sinatra 1.4.8 → 2.0.0.beta1

data/README.pt-br.md

@@ -180,7 +180,7 @@ end
 Rotas podem casar com expressões regulares:
 
 ```ruby
-get /\A\/ola\/([\w]+)\z/ do
+get /\/ola\/([\w]+)/ do
   "Olá, #{params['captures'].first}!"
 end
 ```
@@ -362,7 +362,7 @@ end
 Ou, usando algo mais denso à frente:
 
 ```ruby
-get %r{^(?!/index$)} do
+get %r{(?!/index)} do
   # ...
 end
 ```
@@ -1417,7 +1417,7 @@ configure do
 end
 ```
 
-Rodando somente quando o ambiente (`RACK_ENV` environment variável) é
+Rodando somente quando o ambiente (`APP_ENV` environment variável) é
 setado para `:production`:
 
 ```ruby

data/README.pt-pt.md

@@ -88,7 +88,7 @@ end
 Rotas correspondem-se com expressões regulares:
 
 ```ruby
-get /\A\/ola\/([\w]+)\z/ do
+get /\/ola\/([\w]+)/ do
   "Olá, #{params['captures'].first}!"
 end
 ```
@@ -477,7 +477,7 @@ configure do
 end
 ```
 
-Correndo somente quando o ambiente (`RACK_ENV` environment variável) é
+Correndo somente quando o ambiente (`APP_ENV` environment variável) é
 definido para `:production`:
 
 ```ruby

data/README.ru.md

@@ -42,6 +42,7 @@
     * [Фильтры](#Фильтры)
     * [Методы-помощники](#Методы-помощники)
         * [Использование сессий](#Использование-сессий)
+          * [Выбор вашей собственной "прослойки" сессии](#Выбор-вашей-собственной-прослойки-сессий)
         * [Прерывание](#Прерывание)
         * [Передача](#Передача)
         * [Вызов другого маршрута](#Вызов-другого-маршрута)
@@ -208,7 +209,7 @@ end
 Регулярные выражения в качестве шаблонов маршрутов:
 
 ```ruby
-get /\A\/hello\/([\w]+)\z/ do
+get /\/hello\/([\w]+)/ do
   "Hello, #{params['captures'].first}!"
 end
 ```
@@ -377,7 +378,7 @@ end
 Или с использованием негативного просмотра вперед:
 
 ```ruby
-get %r{^(?!/index$)} do
+get %r{(?!/index)} do
   # ...
 end
 ```
@@ -1341,25 +1342,6 @@ get '/:value' do
 end
 ```
 
-Заметьте, что при использовании `enable :sessions` все данные сохраняются в
-куках (cookies). Это может быть не совсем то, что вы хотите (например,
-сохранение больших объемов данных увеличит ваш трафик). В таком случае вы
-можете использовать альтернативную Rack "прослойку" (middleware), реализующую
-механизм сессий. Для этого *не надо* вызывать `enable :sessions`, вместо этого
-следует подключить ее так же, как и любую другую "прослойку":
-
-```ruby
-use Rack::Session::Pool, :expire_after => 2592000
-
-get '/' do
-  "value = " << session['value'].inspect
-end
-
-get '/:value' do
-  session['value'] = params['value']
-end
-```
-
 Для повышения безопасности данные сессии в куках подписываются секретным
 ключом. Секретный ключ генерируется Sinatra. Тем не менее, так как этот ключ
 будет меняться с каждым запуском приложения, вы, возможно, захотите установить
@@ -1384,6 +1366,40 @@ foo.com, добавьте *.* перед доменом:
 set :sessions, :domain => '.foo.com'
 ```
 
+#### Выбор вашей собственной "прослойки" сессии
+
+Заметьте, что при использовании `enable :sessions` все данные сохраняются в
+куках (cookies). Это может быть не совсем то, что вы хотите (например,
+сохранение больших объемов данных увеличит ваш трафик). В таком случае вы
+можете использовать альтернативную Rack "прослойку" (middleware), реализующую
+механизм сессий. Для этого используете один из способов ниже:
+
+```ruby
+enable :sessions
+set :session_store, Rack::Session::Pool
+```
+
+Или установите параметры сессии с помощью хеша опций:
+
+```ruby
+set :sessions, :expire_after => 2592000
+set :session_store, Rack::Session::Pool
+```
+
+Вы так же можете не вызывать `enable :sessions`, а вместо этого вызывать
+необходимую вам прослойку так же, как вы это обычно делаете. Очень важно
+обратить внимание на то, что когда вы используете этот метод, основной способ
+защиты сессии **не будет включен по умолчанию**. Если вы хотите включить защиту,
+вам нужно добавить следующие строчки:
+
+```ruby
+use Rack::Session::Pool, :expire_after => 2592000
+use Rack::Protection::RemoteToken
+use Rack::Protection::SessionHijacking
+```
+
+Смотрите секцию "Настройка защиты от атак" для более подробной информации.
+
 ### Прерывание
 
 Чтобы незамедлительно прервать обработку запроса внутри фильтра или маршрута,
@@ -2022,7 +2038,7 @@ configure do
 end
 ```
 
-Будет запущено, когда окружение (RACK_ENV переменная) `:production`:
+Будет запущено, когда окружение (APP_ENV переменная) `:production`:
 
 ```ruby
 configure :production do
@@ -2121,8 +2137,8 @@ set :protection, :except => [:path_traversal, :session_hijacking]
 
   <dt>environment</dt>
   <dd>
-    текущее окружение, по умолчанию, значение <tt>ENV['RACK_ENV']</tt> или
-    <tt>"development"</tt>, если <tt>ENV['RACK_ENV']</tt> недоступна.
+    текущее окружение, по умолчанию, значение <tt>ENV['APP_ENV']</tt> или
+    <tt>"development"</tt>, если <tt>ENV['APP_ENV']</tt> недоступна.
   </dd>
 
   <dt>logging</dt>
@@ -2249,7 +2265,7 @@ set :protection, :except => [:path_traversal, :session_hijacking]
 ## Режим, окружение
 
 Есть 3 предопределенных режима, окружения: `"development"`, `"production"` и
-`"test"`. Режим может быть задан через переменную окружения `RACK_ENV`.
+`"test"`. Режим может быть задан через переменную окружения `APP_ENV`.
 Значение по умолчанию — `"development"`. В этом режиме работы все шаблоны
 перезагружаются между запросами. А также задаются специальные обработчики
 `not_found` и `error`, чтобы вы могли увидеть стек вызовов. В окружениях
@@ -2412,7 +2428,7 @@ class MyAppTest < Minitest::Test
     assert_equal 'Hello Frank!', last_response.body
   end
 
-  def test_with_rack_env
+  def test_with_user_agent
     get '/', {}, 'HTTP_USER_AGENT' => 'Songbird'
     assert_equal "You're using Songbird!", last_response.body
   end

data/README.zh.md

@@ -205,7 +205,7 @@ end
 通过正则表达式匹配路由：
 
 ```ruby
-get /\A\/hello\/([\w]+)\z/ do
+get /\/hello\/([\w]+)/ do
   "Hello, #{params['captures'].first}!"
 end
 ```
@@ -372,7 +372,7 @@ end
 或者，使用消极向前查找:
 
 ```ruby
-get %r{^(?!/index$)} do
+get %r{(?!/index)} do
   # ...
 end
 ```
@@ -1933,7 +1933,7 @@ configure do
 end
 ```
 
-只有当环境 (`RACK_ENV` 环境变量) 被设定为 `:production` 时才运行：
+只有当环境 (`APP_ENV` 环境变量) 被设定为 `:production` 时才运行：
 
 ```ruby
 configure :production do
@@ -2033,8 +2033,8 @@ set :protection, :session => true
 
   <dt>environment</dt>
   <dd>
-    当前环境，默认是 <tt>ENV['RACK_ENV']</tt>，
-    或者 <tt>"development"</tt> (如果 ENV['RACK_ENV'] 不可用)。
+    当前环境，默认是 <tt>ENV['APP_ENV']</tt>，
+    或者 <tt>"development"</tt> (如果 ENV['APP_ENV'] 不可用)。
   </dd>
 
   <dt>logging</dt>
@@ -2145,15 +2145,15 @@ set :protection, :session => true
 ## 环境
 
 Sinatra 中有三种预先定义的环境："development"、"production" 和 "test"。
-环境可以通过 `RACK_ENV` 环境变量设置。默认值为 "development"。
+环境可以通过 `APP_ENV` 环境变量设置。默认值为 "development"。
 在开发环境下，每次请求都会重新加载所有模板，
 特殊的 `not_found` 和 `error` 错误处理器会在浏览器中显示 stack trace。
 在测试和生产环境下，模板默认会缓存。
 
-在不同的环境下运行，设置 `RACK_ENV` 环境变量：
+在不同的环境下运行，设置 `APP_ENV` 环境变量：
 
 ```shell
-RACK_ENV=production ruby my_app.rb
+APP_ENV=production ruby my_app.rb
 ```
 
 可以使用预定义的三种方法： `development?`、`test?` 和 `production?` 来检查当前环境：

data/Rakefile

@@ -3,12 +3,6 @@ require 'rake/testtask'
 require 'fileutils'
 require 'date'
 
-# CI Reporter is only needed for the CI
-begin
-  require 'ci/reporter/rake/test_unit'
-rescue LoadError
-end
-
 task :default => :test
 task :spec => :test
 

data/SECURITY.md

@@ -0,0 +1,35 @@
+# Reporting a security bug
+
+All security bugs in Sinatra should be reported to the core team through our private mailing list [sinatra-security@googlegroups.com](https://groups.google.com/group/sinatra-security). Your report will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.
+
+After the initial reply to your report the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement. These updates will be sent at least every five days, in reality this is more likely to be every 24-48 hours.
+
+If you have not received a reply to your email within 48 hours, or have not heard from the security team for the past five days there are a few steps you can take:
+
+* Contact the current security coordinator [Zachary Scott](mailto:zzak@ruby-lang.org) directly
+
+## Disclosure Policy
+
+Sinatra has a 5 step disclosure policy, that is upheld to the best of our ability.
+
+1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.
+2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.
+3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.
+4. A suggested embargo date for this vulnerability is chosen and distros@openwall is notified. This notification will include patches for all versions still under support and a contact address for packagers who need advice back-porting patches to older versions.
+5. On the embargo date, the [mailing list][mailing-list] and [security list][security-list] are sent a copy of the announcement. The changes are pushed to the public repository and new gems released to rubygems.
+
+Typically the embargo date will be set 72 hours from the time vendor-sec is first notified, however this may vary depending on the severity of the bug or difficulty in applying a fix.
+
+This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.
+
+## Security Updates
+
+Security updates will be posted on the [mailing list][mailing-list] and [security list][security-list].
+
+## Comments on this Policy
+
+If you have any suggestions to improve this policy, please send an email the core team at [sinatrarb@googlegroups.com](https://groups.google.com/group/sinatrarb).
+
+
+[mailing-list]: http://groups.google.com/group/sinatrarb/topics
+[security-list]: http://groups.google.com/group/sinatra-security/topics

data/lib/sinatra/base.rb

@@ -1,7 +1,12 @@
+# frozen_string_literal: true
+
 # external dependencies
 require 'rack'
 require 'tilt'
 require 'rack/protection'
+require 'mustermann'
+require 'mustermann/sinatra'
+require 'mustermann/regular'
 
 # stdlib dependencies
 require 'thread'
@@ -10,7 +15,6 @@ require 'uri'
 
 # other files we need
 require 'sinatra/show_exceptions'
-require 'sinatra/ext'
 require 'sinatra/version'
 
 module Sinatra
@@ -69,6 +73,12 @@ module Sinatra
       request_method == "UNLINK"
     end
 
+    def params
+      super
+    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
+      raise BadRequest, "Invalid query parameters: #{e.message}"
+    end
+
     private
 
     class AcceptEntry
@@ -151,7 +161,7 @@ module Sinatra
       if calculate_content_length?
         # if some other code has already set Content-Length, don't muck with it
         # currently, this would be the static file-handler
-        headers["Content-Length"] = body.inject(0) { |l, p| l + Rack::Utils.bytesize(p) }.to_s
+        headers["Content-Length"] = body.inject(0) { |l, p| l + p.bytesize }.to_s
       end
 
       [status.to_i, headers, result]
@@ -221,6 +231,10 @@ module Sinatra
     end
   end
 
+  class BadRequest < TypeError #:nodoc:
+    def http_status; 400 end
+  end
+
   class NotFound < NameError #:nodoc:
     def http_status; 404 end
   end
@@ -229,7 +243,7 @@ module Sinatra
   module Helpers
     # Set or retrieve the response status code.
     def status(value = nil)
-      response.status = value if value
+      response.status = Rack::Utils.status_code(value) if value
       response.status
     end
 
@@ -240,7 +254,11 @@ module Sinatra
         def block.each; yield(call) end
         response.body = block
       elsif value
-        headers.delete 'Content-Length' unless request.head? || value.is_a?(Rack::File) || value.is_a?(Stream)
+        # Rack 2.0 returns a Rack::File::Iterator here instead of
+        # Rack::File as it was in the previous API.
+        unless request.head? || value.is_a?(Rack::File::Iterator) || value.is_a?(Stream)
+          headers.delete 'Content-Length'
+        end
         response.body = value
       else
         response.body
@@ -264,8 +282,8 @@ module Sinatra
     # Generates the absolute URI for a given path in the app.
     # Takes Rack routers and reverse proxies into account.
     def uri(addr = nil, absolute = true, add_script_name = true)
-      return addr if addr =~ /\A[A-z][A-z0-9\+\.\-]*:/
-      uri = [host = ""]
+      return addr if addr =~ /\A[a-z][a-z0-9\+\.\-]*:/i
+      uri = [host = String.new]
       if absolute
         host << "http#{'s' if request.secure?}://"
         if request.forwarded? or request.port != (request.secure? ? 443 : 80)
@@ -339,7 +357,7 @@ module Sinatra
 
     # Set the Content-Disposition to "attachment" with the specified filename,
     # instructing the user agents to prompt to save.
-    def attachment(filename = nil, disposition = 'attachment')
+    def attachment(filename = nil, disposition = :attachment)
       response['Content-Disposition'] = disposition.to_s
       if filename
         params = '; filename="%s"' % File.basename(filename)
@@ -357,19 +375,19 @@ module Sinatra
 
       disposition = opts[:disposition]
       filename    = opts[:filename]
-      disposition = 'attachment' if disposition.nil? and filename
-      filename    = path         if filename.nil?
+      disposition = :attachment if disposition.nil? and filename
+      filename    = path        if filename.nil?
       attachment(filename, disposition) if disposition
 
       last_modified opts[:last_modified] if opts[:last_modified]
 
-      file      = Rack::File.new nil
-      file.path = path
-      result    = file.serving env
+      file   = Rack::File.new(File.dirname(settings.app_file))
+      result = file.serving(request, path)
+
       result[1].each { |k,v| headers[k] ||= v }
       headers['Content-Length'] = result[1]['Content-Length']
       opts[:status] &&= Integer(opts[:status])
-      halt opts[:status] || result[0], result[2]
+      halt (opts[:status] || result[0]), result[2]
     rescue Errno::ENOENT
       not_found
     end
@@ -441,7 +459,7 @@ module Sinatra
     # Specify response freshness policy for HTTP caches (Cache-Control header).
     # Any number of non-value directives (:public, :private, :no_cache,
     # :no_store, :must_revalidate, :proxy_revalidate) may be passed along with
-    # a Hash of value directives (:max_age, :min_stale, :s_max_age).
+    # a Hash of value directives (:max_age, :min_stale, :s_maxage).
     #
     #   cache_control :public, :must_revalidate, :max_age => 60
     #   => Cache-Control: public, must-revalidate, max-age=60
@@ -460,7 +478,7 @@ module Sinatra
       values.map! { |value| value.to_s.tr('_','-') }
       hash.each do |key, value|
         key = key.to_s.tr('_', '-')
-        value = value.to_i if key == "max-age"
+        value = value.to_i if ['max-age', 's-maxage'].include? key
         values << "#{key}=#{value}"
       end
 
@@ -473,7 +491,7 @@ module Sinatra
     # "values" arguments are passed to the #cache_control helper:
     #
     #   expires 500, :public, :must_revalidate
-    #   => Cache-Control: public, must-revalidate, max-age=60
+    #   => Cache-Control: public, must-revalidate, max-age=500
     #   => Expires: Mon, 08 Jun 2009 08:50:17 GMT
     #
     def expires(amount, *values)
@@ -585,6 +603,11 @@ module Sinatra
       status.between? 500, 599
     end
 
