sinatra-sinatra 0.9.1 → 0.9.1.1

data/CHANGES

@@ -1,3 +1,8 @@
+= 0.9.1.1 / 2009-03-09
+
+ * Fix directory traversal vulnerability in default static files
+   route. See [#177] for more info.
+
 = 0.9.1 / 2009-03-01
 
  * Sinatra now runs under Ruby 1.9.1 [#61]
@@ -10,7 +15,7 @@
 
  * New request-level #forward method for middleware components: passes
    the env to the downstream app and merges the response status, headers,
-   and body into the current context.
+   and body into the current context. [#126]
 
  * Requests are now automatically forwarded to the downstream app when
    running as middleware and no matching route is found or all routes
@@ -43,6 +48,11 @@
    ":session" option to any of the mock request methods. e.g.,
        get '/', {}, :session => { 'foo' => 'bar' }
 
+ * The testing framework specific files ('sinatra/test/spec',
+   'sinatra/test/bacon', 'sinatra/test/rspec', etc.) have been deprecated.
+   See http://sinatrarb.com/testing.html for instructions on setting up
+   a testing environment with these frameworks.
+
  * The request-level #send_data method from Sinatra 0.3.3 has been added
    for compatibility but is deprecated.
 
@@ -57,6 +67,12 @@
  * Fixed some issues with running under Rack's CGI handler caused by
    writing informational stuff to stdout.
 
+ * Fixed that reloading was sometimes enabled when starting from a
+   rackup file [#110]
+
+ * Fixed that "." in route patterns erroneously matched any character
+   instead of a literal ".". [#124]
+
 = 0.9.0.4 / 2009-01-25
 
  * Using halt with more than 1 args causes ArgumentError [#131]

data/README.rdoc

@@ -159,8 +159,8 @@ Renders the inlined template string.
 
 === Accessing Variables in Templates
 
-Templates are evaluated within the same context as the route blocks. Instance
-variables set in route blocks are available in templates:
+Templates are evaluated within the same context as route handlers. Instance
+variables set in route handlers are direcly accessible by templates:
 
   get '/:id' do
     @foo = Foo.find(params[:id])
@@ -199,12 +199,11 @@ Templates may be defined at the end of the source file:
 
 NOTE: In-file templates defined in the source file that requires sinatra
 are automatically loaded. Call the <tt>use_in_file_templates!</tt>
-method explicitly if you have in-file templates in another source file.
+method explicitly if you have in-file templates in other source files.
 
 === Named Templates
 
-It's possible to define named templates using the top-level <tt>template</tt>
-method:
+Templates may also be defined using the top-level <tt>template</tt> method:
 
   template :layout do
     "%html\n  =yield\n"
@@ -228,7 +227,7 @@ is rendered. You can disable layouts by passing <tt>:layout => false</tt>.
 == Helpers
 
 Use the top-level <tt>helpers</tt> method to define helper methods for use in
-route blocks and templates:
+route handlers and templates:
 
   helpers do
     def bar(name)
@@ -244,7 +243,7 @@ route blocks and templates:
 
 Before filters are evaluated before each request within the context of the
 request and can modify the request and response. Instance variables set in
-filters are accessible by routes and templates.
+filters are accessible by routes and templates:
 
   before do
     @note = 'Hi!'
@@ -272,8 +271,7 @@ Or set the status and body ...
 
 == Passing
 
-A route can punt processing to the next matching route using the <tt>pass</tt>
-statement:
+A route can punt processing to the next matching route using <tt>pass</tt>:
 
   get '/guess/:who' do
     pass unless params[:who] == 'Frank'
@@ -403,85 +401,34 @@ typically don't have to +use+ them explicitly.
 
