sinatra 1.4.8 → 2.0.8.1

data/README.zh.md

@@ -205,7 +205,7 @@ end
 通过正则表达式匹配路由：
 
 ```ruby
-get /\A\/hello\/([\w]+)\z/ do
+get /\/hello\/([\w]+)/ do
   "Hello, #{params['captures'].first}!"
 end
 ```
@@ -239,6 +239,17 @@ end
 ```
 顺便一提，除非你禁用了路径遍历攻击防护（见下文），请求路径可能在匹配路由前发生改变。
 
+你也可以通过`:mustermann_opt`选项定义[Mustermann](https://github.com/sinatra/mustermann)来匹配路由。
+
+```ruby
+get '\A/posts\z', :mustermann_opts => { :type => :regexp, :check_anchors => false } do
+  # matches /posts exactly, with explicit anchoring
+  "If you match an anchored pattern clap your hands!"
+end
+```
+
+它看起来像一个[条件](https://github.com/sinatra/sinatra/blob/master/README.zh.md#%E6%9D%A1%E4%BB%B6)，但实际不是！这些选项将被合并到全局的`mustermann_opts`。
+
 ### 条件
 
 路由可以包含各种匹配条件，比如 user agent：
@@ -313,8 +324,8 @@ Rack 堆栈中的下一个中间件。大多数情况下，返回值是一个字
 
 你可以返回任何对象，该对象要么是一个合理的 Rack 响应，要么是一个 Rack body 对象，要么是 HTTP 状态码：
 
-* 一个包含三个元素的数组: `[状态 (Fixnum), 响应首部 (Hash), 响应主体 (可以响应 #each 方法)]`
-* 一个包含两个元素的数组: `[状态 (Fixnum), 响应主体 (可以响应 #each 方法)]`
+* 一个包含三个元素的数组: `[状态 (Integer), 响应首部 (Hash), 响应主体 (可以响应 #each 方法)]`
+* 一个包含两个元素的数组: `[状态 (Integer), 响应主体 (可以响应 #each 方法)]`
 * 一个响应 `#each` 方法，只传回字符串的对象
 * 一个代表状态码的数字
 
@@ -372,7 +383,7 @@ end
 或者，使用消极向前查找:
 
 ```ruby
-get %r{^(?!/index$)} do
+get %r{(?!/index)} do
   # ...
 end
 ```
@@ -649,7 +660,7 @@ get('/') { markdown :index }
 <table>
   <tr>
     <td>依赖项</td>
-    <td><a href="http://liquidmarkup.org/" title="liquid">liquid</a></td>
+    <td><a href="https://shopify.github.io/liquid/" title="liquid">liquid</a></td>
   </tr>
   <tr>
     <td>文件扩展名</td>
@@ -672,7 +683,7 @@ get('/') { markdown :index }
       下列任一:
         <a href="https://github.com/davidfstr/rdiscount" title="RDiscount">RDiscount</a>,
         <a href="https://github.com/vmg/redcarpet" title="RedCarpet">RedCarpet</a>,
-        <a href="http://deveiate.org/projects/BlueCloth" title="BlueCloth">BlueCloth</a>,
+        <a href="https://github.com/ged/bluecloth" title="bluecloth">BlueCloth</a>,
         <a href="http://kramdown.gettalong.org/" title="kramdown">kramdown</a>,
         <a href="https://github.com/bhollis/maruku" title="maruku">maruku</a>
     </td>
@@ -1302,33 +1313,59 @@ get '/:value' do
 end
 ```
 
-请注意 `enable :sessions` 实际将所有的数据保存在一个 cookie 中。
-这可能并不总是你想要的（cookie 中存储大量的数据会增加你的流量）。
-你可以使用任何 Rack session 中间件：要达到此目的，**不要**使用 `enable :sessions`，
-而是按照自己的需要引入想使用的中间件：
+#### 会话加密
+
+为提高安全性，cookie 中的会话数据使用`HMAC-SHA1`进行加密。会话加密的最佳实践应当是像`HMAC-SHA1`这样生成大于或等于64字节 (512 bits, 128 hex characters)的随机值。应当避免使用少于32字节(256 bits, 64 hex characters)的随机值。应当使用生成器来创建安全的密钥，而不是拍脑袋决定。
+
+默认情况下，Sinatra会生成一个32字节的密钥，但随着应用程序的每次重新启动，它都会发生改变。如果有多个应用程序的实例，使用Sinatra生成密钥，每个实例将有不同的密钥，这可能不是您想要的。
+
+为了更好的安全性和可用性，[建议](https://12factor.net/config)生成安全的随机密钥，并将其存储在运行应用程序的每个主机上的环境变量中，以便所有应用程序实例都将共享相同的密钥。并且应该定期更新会话密钥。下面是一些创建64比特密钥的例子:
+
+#### 生成密钥
 
 ```ruby
-use Rack::Session::Pool, :expire_after => 2592000
+$ ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"
+99ae8af...snip...ec0f262ac
+```
 
-get '/' do
-  "value = " << session['value'].inspect
-end
+#### 生成密钥(小贴士)
 
-get '/:value' do
-  session['value'] = params['value']
-end
+MRI Ruby目前认为[sysrandom gem](https://github.com/cryptosphere/sysrandom)使用系统的随机数生成器要比用户态的`OpenSSL`好。
+
+```ruby
+$ gem install sysrandom
+Building native extensions.  This could take a while...
+Successfully installed sysrandom-1.x
+1 gem installed
+
+$ ruby -e "require 'sysrandom/securerandom'; puts SecureRandom.hex(64)"
+99ae8af...snip...ec0f262ac
 ```
 
-为提高安全性，cookie 中的会话数据会被一个会话密码保护。Sinatra 会为你生成一个随机的密码。
-然而，每次启动应用时，该密码都会变化，你也可以自己设置该密码，以便所有的应用实例共享：
+#### 从环境变量使用密钥
 
+将Sinatra的SESSION_SECRET环境变量设置为生成的值。在主机的重新启动之间保存这个值。由于这样做的方法会因系统而异，仅供说明之用：
 ```
-set :session_secret, 'super secret'
+# echo "export SESSION_SECRET=99ae8af...snip...ec0f262ac" >> ~/.bashrc
 ```
 
-如果你想进一步配置会话，可以在设置 `sessions` 时提供一个选项 hash 作为第二个参数：
+#### 应用的密钥配置
 
+如果SESSION SECRET环境变量不可用，将把应用的随机密钥设置为不安全的。
+
+关于[sysrandom gem](https://github.com/cryptosphere/sysrandom)的更多用法:
+
+```ruby
+require 'securerandom'
+# -or- require 'sysrandom/securerandom'
+set :session_secret, ENV.fetch('SESSION_SECRET') { SecureRandom.hex(64) }
 ```
+
+#### 会话配置
+
+如果你想进一步配置会话，可以在设置 `sessions` 时提供一个选项 hash 作为第二个参数：
+
+```ruby
 set :sessions, :domain => 'foo.com'
 ```
 
@@ -1338,6 +1375,31 @@ set :sessions, :domain => 'foo.com'
 set :sessions, :domain => '.foo.com'
 ```
 
+#### 选择你自己的会话中间件
+
+请注意 `enable :sessions` 实际将所有的数据保存在一个 cookie 中。
+这可能并不总是你想要的（cookie 中存储大量的数据会增加你的流量）。
+你可以使用任何 Rack session 中间件：要达到此目的，**不要**使用 `enable :sessions`，
+而是按照自己的需要引入想使用的中间件：
+
+```ruby
+enable :sessions
+set :session_store, Rack::Session::Pool
+```
+
+另一种选择是不要调用enable：sessions，而是像你想要的其他中间件一样加入你的中间件。
+
+重要的是要注意，使用此方法时，默认情况下不会启用基于会话的保护。
+
+还需要添加Rack中间件：
+
+```ruby
+use Rack::Session::Pool, :expire_after => 2592000
+use Rack::Protection::RemoteToken
+use Rack::Protection::SessionHijacking
+```
+更多[安全防护配置](https://github.com/sinatra/sinatra#configuring-attack-protection)的信息。
+
 ### 中断请求
 
 要想在过滤器或路由中立即中断一个请求：
@@ -1933,7 +1995,7 @@ configure do
 end
 ```
 
-只有当环境 (`RACK_ENV` 环境变量) 被设定为 `:production` 时才运行：
+只有当环境 (`APP_ENV` 环境变量) 被设定为 `:production` 时才运行：
 
 ```ruby
 configure :production do
@@ -1965,7 +2027,7 @@ end
 
 ### 配置攻击防护
 
-Sinatra 使用 [Rack::Protection](https://github.com/sinatra/rack-protection#readme)
+Sinatra 使用 [Rack::Protection](https://github.com/sinatra/sinatra/tree/master/rack-protection#readme)
 来抵御常见的攻击。你可以轻易地禁用该行为（但这会大大增加应用被攻击的概率）。
 
 ```ruby
@@ -2033,8 +2095,8 @@ set :protection, :session => true
 
   <dt>environment</dt>
   <dd>
-    当前环境，默认是 <tt>ENV['RACK_ENV']</tt>，
-    或者 <tt>"development"</tt> (如果 ENV['RACK_ENV'] 不可用)。
+    当前环境，默认是 <tt>ENV['APP_ENV']</tt>，
+    或者 <tt>"development"</tt> (如果 ENV['APP_ENV'] 不可用)。
   </dd>
 
   <dt>logging</dt>
@@ -2145,15 +2207,15 @@ set :protection, :session => true
 ## 环境
 
 Sinatra 中有三种预先定义的环境："development"、"production" 和 "test"。
-环境可以通过 `RACK_ENV` 环境变量设置。默认值为 "development"。
+环境可以通过 `APP_ENV` 环境变量设置。默认值为 "development"。
 在开发环境下，每次请求都会重新加载所有模板，
 特殊的 `not_found` 和 `error` 错误处理器会在浏览器中显示 stack trace。
 在测试和生产环境下，模板默认会缓存。
 
-在不同的环境下运行，设置 `RACK_ENV` 环境变量：
+在不同的环境下运行，设置 `APP_ENV` 环境变量：
 
 ```shell
-RACK_ENV=production ruby my_app.rb
+APP_ENV=production ruby my_app.rb
 ```
 
 可以使用预定义的三种方法： `development?`、`test?` 和 `production?` 来检查当前环境：

data/Rakefile

@@ -3,22 +3,13 @@ require 'rake/testtask'
 require 'fileutils'
 require 'date'
 
-# CI Reporter is only needed for the CI
-begin
-  require 'ci/reporter/rake/test_unit'
-rescue LoadError
-end
-
 task :default => :test
 task :spec => :test
 
 CLEAN.include "**/*.rbc"
 
 def source_version
-  @source_version ||= begin
-    load './lib/sinatra/version.rb'
-    Sinatra::VERSION
-  end
+  @source_version ||= File.read(File.expand_path("../VERSION", __FILE__)).strip
 end
 
 def prev_feature
@@ -39,7 +30,7 @@ end
 
 Rake::TestTask.new(:test) do |t|
   t.test_files = FileList['test/*_test.rb']
-  t.ruby_opts = ['-rubygems'] if defined? Gem
+  t.ruby_opts = ['-r rubygems'] if defined? Gem
   t.ruby_opts << '-I.'
   t.warning = true
 end
@@ -50,7 +41,7 @@ Rake::TestTask.new(:"test:core") do |t|
      readme request response result route_added_hook
      routing server settings sinatra static templates]
   t.test_files = core_tests.map {|n| "test/#{n}_test.rb"}
-  t.ruby_opts = ["-rubygems"] if defined? Gem
+  t.ruby_opts = ["-r rubygems"] if defined? Gem
   t.ruby_opts << "-I."
   t.warning = true
 end
@@ -61,7 +52,8 @@ namespace :test do
   desc 'Measures test coverage'
   task :coverage do
     rm_f "coverage"
-    sh "rcov -Ilib test/*_test.rb"
+    ENV['COVERAGE'] = '1'
+    Rake::Task['test'].invoke
   end
 end
 
@@ -95,9 +87,9 @@ end
 
 # Thanks in announcement ===============================================
 
-team = ["Ryan Tomayko", "Blake Mizerany", "Simon Rozet", "Konstantin Haase"]
+team = ["Ryan Tomayko", "Blake Mizerany", "Simon Rozet", "Konstantin Haase", "Zachary Scott"]
 desc "list of contributors"
-task :thanks, [:release,:backports] do |t, a|
+task :thanks, ['release:all', :backports] do |t, a|
   a.with_defaults :release => "#{prev_version}..HEAD",
     :backports => "#{prev_feature}.0..#{prev_feature}.x"
   included = `git log --format=format:"%aN\t%s" #{a.release}`.lines.map { |l| l.force_encoding('binary') }
@@ -146,54 +138,88 @@ end
 # PACKAGING ============================================================
 
 if defined?(Gem)
-  # Load the gemspec using the same limitations as github
-  def spec
-    require 'rubygems' unless defined? Gem::Specification
-    @spec ||= eval(File.read('sinatra.gemspec'))
+  GEMS_AND_ROOT_DIRECTORIES = {
+    "sinatra" => ".",
+    "sinatra-contrib" => "./sinatra-contrib",
+    "rack-protection" => "./rack-protection"
+  }
+
+  def package(gem, ext='')
+    "pkg/#{gem}-#{source_version}" + ext
   end
 
-  def package(ext='')
-    "pkg/sinatra-#{spec.version}" + ext
-  end
+  directory 'pkg/'
+  CLOBBER.include('pkg')
 
-  desc 'Build packages'
-  task :package => %w[.gem .tar.gz].map {|e| package(e)}
+  GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+    file package(gem, '.gem') => ["pkg/", "#{directory + '/' + gem}.gemspec"] do |f|
+      sh "cd #{directory} && gem build #{gem}.gemspec"
+      mv directory + "/" + File.basename(f.name), f.name
+    end
 
-  desc 'Build and install as local gem'
-  task :install => package('.gem') do
-    sh "gem install #{package('.gem')}"
+    file package(gem, '.tar.gz') => ["pkg/"] do |f|
+      sh <<-SH
+        git archive \
+          --prefix=#{gem}-#{source_version}/ \
+          --format=tar \
+          HEAD -- #{directory} | gzip > #{f.name}
+      SH
+    end
   end
 
-  directory 'pkg/'
-  CLOBBER.include('pkg')
+  namespace :package do
+    GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+      desc "Build #{gem} packages"
+      task gem => %w[.gem .tar.gz].map { |e| package(gem, e) }
+    end
 
-  file package('.gem') => %w[pkg/ sinatra.gemspec] + spec.files do |f|
-    sh "gem build sinatra.gemspec"
-    mv File.basename(f.name), f.name
+    desc "Build all packages"
+    task :all => GEMS_AND_ROOT_DIRECTORIES.keys
   end
 
-  file package('.tar.gz') => %w[pkg/] + spec.files do |f|
-    sh <<-SH
-      git archive \
-        --prefix=sinatra-#{source_version}/ \
-        --format=tar \
-        HEAD | gzip > #{f.name}
-    SH
+  namespace :install do
+    GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+      desc "Build and install #{gem} as local gem"
+      task gem => package(gem, '.gem') do
+        sh "gem install #{package(gem, '.gem')}"
+      end
+    end
+
+    desc "Build and install all of the gems as local gems"
+    task :all => GEMS_AND_ROOT_DIRECTORIES.keys
   end
 
-  task 'release' => ['test', package('.gem')] do
-    if File.binread("CHANGELOG.md") =~ /= \d\.\d\.\d . not yet released$/i
-      fail 'please update the changelog first' unless %x{git symbolic-ref HEAD} == "refs/heads/prerelease\n"
+  namespace :release do
+    GEMS_AND_ROOT_DIRECTORIES.each do |gem, directory|
+      desc "Release #{gem} as a package"
+      task gem => "package:#{gem}" do
+        sh <<-SH
+          gem install #{package(gem, '.gem')} --local &&
+          gem push #{package(gem, '.gem')}
+        SH
+      end
+    end
+
+    desc "Commits the version to github repository"
+    task :commit_version do
+      %w[
+        lib/sinatra
+        sinatra-contrib/lib/sinatra/contrib
+        rack-protection/lib/rack/protection
+      ].each do |path|
+        path = File.join(path, 'version.rb')
+        File.write(path, File.read(path).sub(/VERSION = '(.+?)'/, "VERSION = '#{source_version}'"))
+      end
+
+      sh <<-SH
+        git commit --allow-empty -a -m '#{source_version} release'  &&
+        git tag -s v#{source_version} -m '#{source_version} release'  &&
+        git push && (git push origin || true) &&
+        git push --tags && (git push origin --tags || true)
+      SH
     end
 
-    sh <<-SH
-      gem install #{package('.gem')} --local &&
-      gem push #{package('.gem')}  &&
-      git commit --allow-empty -a -m '#{source_version} release'  &&
-      git tag -s v#{source_version} -m '#{source_version} release'  &&
-      git tag -s #{source_version} -m '#{source_version} release'  &&
-      git push && (git push sinatra || true) &&
-      git push --tags && (git push sinatra --tags || true)
-    SH
+    desc "Release all gems as packages"
+    task :all => [:test, :commit_version] + GEMS_AND_ROOT_DIRECTORIES.keys
   end
 end

data/SECURITY.md

@@ -0,0 +1,35 @@
+# Reporting a security bug
+
+All security bugs in Sinatra should be reported to the core team through our private mailing list [sinatra-security@googlegroups.com](https://groups.google.com/group/sinatra-security). Your report will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.
+
+After the initial reply to your report the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement. These updates will be sent at least every five days, in reality this is more likely to be every 24-48 hours.
+
+If you have not received a reply to your email within 48 hours, or have not heard from the security team for the past five days there are a few steps you can take:
+
+* Contact the current security coordinator [Zachary Scott](mailto:zzak@ruby-lang.org) directly
+
+## Disclosure Policy
+
+Sinatra has a 5 step disclosure policy, that is upheld to the best of our ability.
+
+1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.
+2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.
+3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.
+4. A suggested embargo date for this vulnerability is chosen and distros@openwall is notified. This notification will include patches for all versions still under support and a contact address for packagers who need advice back-porting patches to older versions.
+5. On the embargo date, the [mailing list][mailing-list] and [security list][security-list] are sent a copy of the announcement. The changes are pushed to the public repository and new gems released to rubygems.
+
+Typically the embargo date will be set 72 hours from the time vendor-sec is first notified, however this may vary depending on the severity of the bug or difficulty in applying a fix.
+
+This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.
+
+## Security Updates
+
+Security updates will be posted on the [mailing list][mailing-list] and [security list][security-list].
+
+## Comments on this Policy
+
+If you have any suggestions to improve this policy, please send an email the core team at [sinatrarb@googlegroups.com](https://groups.google.com/group/sinatrarb).
+
+
+[mailing-list]: http://groups.google.com/group/sinatrarb/topics
+[security-list]: http://groups.google.com/group/sinatra-security/topics

data/VERSION

@@ -0,0 +1 @@
+2.0.8.1