+    # whether or not the status is set to 400
+    def bad_request?
+      status == 400
+    end
+
     # whether or not the status is set to 404
     def not_found?
       status == 404
@@ -593,22 +616,12 @@ module Sinatra
     # Generates a Time object from the given value.
     # Used by #expires and #last_modified.
     def time_for(value)
-      if value.respond_to? :to_time
-        value.to_time
-      elsif value.is_a? Time
-        value
-      elsif value.respond_to? :new_offset
-        # DateTime#to_time does the same on 1.9
-        d = value.new_offset 0
-        t = Time.utc d.year, d.mon, d.mday, d.hour, d.min, d.sec + d.sec_fraction
-        t.getlocal
-      elsif value.respond_to? :mday
-        # Date#to_time does the same on 1.9
-        Time.local(value.year, value.mon, value.mday)
-      elsif value.is_a? Numeric
+      if value.is_a? Numeric
         Time.at value
-      else
+      elsif value.respond_to? :to_s
         Time.parse value.to_s
+      else
+        value.to_time
       end
     rescue ArgumentError => boom
       raise boom
@@ -806,7 +819,8 @@ module Sinatra
       layout          = engine_options[:layout] if layout.nil? or (layout == true && engine_options[:layout] != false)
       layout          = @default_layout         if layout.nil? or layout == true
       layout_options  = options.delete(:layout_options) || {}
-      content_type    = options.delete(:content_type)   || options.delete(:default_content_type)
+      content_type    = options.delete(:default_content_type)
+      content_type    = options.delete(:content_type)   || content_type
       layout_engine   = options.delete(:layout_engine)  || engine
       scope           = options.delete(:scope)          || self
       options.delete(:layout)
@@ -863,7 +877,9 @@ module Sinatra
           end
         when Proc, String
           body = data.is_a?(String) ? Proc.new { data } : data
-          path, line = settings.caller_locations.first
+          caller = settings.caller_locations.first
+          path = options[:path] || caller[0]
+          line = options[:line] || caller[1]
           template.new(path, line.to_i, options, &body)
         else
           raise ArgumentError, "Sorry, don't know how to render #{data.inspect}."
@@ -878,7 +894,7 @@ module Sinatra
     include Helpers
     include Templates
 
-    URI_INSTANCE = URI.const_defined?(:Parser) ? URI::Parser.new : URI
+    URI_INSTANCE = URI::Parser.new
 
     attr_accessor :app, :env, :request, :response, :params
     attr_reader   :template_cache
@@ -899,9 +915,7 @@ module Sinatra
       @env      = env
       @request  = Request.new(env)
       @response = Response.new
-      @params   = indifferent_params(@request.params)
       template_cache.clear if settings.reload_templates
-      force_encoding(@params)
 
       @response['Content-Type'] = nil
       invoke { dispatch! }
@@ -969,9 +983,9 @@ module Sinatra
     # Run routes defined on the class and all superclasses.
     def route!(base = settings, pass_block = nil)
       if routes = base.routes[@request.request_method]
-        routes.each do |pattern, keys, conditions, block|
-          returned_pass_block = process_route(pattern, keys, conditions) do |*args|
-            env['sinatra.route'] = block.instance_variable_get(:@route_name)
+        routes.each do |pattern, conditions, block|
+          returned_pass_block = process_route(pattern, conditions) do |*args|
+            env['sinatra.route'] = "#{@request.request_method} #{pattern}"
             route_eval { block[*args] }
           end
 
@@ -999,21 +1013,29 @@ module Sinatra
     # Revert params afterwards.
     #
     # Returns pass block.
-    def process_route(pattern, keys, conditions, block = nil, values = [])
+    def process_route(pattern, conditions, block = nil, values = [])
       route = @request.path_info
       route = '/' if route.empty? and not settings.empty_path_info?
-      return unless match = pattern.match(route)
-      values += match.captures.map! { |v| force_encoding URI_INSTANCE.unescape(v) if v }
+      return unless params = pattern.params(route)
 
