sinatra 2.0.0 → 2.0.1.rc1

data/README.zh.md

@@ -239,6 +239,17 @@ end
 ```
 顺便一提，除非你禁用了路径遍历攻击防护（见下文），请求路径可能在匹配路由前发生改变。
 
+你也可以通过`:mustermann_opt`选项定义[Mustermann](https://github.com/sinatra/mustermann)来匹配路由。
+
+```ruby
+get '\A/posts\z', :mustermann_opts => { :type => :regexp, :check_anchors => false } do
+  # matches /posts exactly, with explicit anchoring
+  "If you match an anchored pattern clap your hands!"
+end
+```
+
+它看起来像一个[条件](https://github.com/sinatra/sinatra/blob/master/README.zh.md#%E6%9D%A1%E4%BB%B6)，但实际不是！这些选项将被合并到全局的`mustermann_opts`。
+
 ### 条件
 
 路由可以包含各种匹配条件，比如 user agent：
@@ -1302,33 +1313,59 @@ get '/:value' do
 end
 ```
 
-请注意 `enable :sessions` 实际将所有的数据保存在一个 cookie 中。
-这可能并不总是你想要的（cookie 中存储大量的数据会增加你的流量）。
-你可以使用任何 Rack session 中间件：要达到此目的，**不要**使用 `enable :sessions`，
-而是按照自己的需要引入想使用的中间件：
+#### 会话加密
+
+为提高安全性，cookie 中的会话数据使用`HMAC-SHA1`进行加密。会话加密的最佳实践应当是像`HMAC-SHA1`这样生成大于或等于64字节 (512 bits, 128 hex characters)的随机值。应当避免使用少于32字节(256 bits, 64 hex characters)的随机值。应当使用生成器来创建安全的密钥，而不是拍脑袋决定。
+
+默认情况下，Sinatra会生成一个32字节的密钥，但随着应用程序的每次重新启动，它都会发生改变。如果有多个应用程序的实例，使用Sinatra生成密钥，每个实例将有不同的密钥，这可能不是您想要的。
+
+为了更好的安全性和可用性，[建议](https://12factor.net/config)生成安全的随机密钥，并将其存储在运行应用程序的每个主机上的环境变量中，以便所有应用程序实例都将共享相同的密钥。并且应该定期更新会话密钥。下面是一些创建64比特密钥的例子:
+
+#### 生成密钥
 
 ```ruby
-use Rack::Session::Pool, :expire_after => 2592000
+$ ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"
+99ae8af...snip...ec0f262ac
+```
 
-get '/' do
-  "value = " << session['value'].inspect
-end
+#### 生成密钥(小贴士)
 
-get '/:value' do
-  session['value'] = params['value']
-end
+MRI Ruby目前认为[sysrandom gem](https://github.com/cryptosphere/sysrandom)使用系统的随机数生成器要比用户态的`OpenSSL`好。
+
+```ruby
+$ gem install sysrandom
+Building native extensions.  This could take a while...
+Successfully installed sysrandom-1.x
+1 gem installed
+
+$ ruby -e "require 'sysrandom/securerandom'; puts SecureRandom.hex(64)"
+99ae8af...snip...ec0f262ac
 ```
 
-为提高安全性，cookie 中的会话数据会被一个会话密码保护。Sinatra 会为你生成一个随机的密码。
-然而，每次启动应用时，该密码都会变化，你也可以自己设置该密码，以便所有的应用实例共享：
+#### 从环境变量使用密钥
 
+将Sinatra的SESSION_SECRET环境变量设置为生成的值。在主机的重新启动之间保存这个值。由于这样做的方法会因系统而异，仅供说明之用：
 ```
-set :session_secret, 'super secret'
+# echo "export SESSION_SECRET=99ae8af...snip...ec0f262ac" >> ~/.bashrc
 ```
 
-如果你想进一步配置会话，可以在设置 `sessions` 时提供一个选项 hash 作为第二个参数：
+#### 应用的密钥配置
 
+如果SESSION SECRET环境变量不可用，将把应用的随机密钥设置为不安全的。
+
+关于[sysrandom gem](https://github.com/cryptosphere/sysrandom)的更多用法:
+
+```ruby
+require 'securerandom'
+# -or- require 'sysrandom/securerandom'
+set :session_secret, ENV.fetch('SESSION_SECRET') { SecureRandom.hex(64) }
 ```
+
+#### 会话配置
+
+如果你想进一步配置会话，可以在设置 `sessions` 时提供一个选项 hash 作为第二个参数：
+
+```ruby
 set :sessions, :domain => 'foo.com'
 ```
 
@@ -1338,6 +1375,31 @@ set :sessions, :domain => 'foo.com'
 set :sessions, :domain => '.foo.com'
 ```
 
+#### 选择你自己的会话中间件
+
+请注意 `enable :sessions` 实际将所有的数据保存在一个 cookie 中。
+这可能并不总是你想要的（cookie 中存储大量的数据会增加你的流量）。
+你可以使用任何 Rack session 中间件：要达到此目的，**不要**使用 `enable :sessions`，
+而是按照自己的需要引入想使用的中间件：
+
+```ruby
+enable :sessions
+set :session_store, Rack::Session::Pool
+```
+
+另一种选择是不要调用enable：sessions，而是像你想要的其他中间件一样加入你的中间件。
+
+重要的是要注意，使用此方法时，默认情况下不会启用基于会话的保护。
+
+还需要添加Rack中间件：
+
+```ruby
+use Rack::Session::Pool, :expire_after => 2592000
+use Rack::Protection::RemoteToken
+use Rack::Protection::SessionHijacking
+```
+更多[安全防护配置](https://github.com/sinatra/sinatra#configuring-attack-protection)的信息。
+
 ### 中断请求
 
 要想在过滤器或路由中立即中断一个请求：

data/VERSION

@@ -0,0 +1 @@
+2.0.1.rc1

data/lib/sinatra/base.rb

@@ -915,6 +915,7 @@ module Sinatra
 
     def call!(env) # :nodoc:
       @env      = env
+      @params   = IndifferentHash.new
       @request  = Request.new(env)
       @response = Response.new
       template_cache.clear if settings.reload_templates
@@ -1024,7 +1025,8 @@ module Sinatra
       params.delete("ignore") # TODO: better params handling, maybe turn it into "smart" object or detect changes
       original, @params = @params, @params.merge(params) if params.any?
 
-      if pattern.is_a? Mustermann::Regular
+      regexp_exists = pattern.is_a?(Mustermann::Regular) || (pattern.respond_to?(:patterns) && pattern.patterns.any? {|subpattern| subpattern.is_a?(Mustermann::Regular)} )
+      if regexp_exists
         captures           = pattern.match(route).captures
         values            += captures
         @params[:captures] = captures
@@ -1086,7 +1088,7 @@ module Sinatra
 
     # Dispatch a request with error handling.
     def dispatch!
-      force_encoding(@params = IndifferentHash[@request.params])
+      force_encoding(@params.merge!(@request.params))
 
       invoke do
         static! if settings.static? && (request.get? || request.head?)
@@ -1160,7 +1162,7 @@ module Sinatra
 
     class << self
       CALLERS_TO_IGNORE = [ # :nodoc:
-        /\/sinatra(\/(base|main|show_exceptions))?\.rb$/,    # all sinatra code
+        /\/sinatra(\/(base|main|show_exceptions))?\.rb$/,   # all sinatra code
         /lib\/tilt.*\.rb$/,                                 # all tilt code
         /^\(.*\)$/,                                         # generated code
         /rubygems\/(custom|core_ext\/kernel)_require\.rb$/, # rubygems require hacks
@@ -1434,7 +1436,7 @@ module Sinatra
         return unless running?
         # Use Thin's hard #stop! if available, otherwise just #stop.
         running_server.respond_to?(:stop!) ? running_server.stop! : running_server.stop
-        $stderr.puts "== Sinatra has ended his set (crowd applauds)" unless supress_messages?
+        $stderr.puts "== Sinatra has ended his set (crowd applauds)" unless suppress_messages?
         set :running_server, nil
         set :handler_name, nil
       end
@@ -1520,7 +1522,7 @@ module Sinatra
         prototype
         # Run the instance we created:
         handler.run(self, server_settings) do |server|
-          unless supress_messages?
+          unless suppress_messages?
             $stderr.puts "== Sinatra (v#{Sinatra::VERSION}) has taken the stage on #{port} for #{environment} with backup from #{handler_name}"
           end
 
@@ -1533,7 +1535,7 @@ module Sinatra
         end
       end
 
-      def supress_messages?
+      def suppress_messages?
         handler_name =~ /cgi/i || quiet
       end
 

data/lib/sinatra/show_exceptions.rb

@@ -25,28 +25,63 @@ module Sinatra
 
       if prefers_plain_text?(env)
         content_type = "text/plain"
-        exception = dump_exception(e)
+        body = dump_exception(e)
       else
         content_type = "text/html"
-        exception = pretty(env, e)
+        body = pretty(env, e)
       end
 
       env["rack.errors"] = errors
 
-      # Post 893a2c50 in rack/rack, the #pretty method above, implemented in
-      # Rack::ShowExceptions, returns a String instead of an array.
-      body = Array(exception)
-
       [
         500,
         {
           "Content-Type" => content_type,
-          "Content-Length" => body.join.bytesize.to_s
+          "Content-Length" => body.bytesize.to_s
         },
-        body
+        [body]
       ]
     end
 
+    # Pulled from Rack::ShowExceptions in order to override TEMPLATE.
+    # If Rack provides another way to override, this could be removed
+    # in the future.
+    def pretty(env, exception)
+      req = Rack::Request.new(env)
+
+      # This double assignment is to prevent an "unused variable" warning on
+      # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+      path = path = (req.script_name + req.path_info).squeeze("/")
+
+      # This double assignment is to prevent an "unused variable" warning on
+      # Ruby 1.9.3.  Yes, it is dumb, but I don't like Ruby yelling at me.
+      frames = frames = exception.backtrace.map { |line|
+        frame = OpenStruct.new
+        if line =~ /(.*?):(\d+)(:in `(.*)')?/
+          frame.filename = $1
+          frame.lineno = $2.to_i
+          frame.function = $4
+
+          begin
+            lineno = frame.lineno-1
+            lines = ::File.readlines(frame.filename)
+            frame.pre_context_lineno = [lineno-CONTEXT, 0].max
+            frame.pre_context = lines[frame.pre_context_lineno...lineno]
+            frame.context_line = lines[lineno].chomp
+            frame.post_context_lineno = [lineno+CONTEXT, lines.size].min
+            frame.post_context = lines[lineno+1..frame.post_context_lineno]
+          rescue
+          end
+
+          frame
+        else
+          nil
+        end
+      }.compact
+
+      TEMPLATE.result(binding)
+    end
+
     private
 
     def bad_request?(e)
@@ -360,6 +395,3 @@ enabled the <code>show_exceptions</code> setting.</p>
 HTML
   end
 end
-
-Rack::ShowExceptions.send :remove_const, "TEMPLATE"
-Rack::ShowExceptions.const_set "TEMPLATE", Sinatra::ShowExceptions::TEMPLATE

data/lib/sinatra/version.rb

@@ -1,3 +1,3 @@
 module Sinatra
-  VERSION = '2.0.0'
+  VERSION = '2.0.1.rc1'
 end

data/sinatra.gemspec

@@ -17,7 +17,8 @@ Gem::Specification.new 'sinatra', version do |s|
     "MAINTENANCE.md",
     "Rakefile",
     "SECURITY.md",
-    "sinatra.gemspec"]
+    "sinatra.gemspec",
+    "VERSION"]
   s.test_files        = s.files.select { |p| p =~ /^test\/.*_test.rb/ }
   s.extra_rdoc_files  = s.files.select { |p| p =~ /^README/ } << 'LICENSE'
   s.rdoc_options      = %w[--line-numbers --inline-source --title Sinatra --main README.rdoc --encoding=UTF-8]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1.rc1
 platform: ruby
 authors:
 - Blake Mizerany
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-07 00:00:00.000000000 Z
+date: 2018-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -47,14 +47,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 2.0.1.rc1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 2.0.1.rc1
 - !ruby/object:Gem::Dependency
   name: mustermann
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +108,7 @@ files:
 - README.zh.md
 - Rakefile
 - SECURITY.md
+- VERSION
 - examples/chat.rb
 - examples/simple.rb
 - examples/stream.ru
@@ -142,12 +143,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: Classy web-development dressed in a DSL