 == Testing
 
-The Sinatra::Test module includes a variety of helper methods for testing
-your Sinatra app. Sinatra includes support for Test::Unit, test-spec, RSpec,
-and Bacon through separate source files.
+The Sinatra::Test mixin and Sinatra::TestHarness class include a variety of
+helper methods for testing your Sinatra app:
 
-=== Test::Unit
-
-  require 'sinatra'
-  require 'sinatra/test/unit'
   require 'my_sinatra_app'
+  require 'test/unit'
+  require 'sinatra/test'
 
   class MyAppTest < Test::Unit::TestCase
-    def test_my_default
-      get '/'
-      assert_equal 'My Default Page!', @response.body
-    end
+    include Sinatra::Test
 
-    def test_with_agent
-      get '/', :env => { :agent => 'Songbird' }
-      assert_equal "You're in Songbird!", @response.body
-    end
-
-    ...
-  end
-
-=== Test::Spec
-
-Install the test-spec gem and require <tt>'sinatra/test/spec'</tt> before
-your app:
-
-  require 'sinatra'
-  require 'sinatra/test/spec'
-  require 'my_sinatra_app'
-
-  describe 'My app' do
-    it "should show a default page" do
+    def test_my_default
       get '/'
-      should.be.ok
-      body.should.equal 'My Default Page!'
+      assert_equal 'Hello World!', @response.body
     end
 
-    ...
-  end
-
-=== RSpec
-
-Install the rspec gem and require <tt>'sinatra/test/rspec'</tt> before
-your app:
-
-  require 'sinatra'
-  require 'sinatra/test/rspec'
-  require 'my_sinatra_app'
-
-  describe 'My app' do
-    it 'should show a default page' do
-      get '/'
-      @response.should be_ok
-      @response.body.should == 'My Default Page!'
+    def test_with_params
+      get '/meet', {:name => 'Frank'}
+      assert_equal 'Hello Frank!', @response.body
     end
 
-    ...
-
-  end
-
-=== Bacon
-
-  require 'sinatra'
-  require 'sinatra/test/bacon'
-  require 'my_sinatra_app'
-
-  describe 'My app' do
-    it 'should be ok' do
-      get '/'
-      should.be.ok
-      body.should == 'Im OK'
+    def test_with_rack_env
+      get '/', {}, :agent => 'Songbird'
+      assert_equal "You're using Songbird!", @response.body
     end
   end
 
-See Sinatra::Test for more information on +get+, +post+, +put+, and
-friends.
+See http://www.sinatrarb.com/testing.html for more on Sinatra::Test and using it
+with other test frameworks such as RSpec, Bacon, and test/spec.
 
 == Command line
 
@@ -531,5 +478,6 @@ To update the Sinatra sources in the future:
   help? Have a patch?
 * {Lighthouse}[http://sinatra.lighthouseapp.com] - Issue tracking and release
   planning.
+* {Twitter}[http://twitter.com/sinatra]
 * {Mailing List}[http://groups.google.com/group/sinatrarb]
 * {IRC: #sinatra}[irc://chat.freenode.net/#sinatra] on http://freenode.net

data/lib/sinatra/base.rb

@@ -5,7 +5,7 @@ require 'rack'
 require 'rack/builder'
 
 module Sinatra
-  VERSION = '0.9.1'
+  VERSION = '0.9.1.1'
 
   # The request object. See Rack::Request for more info:
   # http://rack.rubyforge.org/doc/classes/Rack/Request.html
@@ -100,6 +100,12 @@ module Sinatra
       error 404, body
     end
 
+    # Set multiple response headers with Hash.
+    def headers(hash=nil)
+      response.headers.merge! hash if hash
+      response.headers
+    end
+
     # Access the underlying Rack session.
     def session
       env['rack.session'] ||= {}
@@ -379,7 +385,7 @@ module Sinatra
       status, headers, body = @app.call(@request.env)
       @response.status = status
       @response.body = body
-      headers.each { |k, v| @response[k] = v }
+      @response.headers.merge! headers
       nil
     end
 
@@ -878,7 +884,9 @@ module Sinatra
     # static files route
     get(/.*[^\/]$/) do
       pass unless options.static? && options.public?
-      path = options.public + unescape(request.path_info)
+      public_dir = File.expand_path(options.public)
+      path = File.expand_path(public_dir + unescape(request.path_info))
+      pass if path[0, public_dir.length] != public_dir
       pass unless File.file?(path)
       send_file path, :disposition => nil
     end

data/lib/sinatra/compat.rb

@@ -87,12 +87,10 @@ module Sinatra
     end
 
     # Deprecated. Use: response['Header-Name']
-    def headers(header=nil)
-      sinatra_warn "The 'headers' method is deprecated; use 'response' instead."
-      response.headers.merge!(header) if header
-      response.headers
+    def header(header=nil)
+      sinatra_warn "The 'header' method is deprecated; use 'headers' instead."
+      headers(header)
     end
-    alias :header :headers
 
     # Deprecated. Use: halt
     def stop(*args, &block)

data/lib/sinatra/test.rb

@@ -4,6 +4,10 @@ module Sinatra
   module Test
     include Rack::Utils
 
+    def self.included(base)
+      Sinatra::Default.set(:environment, :test)
+    end
+
     attr_reader :app, :request, :response
 
     def self.deprecate(framework)
@@ -116,6 +120,7 @@ for more information.
 
     def initialize(app=nil)
       @app = app || Sinatra::Application
+      @app.set(:environment, :test)
     end
   end
 end

data/sinatra.gemspec

@@ -3,8 +3,8 @@ Gem::Specification.new do |s|
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 
   s.name = 'sinatra'
-  s.version = '0.9.1'
-  s.date = '2009-03-01'
+  s.version = '0.9.1.1'
+  s.date = '2009-03-09'
 
   s.description = "Classy web-development dressed in a DSL"
   s.summary     = "Classy web-development dressed in a DSL"

data/test/helper.rb

@@ -19,10 +19,6 @@ end
 class Test::Unit::TestCase
   include Sinatra::Test
 
-  def setup
-    Sinatra::Default.set :environment, :test
-  end
-
   # Sets up a Sinatra::Base subclass defined with the block
   # given. Used in setup or individual spec methods to establish
   # the application.

data/test/helpers_test.rb

@@ -140,6 +140,36 @@ describe 'Helpers#not_found' do
   end
 end
 
+describe 'Helpers#headers' do
+  it 'sets headers on the response object when given a Hash' do
+    mock_app {
+      get '/' do
+        headers 'X-Foo' => 'bar', 'X-Baz' => 'bling'
+        'kthx'
+      end
+    }
+
+    get '/'
+    assert ok?
+    assert_equal 'bar', response['X-Foo']
+    assert_equal 'bling', response['X-Baz']
+    assert_equal 'kthx', body
+  end
+
+  it 'returns the response headers hash when no hash provided' do
+    mock_app {
+      get '/' do
+        headers['X-Foo'] = 'bar'
+        'kthx'
+      end
+    }
+
+    get '/'
+    assert ok?
+    assert_equal 'bar', response['X-Foo']
+  end
+end
+
 describe 'Helpers#session' do
   it 'uses the existing rack.session' do
     mock_app {

data/test/static_test.rb

@@ -62,4 +62,19 @@ describe 'Static' do
     get "/foobarbaz.txt"
     assert not_found?
   end
+
+  it 'serves files when .. path traverses within public directory' do
+    get "/data/../#{File.basename(__FILE__)}"
+    assert ok?
+    assert_equal File.read(__FILE__), body
+  end
+
+  it '404s when .. path traverses outside of public directory' do
+    mock_app {
+      set :static, true
+      set :public, File.dirname(__FILE__) + '/data'
+    }
+    get "/../#{File.basename(__FILE__)}"
+    assert not_found?
+  end
 end

data/test/test_test.rb

@@ -130,6 +130,12 @@ describe 'Sinatra::Test' do
     assert called
   end
 
+  it 'sets the environment to :test on include' do
+    Sinatra::Default.set(:environment, :production)
+    Class.new { include Sinatra::Test }
+    assert_equal :test, Sinatra::Default.environment
+  end
+
   def test_TestHarness
     session  = Sinatra::TestHarness.new(@app)
     response = session.get('/')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: sinatra-sinatra
 version: !ruby/object:Gem::Version 
-  version: 0.9.1
+  version: 0.9.1.1
 platform: ruby
 authors: 
 - Blake Mizerany
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-03-01 00:00:00 -08:00
+date: 2009-03-09 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency