roda 3.42.0 → 3.46.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e2bdd27a69c76000c9c1d2d8f37f9919145fdae55224706c78adec42850c5d21
-  data.tar.gz: 8b92e1dbc9ec83ebca5d2d5b068c67fa282dfee25fe241451c93228a406a4749
+  metadata.gz: 5fd9ea4a9be8072ffc96e5bab91a845e99cc9a9d6641571167badd4146c93318
+  data.tar.gz: ed062be1d4b922ba39456f3868e599e3c6134fecfedaa3bfc780667bfec5c5f2
 SHA512:
-  metadata.gz: 5c9f2d3f0f021b7b0a16628cefe28c4d4001f2a80804f2bde9b48b641a70482a5d13d699252cb9f7c747de50710b91df30f893f83263e3e73c874621948b4cc6
-  data.tar.gz: c060f123bfb7bd0f02a83d864169d7d2a021c14cd152b8f3e7641c4c7e0317affb84fce0812afcb0d382e0828e31e2fd97b46482338ae92574fbad97793c8996
+  metadata.gz: 59e5677db771776107744f2438505b467363b410d6b2c8d19b1b11e802bfd15b22974997b20185e9ba3a1c9a7b8721bb5e3dbc1481a575f0812300c9c3241cac
+  data.tar.gz: 6233ec5251cfbeeaabdb44a7cba75d4831910215ae8239ec19873f58a62f14722bb6b57059f0814ae07e7ccc50977e3a2fbf74bb3b423a253b7dace5773c6887

data/CHANGELOG

@@ -1,3 +1,25 @@
+= 3.46.0 (2021-07-12)
+
+* Automatically optimize r.on/r.is/r.get/r.post methods with a single string, String, Integer, or regexp argument (jeremyevans)
+
+= 3.45.0 (2021-06-14)
+
+* Make typecast_params plugin check for null bytes in strings by default, with :allow_null_bytes option for previous behavior (jeremyevans)
+
+= 3.44.0 (2021-05-12)
+
+* Add optimized_segment_matchers plugin for optimized matchers for a single String class argument (jeremyevans)
+
+* Use RFC 5987 UTF-8 and ISO-8859-1 encoded filenames when using send_file and attachment in the sinatra_helpers plugin (jeremyevans)
+
+= 3.43.1 (2021-04-13)
+
+* [SECURITY] Fix issue where loading content_security_policy plugin after default_headers plugin had no effect (jeremyevans)
+
+= 3.43.0 (2021-04-12)
+
+* Add host_authorization plugin, for checking that requests are submitted using an approved host (jeremyevans)
+
 = 3.42.0 (2021-03-12)
 
 * Make Roda.plugin support plugins using keyword arguments in Ruby 3 (jeremyevans)

data/README.rdoc

@@ -13,7 +13,6 @@ Website :: http://roda.jeremyevans.net
 Source :: http://github.com/jeremyevans/roda
 Bugs :: http://github.com/jeremyevans/roda/issues
 Google Group :: http://groups.google.com/group/ruby-roda
-IRC :: irc://chat.freenode.net/#roda
 
 == Goals
 
@@ -965,19 +964,17 @@ option. If you really want to turn path checking off, you can do so via the
 Roda does not ship with integrated support for code reloading, but there are rack-based
 reloaders that will work with Roda apps.
 
-For most applications, {rack-unreloader}[https://github.com/jeremyevans/rack-unreloader]
-is probably the fastest approach to reloading while still being fairly safe, as it
-reloads just files that have been modified, and unloads constants defined in the files
-before reloading them.  However, it requires modifying your application code to use
-rack-unreloader specific APIs.
-
-A similar solution that reloads files and unloads constants is ActiveSupport::Dependencies.
-ActiveSupport::Dependencies doesn't require modifying your application code, but it modifies
-some core methods, including +require+ and +const_missing+. It requires less configuration,
-but depends that you follow Rails' file and class naming conventions. It also provides
-autoloading (on the fly) of files when a missing constant is accessed. If your application
-does not rely on autoloading then +require_dependency+ must be used to require the dependencies
-or they won't be reloaded.
+{Zeitwerk}[https://github.com/fxn/zeitwerk] (which Rails now uses for reloading) can be used
+with Roda.  It requires minimal setup and handles most cases. It overrides +require+ when
+activated. If it can meet the needs of your application, it's probably the best approach.
+
+{rack-unreloader}[https://github.com/jeremyevans/rack-unreloader] uses a fast
+approach to reloading while still being fairly safe, as it only reloads files that have
+been modified, and unloads constants defined in the files before reloading them. It can handle
+advanced cases that Zeitwerk does not support, such as classes defined in multiple files
+(common when using separate route files for different routing branches in the same application).
+However, rack-unreloader does not modify core classes and using it requires modifying your
+application code to use rack-unreloader specific APIs, which may not be simple.
 
 {AutoReloader}[https://github.com/rosenfeld/auto_reloader] provides transparent reloading for
 all files reached from one of the +reloadable_paths+ option entries, by detecting new top-level

data/doc/release_notes/3.43.0.txt

@@ -0,0 +1,34 @@
+= New Features
+
+* A host_authorization plugin has been added to verify the requested
+  Host header is authorized.  Using it can prevent DNS rebinding
+  attacks in cases where the application can receive requests for
+  arbitrary hosts.
+
+  To check for authorized hosts in your routing tree, you call the
+  check_host_authorization! method.  For example, if you want to
+  check for authorized hosts after serving requests for public
+  files, you could do:
+
+    plugin :public
+    plugin :host_authorization, 'my-domain-name.example.com'
+
+    route do |r|
+      r.public
+      check_host_authorized!
+
+      # ... rest of routing tree
+    end
+
+  In addition to handling single domain names via a string, you can
+  provide an array of domain names, a regexp to match again, or a
+  proc.
+  
+  By default, requests using unauthorized hosts receive an empty 403
+  response.  If you would like to customize the response, you can
+  pass a block when loading the plugin:
+
+    plugin :host_authorization, 'my-domain-name.example.com' do |r|
+      response.status = 403
+      "Response Body Here"
+    end

data/doc/release_notes/3.44.0.txt

@@ -0,0 +1,23 @@
+= New Features
+
+* An optimized_segment_matchers plugin has been added that offers
+  very fast matchers for arbitrary segments (the same segments
+  that would be matched by the String class matcher).  The
+  on_segment method it offers accepts no arguments and yields
+  the next segment if there is a segment.  The is_segment method
+  is similar, but only yields if the next segment is the final
+  segment.
+
+= Other Improvements
+
+* The send_file and attachment methods in the sinatra_helpers plugin
+  now support RFC 5987 UTF-8 and ISO-8859-1 encoded filenames,
+  allowing modern browsers to save files with encoded chracters. For
+  older browsers that do not support RFC 5987, unsupported characters
+  in filenames are replaced with dashes.  This is considered to be an
+  improvement over the previous behavior of using Ruby's inspect
+  output for the filename, which could contain backslashes (backslash
+  is not an allowed chracter in Windows filenames).
+
+* The performance of the String class matcher has been slightly
+  improved.

data/doc/release_notes/3.45.0.txt

@@ -0,0 +1,22 @@
+= Improvements
+
+* The typecast_params plugin checks now checks for null bytes by
+  default before typecasting.  If null bytes are present, it raises
+  an error.  Most applications do not require null bytes in
+  parameters, and in some cases allowing them can lead to security
+  issues, especially when parameters are passed to C extensions.
+  In general, the benefit of forbidding null bytes in parameters is
+  greater than the cost.
+  
+  If you would like to continue allowing null bytes, use the
+  :allow_null_bytes option when loading the plugin.
+
+  Note that this change does not affect uploaded files, since those
+  are expected to contain null bytes.
+
+= Backwards Compatibility
+
+* The change to the typecast_params plugin to raise an error for
+  null bytes can break applications that are expecting null bytes
+  to be passed in parameters.  Such applications should use the
+  :allow_null_bytes option when loading the plugin.

data/doc/release_notes/3.46.0.txt

@@ -0,0 +1,19 @@
+= Improvements
+
+* The r.on, r.is, r.get and r.post methods (and other verb methods
+  if using the all_verbs plugin) have now been optimized when using
+  a single string or regexp matcher, or the String or Integer class
+  matcher.  Since those four matchers are the most common types of
+  matchers passed to the methods, this can significantly improve
+  routing performance (about 50% in the r10k benchmark).
+
+  This optimization is automatically applied when freezing
+  applications, if the related methods have not been modified by
+  plugins.
+
+  This optimization does come at the expense of a small decrease
+  in routing performance (3-4%) for unoptimized cases, but the
+  majority of applications will see a overall performance benefit
+  from this change.
+
+* Other minor performance improvements have been made.

data/lib/roda.rb

@@ -212,6 +212,10 @@ class Roda
             if @middleware.empty? && use_new_dispatch_api?
               plugin :direct_call
             end
+
+            if ([:on, :is, :_verb, :_match_class_String, :_match_class_Integer, :_match_string, :_match_regexp, :empty_path?]).all?{|m| self::RodaRequest.instance_method(m).owner == RequestMethods}
+              plugin :_optimized_matching
+            end
           end
 
           build_rack_app

data/lib/roda/plugins/_optimized_matching.rb

@@ -0,0 +1,137 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The _optimized_matching plugin is automatically used internally to speed
+    # up matching when a single argument String instance, String class, Integer
+    # class, or Regexp matcher is passed to +r.on+, +r.is_+, or a verb method
+    # such as +r.get+ or +r.post+.
+    # 
+    # The optimization works by avoiding the +if_match+ method if possible.
+    # Instead of clearing the captures array on every call, and having the
+    # matching append to the captures, it checks directly for the match,
+    # and on succesful match, it yields directly to the block without using
+    # the captures array.
+    module OptimizedMatching 
+      TERM = Base::RequestMethods::TERM
+
+      module RequestMethods
+        # Optimize the r.is method handling of a single string, String, Integer,
+        # regexp, or true, argument.
+        def is(*args, &block)
+          case args.length
+          when 1
+            _is1(args, &block)
+          when 0
+            always(&block) if @remaining_path.empty?
+          else
+            if_match(args << TERM, &block)
+          end
+        end
+
+        # Optimize the r.on method handling of a single string, String, Integer,
+        # or regexp argument.  Inline the related matching code to avoid the
+        # need to modify @captures.
+        def on(*args, &block)
+          case args.length
+          when 1
+            case matcher = args[0]
+            when String
+              always{yield} if _match_string(matcher)
+            when Class
+              if matcher == String
+                rp = @remaining_path
+                if rp.getbyte(0) == 47
+                  if last = rp.index('/', 1)
+                    @remaining_path = rp[last, rp.length]
+                    always{yield rp[1, last-1]}
+                  elsif (len = rp.length) > 1
+                    @remaining_path = ""
+                    always{yield rp[1, len]}
+                  end
+                end
+              elsif matcher == Integer
+                if matchdata = @remaining_path.match(/\A\/(\d+)(?=\/|\z)/)
+                  @remaining_path = matchdata.post_match
+                  always{yield(matchdata[1].to_i)}
+                end
+              else
+                if_match(args, &block)
+              end
+            when Regexp
+              if matchdata = @remaining_path.match(self.class.cached_matcher(matcher){matcher})
+                @remaining_path = matchdata.post_match
+                always{yield(*matchdata.captures)}
+              end
+            else
+              if_match(args, &block)
+            end
+          when 0
+            always(&block)
+          else
+            if_match(args, &block)
+          end
+        end
+
+        private
+
+        # Optimize the r.get/r.post method handling of a single string, String, Integer,
+        # regexp, or true, argument.
+        def _verb(args, &block)
+          case args.length
+          when 0
+            always(&block)
+          when 1
+            _is1(args, &block)
+          else
+            if_match(args << TERM, &block)
+          end
+        end
+
+        # Internals of r.is/r.get/r.post optimization.  Inline the related matching
+        # code to avoid the need to modify @captures.
+        def _is1(args, &block)
+          case matcher = args[0]
+          when String
+            rp = @remaining_path
+            if _match_string(matcher)
+              if @remaining_path.empty?
+                always{yield}
+              else
+                @remaining_path = rp
+                nil
+              end
+            end
+          when Class
+            if matcher == String
+              rp = @remaining_path
+              if rp.getbyte(0) == 47 && !rp.index('/', 1) && (len = rp.length) > 1
+                @remaining_path = ''
+                always{yield rp[1, len]}
+              end
+            elsif matcher == Integer
+              if matchdata = @remaining_path.match(/\A\/(\d+)\z/)
+                @remaining_path = ''
+                always{yield(matchdata[1].to_i)}
+              end
+            else
+              if_match(args << TERM, &block)
+            end
+          when Regexp
+            if (matchdata = @remaining_path.match(self.class.cached_matcher(matcher){matcher})) && (post_match = matchdata.post_match).empty?
+              @remaining_path = ''
+              always{yield(*matchdata.captures)}
+            end
+          when true
+            always(&block) if @remaining_path.empty?
+          else
+            if_match(args << TERM, &block)
+          end
+        end
+      end
+    end
+
+    register_plugin(:_optimized_matching, OptimizedMatching)
+  end
+end

data/lib/roda/plugins/assets.rb

@@ -152,6 +152,22 @@ class Roda
     # together and not compressed during compilation.  You can use the
     # :css_compressor and :js_compressor options to specify the compressor to use.
     #
+    # It is also possible to use the built-in compression options in the CSS or JS
+    # compiler, assuming the compiler supports such options.  For example, with
+    # sass/sassc, you can use:
+    #
+    #   plugin :assets,
+    #     css_opts: {style: :compressed}
+    #
+    # === Source Maps (CSS)
+    #
+    # The assets plugin does not have direct support for source maps, so it is
+    # recommended you use embedded source maps if supported by the CSS compiler.
+    # For sass/sassc, you can use:
+    #
+    #   plugin :assets,
+    #     css_opts: {:source_map_embed=>true, source_map_contents: true, source_map_file: "."}
+    #
     # === With Asset Groups
     #
     # When using asset groups, a separate compiled file will be produced per

data/lib/roda/plugins/content_for.rb

@@ -62,8 +62,7 @@ class Roda
       end
 
       # Configure whether to append or overwrite if content_for
-      # is called multiple times to set data. Overwrite is default, use
-      # the :append option to append.
+      # is called multiple times with the same key.
       def self.configure(app, opts = OPTS)
         app.opts[:append_content_for] = opts.fetch(:append, true)
       end

data/lib/roda/plugins/default_headers.rb

@@ -23,30 +23,31 @@ class Roda
     module DefaultHeaders
       # Merge the given headers into the existing default headers, if any.
       def self.configure(app, headers={})
-        headers = app.opts[:default_headers] = (app.default_headers || app::RodaResponse::DEFAULT_HEADERS).merge(headers).freeze
+        app.opts[:default_headers] = (app.default_headers || app::RodaResponse::DEFAULT_HEADERS).merge(headers).freeze
+      end 
+
+      module ClassMethods
+        # The default response headers to use for the current class.
+        def default_headers
+          opts[:default_headers]
+        end
 
-        if headers.all?{|k, v| k.is_a?(String) && v.is_a?(String)}
-          response_class = app::RodaResponse
-          owner = response_class.instance_method(:set_default_headers).owner
-          if owner == Base::ResponseMethods || (owner == response_class && app.opts[:set_default_headers_overridder] == response_class)
-            app.opts[:set_default_headers_overridder] = response_class
-            response_class.class_eval(<<-END, __FILE__, __LINE__+1)
+        # Optimize the response class set_default_headers method if it hasn't been
+        # overridden and all default headers are strings.
+        def freeze
+          if (headers = opts[:default_headers]).all?{|k, v| k.is_a?(String) && v.is_a?(String)} &&
+             (self::RodaResponse.instance_method(:set_default_headers).owner == Base::ResponseMethods)
+            self::RodaResponse.class_eval(<<-END, __FILE__, __LINE__+1)
               private
 
-              alias set_default_headers set_default_headers
               def set_default_headers
                 h = @headers
                 #{headers.map{|k,v| "h[#{k.inspect}] ||= #{v.inspect}"}.join('; ')}
               end
             END
           end
-        end
-      end 
 
-      module ClassMethods
-        # The default response headers to use for the current class.
-        def default_headers
-          opts[:default_headers]
+          super
         end
       end
 

data/lib/roda/plugins/host_authorization.rb

@@ -0,0 +1,156 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The host_authorization plugin allows configuring an authorized host or
+    # an array of authorized hosts.  Then in the routing tree, you can check
+    # whether the request uses an authorized host via the +check_host_authorized!+
+    # method.
+    # 
+    # If the request doesn't match one of the authorized hosts, the
+    # request processing stops at that point. Using this plugin can prevent
+    # DNS rebinding attacks if the application can receive requests for
+    # arbitrary hosts.
+    #
+    # By default, an empty response using status 403 will be returned for requests
+    # with unauthorized hosts.
+    #
+    # Because +check_host_authorized!+ is an instance method, you can easily choose
+    # to only check for authorization in certain routes, or to check it after
+    # other processing.  For example, you could check for authorized hosts after
+    # serving static files, since the serving of static files should not be
+    # vulnerable to DNS rebinding attacks.
+    #
+    # = Usage
+    #
+    # In your routing tree, call the +check_host_authorized!+ method at the point you
+    # want to check for authorized hosts:
+    #
+    #   plugin :host_authorization, 'www.example.com'
+    #   plugin :public
+    #
+    #   route do |r|
+    #    r.public
+    #    check_host_authorized!
+    #
+    #    # ...
+    #   end
+    #
+    # = Specifying authorized hosts
+    #
+    # For applications hosted on a single domain name, you can use a single string:
+    #
+    #   plugin :host_authorization, 'www.example.com'
+    #
+    # For applications hosted on multiple domain names, you can use an array of strings:
+    #
+    #   plugin :host_authorization, %w'www.example.com www.example2.com'
+    #
+    # For applications supporting arbitrary subdomains, you can use a regexp. If using
+    # a regexp, make sure you use <tt>\A<tt> and <tt>\z</tt> in your regexp, and restrict
+    # the allowed characters to the minimum required, otherwise you can potentionally
+    # introduce a security issue:
+    #
+    #   plugin :host_authorization, /\A[-0-9a-f]+\.example\.com\z/
+    #
+    # For applications with more complex requirements, you can use a proc.  Similarly
+    # to the regexp case, the proc should be aware the host contains user-submitted
+    # values, and not assume it is in any particular format:
+    #
+    #   plugin :host_authorization, proc{|host| ExternalService.allowed_host?(host)}
+    #
+    # If an array of values is passed as the host argument, the host is authorized if
+    # it matches any value in the array.  All host authorization checks use the
+    # <tt>===</tt> method, which is why it works for strings, regexps, and procs.
+    # It can also work with arbitrary objects that support <tt>===</tt>.
+    #
+    # For security reasons, only the +Host+ header is checked by default.  If you are
+    # sure that your application is being run behind a forwarding proxy that sets the
+    # <tt>X-Forwarded-Host</tt> header, you should enable support for checking that
+    # header using the +:check_forwarded+ option:
+    # 
+    #   plugin :host_authorization, 'www.example.com', check_forwarded: true
+    #
+    # In this case, the trailing host in the <tt>X-Forwarded-Host</tt> header is checked,
+    # which should be the host set by the forwarding proxy closest to the application.
+    # In cases where multiple forwarding proxies are used that append to the
+    # <tt>X-Forwarded-Host</tt> header, you should not use this plugin.
+    #
+    # = Customizing behavior
+    #
+    # By default, an unauthorized host will receive an empty 403 response.  You can
+    # customize this by passing a block when loading the plugin. For example, for
+    # sites using the render plugin, you could return a page that uses your default
+    # layout:
+    #
+    #   plugin :render
+    #   plugin :host_authorization, 'www.example.com' do |r|
+    #     response.status = 403
+    #     view(:content=>"<h1>Forbidden</h1>")
+    #   end
+    #
+    # The block passed to this plugin is treated as a match block.
+    module HostAuthorization
+      def self.configure(app, host, opts=OPTS, &block)
+        app.opts[:host_authorization_host] = host
+        app.opts[:host_authorization_check_forwarded] = opts[:check_forwarded] if opts.key?(:check_forwarded)
+
+        if block
+          app.define_roda_method(:host_authorization_unauthorized, 1, &block)
+        end
+      end
+
+      module InstanceMethods
+        # Check whether the host is authorized.  If not authorized, return a response
+        # immediately based on the plugin block.
+        def check_host_authorization!
+          r = @_request
+          return if host_authorized?(_convert_host_for_authorization(r.env["HTTP_HOST"].to_s.dup))
+
+          if opts[:host_authorization_check_forwarded] && (host = r.env["HTTP_X_FORWARDED_HOST"])
+            if i = host.rindex(',')
+              host = host[i+1, 10000000].to_s
+            end
+            host = _convert_host_for_authorization(host.strip)
+
+            if !host.empty? && host_authorized?(host)
+              return
+            end
+          end
+
+          r.on do
+            host_authorization_unauthorized(r)
+          end
+        end
+
+        private
+
+        # Remove the port information from the passed string (mutates the passed argument).
+        def _convert_host_for_authorization(host)
+          host.sub!(/:\d+\z/, "")
+          host
+        end
+
+        # Whether the host given is one of the authorized hosts for this application.
+        def host_authorized?(host, authorized_host = opts[:host_authorization_host])
+          case authorized_host
+          when Array
+            authorized_host.any?{|auth_host| host_authorized?(host, auth_host)}
+          else
+            authorized_host === host
+          end
+        end
+
+        # Action to take for unauthorized hosts. Sets a 403 status by default.
+        def host_authorization_unauthorized(_)
+          @_response.status = 403
+          nil
+        end
+      end
+    end
+
+    register_plugin(:host_authorization, HostAuthorization)
+  end
+end
+

data/lib/roda/plugins/optimized_segment_matchers.rb

@@ -0,0 +1,53 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The optimized_segment_matchers plugin adds two optimized matcher methods,
+    # +r.on_segment+ and +r.is_segment+.  +r.on_segment+ is an optimized version of
+    # +r.on String+ that accepts no arguments and yields the next segment if there
+    # is a segment. +r.is_segment+ is an optimized version of +r.is String+ that accepts
+    # no arguments and yields the next segment only if it is the last segment.
+    #
+    #   plugin :optimized_segment_matchers
+    #
+    #   route do |r|
+    #     r.on_segment do |x|
+    #       # matches any segment (e.g. /a, /b, but not /)
+    #       r.is_segment do |y|
+    #         # matches only if final segment (e.g. /a/b, /b/c, but not /c, /c/d/, /c/d/e)
+    #       end
+    #     end
+    #   end
+    module OptimizedSegmentMatchers
+      module RequestMethods
+        # Optimized version of +r.on String+ that yields the next segment if there
+        # is a segment.
+        def on_segment
+          rp = @remaining_path
+          if rp.getbyte(0) == 47
+            if last = rp.index('/', 1)
+              @remaining_path = rp[last, rp.length]
+              always{yield rp[1, last-1]}
+            elsif (len = rp.length) > 1
+              @remaining_path = ""
+              always{yield rp[1, len]}
+            end
+          end
+        end
+
+        # Optimized version of +r.is String+ that yields the next segment only if it
+        # is the final segment.
+        def is_segment
+          rp = @remaining_path
+          if rp.getbyte(0) == 47 && !rp.index('/', 1) && (len = rp.length) > 1
+            @remaining_path = ""
+            always{yield rp[1, len]}
+          end
+        end
+      end
+    end
+
+    register_plugin(:optimized_segment_matchers, OptimizedSegmentMatchers)
+  end
+end

data/lib/roda/plugins/optimized_string_matchers.rb

@@ -19,7 +19,8 @@ class Roda
     #     end
     #   end
     #
-    # Note that both of these methods only work with plain strings, not
+    # If you are using the placeholder_string_matchers plugin, note
+    # that both of these methods only work with plain strings, not
     # with strings with embedded colons for capturing.  Matching will work
     # correctly in such cases, but the captures will not be yielded to the
     # match blocks.

data/lib/roda/plugins/sinatra_helpers.rb

@@ -211,6 +211,10 @@ class Roda
     # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
     # OTHER DEALINGS IN THE SOFTWARE.
     module SinatraHelpers
+      UTF8_ENCODING = Encoding.find('UTF-8')
+      ISO88591_ENCODING = Encoding.find('ISO-8859-1')
+      BINARY_ENCODING = Encoding.find('BINARY')
+
       # Depend on the status_303 plugin.
       def self.load_dependencies(app, _opts = nil)
         app.plugin :status_303
@@ -432,7 +436,25 @@ class Roda
         # instructing the user agents to prompt to save.
         def attachment(filename = nil, disposition='attachment')
           if filename
-            params = "; filename=#{File.basename(filename).inspect}"
+            param_filename = File.basename(filename)
+            encoding = param_filename.encoding
+
+            needs_encoding = param_filename.gsub!(/[^ 0-9a-zA-Z!\#$&\+\.\^_`\|~]+/, '-')
+            params = "; filename=#{param_filename.inspect}"
+
+            if needs_encoding && (encoding == UTF8_ENCODING || encoding == ISO88591_ENCODING)
+              # File name contains non attr-char characters from RFC 5987 Section 3.2.1
+
+              encoded_filename = File.basename(filename).force_encoding(BINARY_ENCODING)
+              # Similar regexp as above, but treat each byte separately, and encode
+              # space characters, since those aren't allowed in attr-char
+              encoded_filename.gsub!(/[^0-9a-zA-Z!\#$&\+\.\^_`\|~]/) do |c|
+                "%%%X" % c.ord
+              end
+
+              encoded_params = "; filename*=#{encoding.to_s}''#{encoded_filename}"
+            end
+
             unless @headers["Content-Type"]
               ext = File.extname(filename)
               unless ext.empty?
@@ -440,7 +462,7 @@ class Roda
               end
             end
           end
-          @headers["Content-Disposition"] = "#{disposition}#{params}"
+          @headers["Content-Disposition"] = "#{disposition}#{params}#{encoded_params}"
         end
 
         # Whether or not the status is set to 1xx. Returns nil if status not yet set.

data/lib/roda/plugins/typecast_params.rb

@@ -260,6 +260,11 @@ class Roda
     # strip leading and trailing whitespace from parameter string values before processing, which
     # you can do by passing the <tt>strip: :all</tt> option when loading the plugin.
     #
+    # By default, the typecast_params conversion procs check that null bytes are not allowed
+    # in param string values. This check for null bytes occurs prior to any type conversion.
+    # If you would like to skip this check and allow null bytes in param string values,
+    # you can do by passing the <tt>:allow_null_bytes</tt> option when loading the plugin.
+    #
     # By design, typecast_params only deals with string keys, it is not possible to use
     # symbol keys as arguments to the conversion methods and have them converted.
     module TypecastParams
@@ -356,6 +361,14 @@ class Roda
         end
       end
 
+      module AllowNullByte
+        private
+
+        # Allow ASCII NUL bytes ("\0") in parameter string values.
+        def check_null_byte(v)
+        end
+      end
+
       module StringStripper
         private
 
@@ -391,7 +404,10 @@ class Roda
           convert_array_meth = :"_convert_array_#{type}"
           define_method(convert_array_meth) do |v|
             raise Error, "expected array but received #{v.inspect}" unless v.is_a?(Array)
-            v.map!{|val| send(convert_meth, val)}
+            v.map! do |val|
+              check_null_byte(val)
+              send(convert_meth, val)
+            end
           end
 
           private convert_meth, convert_array_meth
@@ -927,12 +943,20 @@ class Roda
           end
         end
 
+        # Raise an Error if the value is a string containing a null byte.
+        def check_null_byte(v)
+          if v.is_a?(String) && v.index("\0")
+            handle_error(nil, :null_byte, "string parameter contains null byte", true)
+          end
+        end
+
         # Get the value of +key+ for the object, and convert it to the expected type using +meth+.
         # If the value either before or after conversion is nil, return the +default+ value.
         def process(meth, key, default)
           v = param_value(key)
 
           unless v.nil?
+            check_null_byte(v)
             v = send(meth, v)
           end
 
@@ -992,6 +1016,9 @@ class Roda
         if opts[:strip] == :all
           app::TypecastParams.send(:include, StringStripper)
         end
+        if opts[:allow_null_bytes]
+          app::TypecastParams.send(:include, AllowNullByte)
+        end
       end
 
       module ClassMethods

data/lib/roda/request.rb

@@ -24,7 +24,7 @@ class Roda
 
         # Return the cached pattern for the given object.  If the object is
         # not already cached, yield to get the basic pattern, and convert the
-        # basic pattern to a pattern that does not partial segments.
+        # basic pattern to a pattern that does not match partial segments.
         def cached_matcher(obj)
           cache = @match_pattern_cache
 
@@ -234,9 +234,7 @@ class Roda
 
         # An alias of remaining_path. If a plugin changes remaining_path then
         # it should override this method to return the untouched original.
-        def real_remaining_path
-          remaining_path
-        end
+        alias real_remaining_path remaining_path
 
         # Match POST requests.  If no arguments are provided, matches all POST
         # requests, otherwise, matches only POST requests where the arguments
@@ -336,7 +334,7 @@ class Roda
         # Use <tt>r.get true</tt> to handle +GET+ requests where the current
         # path is empty.
         def root(&block)
-          if remaining_path == "/" && is_get?
+          if @remaining_path == "/" && is_get?
             always(&block)
           end
         end
@@ -468,8 +466,8 @@ class Roda
             if last = rp.index('/', 1)
               @captures << rp[1, last-1]
               @remaining_path = rp[last, rp.length]
-            elsif rp.length > 1
-              @captures << rp[1,rp.length]
+            elsif (len = rp.length) > 1
+              @captures << rp[1, len]
               @remaining_path = ""
             end
           end
@@ -519,7 +517,7 @@ class Roda
         # SCRIPT_NAME to include the matched path, removes the matched
         # path from PATH_INFO, and updates captures with any regex captures.
         def consume(pattern)
-          if matchdata = remaining_path.match(pattern)
+          if matchdata = @remaining_path.match(pattern)
             @remaining_path = matchdata.post_match
             captures = matchdata.captures
             captures = yield(*captures) if block_given?
@@ -548,7 +546,7 @@ class Roda
 
         # Whether the current path is considered empty.
         def empty_path?
-          remaining_path.empty?
+          @remaining_path.empty?
         end
 
         # If all of the arguments match, yields to the match block and

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 42
+  RodaMinorVersion = 46
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.42.0
+  version: 3.46.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-12 00:00:00.000000000 Z
+date: 2021-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -213,6 +213,10 @@ extra_rdoc_files:
 - doc/release_notes/3.40.0.txt
 - doc/release_notes/3.41.0.txt
 - doc/release_notes/3.42.0.txt
+- doc/release_notes/3.43.0.txt
+- doc/release_notes/3.44.0.txt
+- doc/release_notes/3.45.0.txt
+- doc/release_notes/3.46.0.txt
 - doc/release_notes/3.5.0.txt
 - doc/release_notes/3.6.0.txt
 - doc/release_notes/3.7.0.txt
@@ -262,6 +266,10 @@ files:
 - doc/release_notes/3.40.0.txt
 - doc/release_notes/3.41.0.txt
 - doc/release_notes/3.42.0.txt
+- doc/release_notes/3.43.0.txt
+- doc/release_notes/3.44.0.txt
+- doc/release_notes/3.45.0.txt
+- doc/release_notes/3.46.0.txt
 - doc/release_notes/3.5.0.txt
 - doc/release_notes/3.6.0.txt
 - doc/release_notes/3.7.0.txt
@@ -272,6 +280,7 @@ files:
 - lib/roda/plugins.rb
 - lib/roda/plugins/_after_hook.rb
 - lib/roda/plugins/_before_hook.rb
+- lib/roda/plugins/_optimized_matching.rb
 - lib/roda/plugins/_symbol_regexp_matchers.rb
 - lib/roda/plugins/all_verbs.rb
 - lib/roda/plugins/assets.rb
@@ -312,6 +321,7 @@ files:
 - lib/roda/plugins/header_matchers.rb
 - lib/roda/plugins/heartbeat.rb
 - lib/roda/plugins/hooks.rb
+- lib/roda/plugins/host_authorization.rb
 - lib/roda/plugins/indifferent_params.rb
 - lib/roda/plugins/json.rb
 - lib/roda/plugins/json_parser.rb
@@ -330,6 +340,7 @@ files:
 - lib/roda/plugins/named_templates.rb
 - lib/roda/plugins/not_allowed.rb
 - lib/roda/plugins/not_found.rb
+- lib/roda/plugins/optimized_segment_matchers.rb
 - lib/roda/plugins/optimized_string_matchers.rb
 - lib/roda/plugins/padrino_render.rb
 - lib/roda/plugins/param_matchers.rb
@@ -401,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.22
 signing_key: 
 specification_version: 4
 summary: Routing tree web toolkit