@ -853,14 +810,7 @@ are not escaping the output of the content template:
 
   <%== yield %> # not <%= yield %>
 
-You can also provide a +:escape_safe_classes+ option, which will
-make <tt><%= %></tt> not escape certain string subclasses, useful
-if you have helpers that already return escaped output using a
-string subclass instance.
-
-This support requires {Erubis}[http://www.kuwata-lab.com/erubis/].
-You can use <tt>:escape=>:erubi</tt> to use {Erubi}[https://github.com/jeremyevans/erubi],
-a simplified fork of Erubis.
+This support requires {Erubi}[https://github.com/jeremyevans/erubi].
 
 === Security Related HTTP Headers
 
@@ -890,36 +840,21 @@ Example:
 
 === Rendering Templates Derived From User Input
 
-Roda's rendering plugin assumes that template paths given to it are trusted by default.
-If you provide a path to the +render+/+view+ methods that is derived from user input, you
-are opening yourself for people rendering arbitrary files on the system that that have a
-file name ending in the default template extension.  For example, if you do:
+Roda's rendering plugin by default checks that rendered templates are inside the views
+directory.  This is because rendering templates outside the views directory is not
+commonly needed, and it prevents a common attack (which is especially severe if there is any
+location on the file system that users can write files to).
 
-  class App < Roda
-    plugin :render
-    route do |r|
-      view(r['page'])
-    end
-  end
-
-Then attackers can submit a <tt>page</tt> parameter such as <tt>'../../../../tmp/upload'</tt>
-to render the <tt>/tmp/upload.erb</tt> file.  If you have another part of your system that
-allows users to create files with arbitrary extensions (even temporary files), then it may
-be possible to combine these two issues into a remote code execution exploit.
-
-To mitigate against this issue, you can use the <tt>:check_paths => true</tt> render
-option, which will check that the full path of the template to be rendered begins with the
-+:views+ directory, and raises an exception if not.  You can also use the +:allowed_paths+
-render option to specify which paths are allowed.  While
-<tt>:check_paths => true</tt> is not currently the default, it will become the default in
-Roda 3.  Note that when specifying the +:path+ option when rendering a template, Roda will
+You can specify which directories are allowed using the +:allowed_paths+ render plugin
+option. If you really want to turn path checking off, you can do so via the
+<tt>check_paths: false</tt> render plugin option.
 not check paths, as it assumes that users and libraries that use this option will be checking
 such paths manually.
 
 == Code Reloading
 
-Roda does not ship with integrated support for code reloading, as it is a toolkit and not a
-framework, but there are rack-based reloaders that will work with Roda apps.
+Roda does not ship with integrated support for code reloading, but there are rack-based
+reloaders that will work with Roda apps.
 
 For most applications, {rack-unreloader}[https://github.com/jeremyevans/rack-unreloader]
 is probably the fastest approach to reloading while still being fairly safe, as it
@@ -954,7 +889,7 @@ It's fast but may cause issues in cases where you remove classes, constants, or
 or when you are not clearing out cached data manually when files are reloaded.
 
 There is no one reloading solution that is the best for all applications and development
-approaches.  Consider your needs and the the tradeoffs of each of the reloading approaches,
+approaches.  Consider your needs and the tradeoffs of each of the reloading approaches,
 and pick the one you think will work best.
 
 If you are unsure where to start, it may be best to start with rerun or shotgun
@@ -1060,9 +995,16 @@ It started out as a fork of Cuba, from which it borrows the idea of using a rout
 (which Cuba in turn took from {Rum}[https://github.com/chneukirchen/rum]).
 From Sinatra, it takes the ideas that route blocks should return the request bodies
 and that routes should be canonical.
-It pilfers the idea for an extensible plugin system from the Ruby database library
+Roda's plugin system is based on the plugin system used by
 {Sequel}[http://sequel.jeremyevans.net].
 
+== Ruby Support Policy
+
+Roda fully supports the currently supported versions of Ruby (MRI) and JRuby.  It may
+support unsupported versions of Ruby or JRuby, but such support may be dropped in any
+minor version of keeping it becomes a support issue.  The minimum Ruby version
+required to run the current version of Roda is 1.9.2.
+
 == License
 
 MIT

data/Rakefile

@@ -1,9 +1,10 @@
 require "rake"
 require "rake/clean"
+require "rdoc/task"
 
 NAME = 'roda'
 VERS = lambda do
-  require File.expand_path("../lib/roda/version.rb", __FILE__)
+  require_relative 'lib/roda/version'
   Roda::RodaVersion
 end
 CLEAN.include ["#{NAME}-*.gem", "rdoc", "coverage", "www/public/*.html", "www/public/rdoc", "spec/assets/app.*.css", "spec/assets/app.*.js", "spec/assets/app.*.css.gz", "spec/assets/app.*.js.gz"]
@@ -17,32 +18,24 @@ end
 
 ### RDoc
 
-RDOC_DEFAULT_OPTS = ["--line-numbers", "--inline-source", '--title', 'Roda: Routing tree web toolkit']
+RDOC_OPTS = ["--line-numbers", "--inline-source", '--title', 'Roda: Routing tree web toolkit']
 
 begin
   gem 'hanna-nouveau'
-  RDOC_DEFAULT_OPTS.concat(['-f', 'hanna'])
+  RDOC_OPTS.concat(['-f', 'hanna'])
 rescue Gem::LoadError
 end
 
-rdoc_task_class = begin
-  require "rdoc/task"
-  RDoc::Task
-rescue LoadError
-  require "rake/rdoctask"
-  Rake::RDocTask
-end
-
-RDOC_OPTS = RDOC_DEFAULT_OPTS + ['--main', 'README.rdoc']
+RDOC_OPTS.concat(['--main', 'README.rdoc'])
 RDOC_FILES = %w"README.rdoc CHANGELOG MIT-LICENSE lib/**/*.rb" + Dir["doc/*.rdoc"] + Dir['doc/release_notes/*.txt']
 
-rdoc_task_class.new do |rdoc|
+RDoc::Task.new do |rdoc|
   rdoc.rdoc_dir = "rdoc"
   rdoc.options += RDOC_OPTS
   rdoc.rdoc_files.add RDOC_FILES
 end
 
-rdoc_task_class.new(:website_rdoc) do |rdoc|
+RDoc::Task.new(:website_rdoc) do |rdoc|
   rdoc.rdoc_dir = "www/public/rdoc"
   rdoc.options += RDOC_OPTS
   rdoc.rdoc_files.add RDOC_FILES