-      if values.any?
-        original, @params = params, params.merge('splat' => [], 'captures' => values)
-        keys.zip(values) { |k,v| Array === @params[k] ? @params[k] << v : @params[k] = v if v }
+      params.delete("ignore") # TODO: better params handling, maybe turn it into "smart" object or detect changes
+      original, @params = @params, @params.merge(params) if params.any?
+
+      if pattern.is_a? Mustermann::Regular
+        captures           = pattern.match(route).captures
+        values            += captures
+        @params[:captures] = captures
+      else
+        values += params.values.flatten
       end
 
       catch(:pass) do
         conditions.each { |c| throw :pass if c.bind(self).call == false }
         block ? block[self, values] : yield(self, values)
       end
+    rescue
+      @env['sinatra.error.params'] = @params
+      raise
     ensure
       @params = original if original
     end
@@ -1065,8 +1087,9 @@ module Sinatra
     # Run the block with 'throw :halt' support and apply result to the response.
     def invoke
       res = catch(:halt) { yield }
-      res = [res] if Integer === res or String === res
-      if Array === res and Integer === res.first
+
+      res = [res] if Fixnum === res or String === res
+      if Array === res and Fixnum === res.first
         res = res.dup
         status(res.shift)
         body(res.pop)
@@ -1079,6 +1102,9 @@ module Sinatra
 
     # Dispatch a request with error handling.
     def dispatch!
+      @params = indifferent_params(@request.params)
+      force_encoding(@params)
+
       invoke do
         static! if settings.static? && (request.get? || request.head?)
         filter! :before
@@ -1096,6 +1122,9 @@ module Sinatra
 
     # Error handling during requests.
     def handle_exception!(boom)
+      if error_params = @env['sinatra.error.params']
+        @params = @params.merge(error_params)
+      end
       @env['sinatra.error'] = boom
 
       if boom.respond_to? :http_status
@@ -1111,11 +1140,12 @@ module Sinatra
       if server_error?
         dump_errors! boom if settings.dump_errors?
         raise boom if settings.show_exceptions? and settings.show_exceptions != :after_handler
-      end
-
-      if not_found?
+      elsif not_found?
         headers['X-Cascade'] = 'pass' if settings.x_cascade?
         body '<h1>Not Found</h1>'
+      elsif bad_request?
+        dump_errors! boom if settings.dump_errors?
+        halt status
       end
 
       res = error_block!(boom.class, boom) || error_block!(status, boom)
@@ -1223,7 +1253,7 @@ module Sinatra
         case value
         when Proc
           getter = value
-        when Symbol, Integer, FalseClass, TrueClass, NilClass
+        when Symbol, Fixnum, FalseClass, TrueClass, NilClass
           getter = value.inspect
         when Hash
           setter = proc do |val|
@@ -1252,16 +1282,16 @@ module Sinatra
       # class, or an HTTP status code to specify which errors should be
       # handled.
       def error(*codes, &block)
-        args  = compile! "ERROR", //, block
+        args  = compile! "ERROR", /.*/, block
         codes = codes.map { |c| Array(c) }.flatten
         codes << Exception if codes.empty?
+        codes << Sinatra::NotFound if codes.include?(404)
         codes.each { |c| (@errors[c] ||= []) << args }
       end
 
       # Sugar for `error(404) { ... }`
       def not_found(&block)
         error(404, &block)
-        error(Sinatra::NotFound, &block)
       end
 
       # Define a named template. The block must return the template source.
@@ -1299,7 +1329,7 @@ module Sinatra
           data.each_line do |line|
             lines += 1
             if line =~ /^@@\s*(.*\S)\s*$/
-              template = force_encoding('', encoding)
+              template = force_encoding(String.new, encoding)
               templates[$1.to_sym] = [template, file, lines]
             elsif template
               template << line
@@ -1328,21 +1358,20 @@ module Sinatra
       # Define a before filter; runs before all requests within the same
       # context as route handlers and may access/modify the request and
       # response.
-      def before(path = nil, options = {}, &block)
+      def before(path = /.*/, **options, &block)
         add_filter(:before, path, options, &block)
       end
 
       # Define an after filter; runs after all requests within the same
       # context as route handlers and may access/modify the request and
       # response.
-      def after(path = nil, options = {}, &block)
+      def after(path = /.*/, **options, &block)
         add_filter(:after, path, options, &block)
       end
 
       # add a filter
-      def add_filter(type, path = nil, options = {}, &block)
-        path, options = //, path if path.respond_to?(:each_pair)
-        filters[type] << compile!(type, path || //, block, options)
+      def add_filter(type, path = /.*/, **options, &block)
+        filters[type] << compile!(type, path, block, options)
       end
 
       # Add a route condition. The route is considered non-matching when the
@@ -1422,7 +1451,7 @@ module Sinatra
         return unless running?
         # Use Thin's hard #stop! if available, otherwise just #stop.
         running_server.respond_to?(:stop!) ? running_server.stop! : running_server.stop
-        $stderr.puts "== Sinatra has ended his set (crowd applauds)" unless handler_name =~/cgi/i
+        $stderr.puts "== Sinatra has ended his set (crowd applauds)" unless supress_messages?
         set :running_server, nil
         set :handler_name, nil
       end
@@ -1504,7 +1533,7 @@ module Sinatra
       # Starts the server by running the Rack Handler.
       def start_server(handler, server_settings, handler_name)
         handler.run(self, server_settings) do |server|
-          unless handler_name =~ /cgi/i
+          unless supress_messages?
             $stderr.puts "== Sinatra (v#{Sinatra::VERSION}) has taken the stage on #{port} for #{environment} with backup from #{handler_name}"
           end
 
@@ -1517,6 +1546,10 @@ module Sinatra
         end
       end
 
+      def supress_messages?
+        handler_name =~ /cgi/i || quiet
+      end
+
       def setup_traps
         if traps?
           at_exit { quit! }
@@ -1534,8 +1567,7 @@ module Sinatra
 
       # Dynamically defines a method on settings.
       def define_singleton(name, content = Proc.new)
-        # replace with call to singleton_class once we're 1.9 only
-        (class << self; self; end).class_eval do
+        singleton_class.class_eval do
           undef_method(name) if method_defined? name
           String === content ? class_eval("def #{name}() #{content}; end") : define_method(name, &content)
         end
@@ -1599,108 +1631,22 @@ module Sinatra
         method
       end
 
-      def compile!(verb, path, block, options = {})
+      def compile!(verb, path, block, **options)
         options.each_pair { |option, args| send(option, *args) }
+
+        pattern                 = compile(path)
         method_name             = "#{verb} #{path}"
         unbound_method          = generate_method(method_name, &block)
-        pattern, keys           = compile path
         conditions, @conditions = @conditions, []
-
         wrapper                 = block.arity != 0 ?
           proc { |a,p| unbound_method.bind(a).call(*p) } :
           proc { |a,p| unbound_method.bind(a).call }
-        wrapper.instance_variable_set(:@route_name, method_name)
 
-        [ pattern, keys, conditions, wrapper ]
+        [ pattern, conditions, wrapper ]
       end
 
       def compile(path)
-        if path.respond_to? :to_str
-          keys = []
-
-          # Split the path into pieces in between forward slashes.
-          # A negative number is given as the second argument of path.split
-          # because with this number, the method does not ignore / at the end
-          # and appends an empty string at the end of the return value.
-          #
-          segments = path.split('/', -1).map! do |segment|
-            ignore = []
-
-            # Special character handling.
-            #
-            pattern = segment.to_str.gsub(/[^\?\%\\\/\:\*\w]|:(?!\w)/) do |c|
-              ignore << escaped(c).join if c.match(/[\.@]/)
-              patt = encoded(c)
-              patt.gsub(/%[\da-fA-F]{2}/) do |match|
-                match.split(//).map! { |char| char == char.downcase ? char : "[#{char}#{char.downcase}]" }.join
-              end
-            end
-
-            ignore = ignore.uniq.join
-
-            # Key handling.
-            #
-            pattern.gsub(/((:\w+)|\*)/) do |match|
-              if match == "*"
-                keys << 'splat'
-                "(.*?)"
-              else
-                keys << $2[1..-1]
-                ignore_pattern = safe_ignore(ignore)
-
-                ignore_pattern
-              end
-            end
-          end
-
-          # Special case handling.
-          #
-          if last_segment = segments[-1] and last_segment.match(/\[\^\\\./)
-            parts = last_segment.rpartition(/\[\^\\\./)
-            parts[1] = '[^'
-            segments[-1] = parts.join
-          end
-          [/\A#{segments.join('/')}\z/, keys]
-        elsif path.respond_to?(:keys) && path.respond_to?(:match)
-          [path, path.keys]
-        elsif path.respond_to?(:names) && path.respond_to?(:match)
-          [path, path.names]
-        elsif path.respond_to? :match
-          [path, []]
-        else
-          raise TypeError, path
-        end
-      end
-
-      def encoded(char)
-        enc = URI_INSTANCE.escape(char)
-        enc = "(?:#{escaped(char, enc).join('|')})" if enc == char
-        enc = "(?:#{enc}|#{encoded('+')})" if char == " "
-        enc
-      end
-
-      def escaped(char, enc = URI_INSTANCE.escape(char))
-        [Regexp.escape(enc), URI_INSTANCE.escape(char, /./)]
-      end
-
-      def safe_ignore(ignore)
-        unsafe_ignore = []
-        ignore = ignore.gsub(/%[\da-fA-F]{2}/) do |hex|
-          unsafe_ignore << hex[1..2]
-          ''
-        end
-        unsafe_patterns = unsafe_ignore.map! do |unsafe|
-          chars = unsafe.split(//).map! do |char|
-            char == char.downcase ? char : char + char.downcase
-          end
-
-          "|(?:%[^#{chars[0]}].|%[#{chars[0]}][^#{chars[1]}])"
-        end
-        if unsafe_patterns.length > 0
-          "((?:[^#{ignore}/?#%]#{unsafe_patterns.join()})+)"
-        else
-          "([^#{ignore}/?#]+)"
-        end
+        Mustermann.new(path)
       end
 
       def setup_default_middleware(builder)
@@ -1745,10 +1691,16 @@ module Sinatra
       def setup_protection(builder)
         return unless protection?
         options = Hash === protection ? protection.dup : {}
-        protect_session  = options.fetch(:session) { sessions? }
-        options[:except] = Array options[:except]
-        options[:except] += [:session_hijacking, :remote_token] unless protect_session
+        options = {
+          img_src:  "'self' data:",
+          font_src: "'self'"
+        }.merge options
+
+        protect_session = options.fetch(:session) { sessions? }
+        options[:without_session] = !protect_session
+
         options[:reaction] ||= :drop_session
+
         builder.use Rack::Protection, options
       end
 
@@ -1757,7 +1709,7 @@ module Sinatra
         options = {}
         options[:secret] = session_secret if session_secret?
         options.merge! sessions.to_hash if sessions.respond_to? :to_hash
-        builder.use Rack::Session::Cookie, options
+        builder.use session_store, options
       end
 
       def detect_rack_handler
@@ -1766,8 +1718,6 @@ module Sinatra
           begin
             return Rack::Handler.get(server_name.to_s)
           rescue LoadError, NameError
-          rescue ArgumentError
-            Sinatra::Ext.get_handler(server_name.to_s)
           end
         end
         fail "Server handler (#{servers.join(',')}) not found."
@@ -1826,11 +1776,12 @@ module Sinatra
 
     reset!
 
-    set :environment, (ENV['RACK_ENV'] || :development).to_sym
+    set :environment, (ENV['APP_ENV'] || ENV['RACK_ENV'] || :development).to_sym
     set :raise_errors, Proc.new { test? }
     set :dump_errors, Proc.new { !test? }
     set :show_exceptions, Proc.new { development? }
     set :sessions, false
+    set :session_store, Rack::Session::Cookie
     set :logging, false
     set :protection, true
     set :method_override, false
@@ -1861,6 +1812,7 @@ module Sinatra
     set :server, %w[HTTP webrick]
     set :bind, Proc.new { development? ? 'localhost' : '0.0.0.0' }
     set :port, Integer(ENV['PORT'] && !ENV['PORT'].empty? ? ENV['PORT'] : 4567)
+    set :quiet, false
 
     ruby_engine = defined?(RUBY_ENGINE) && RUBY_ENGINE
 
@@ -1936,7 +1888,7 @@ module Sinatra
             </style>
           </head>
           <body>
-            <h2>Sinatra doesn&rsquo;t know this ditty.</h2>
+            <h2>Sinatra doesn’t know this ditty.</h2>
             <img src='#{uri "/__sinatra__/404.png"}'>
             <div id="c">
               Try this: