RubyGems - sinatra - Versions diffs - 4.0.1 → 4.1.0 - Mend

sinatra 4.0.1 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +17 -28
data/README.md +30 -10
data/VERSION +1 -1
data/lib/sinatra/base.rb +32 -11
data/lib/sinatra/indifferent_hash.rb +1 -1
data/lib/sinatra/version.rb +1 -1
data/sinatra.gemspec +1 -2
metadata +9 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 931652dc91884a733d4cab3fd2679533de8a78d80a9c7d19d2cecf2798a678c6
-  data.tar.gz: b6b633d00b67e7318547f5b066aeee0956ecd8b448f910f829d2cf33cb2d208c
+  metadata.gz: a487551e0b40831dadeffd669ae0a8fb408fc5880825f2257105beec8be727ec
+  data.tar.gz: f7999f252d7d1c2192a3c909911ff5879075a811a8c742c89a2d700bf1db8b82
 SHA512:
-  metadata.gz: 8181093ece483ffdde4f660feb8c9bfe821260fa7af456820a0ecbafcd74a2932a835f7bee35b79d070755bb36b75d14077aa3e9fbf9ee8a33eebd92f13195ba
-  data.tar.gz: 280db78b6907477f15d9bdb9def5985f6ef62a70e697c61f85d00dc35a0e21397656d5ab862ee17fbafe05ff5e45c1eac1d14dfa73d75cb1e4f5d4e91f81001b
+  metadata.gz: 611bf8733959bae4110a357e22be091cd3c044a5f810d133a9833993c84e2ae7a3b2c3999fd13991338c44e72ac5ab6b9b3af8bc9d4667384fd97b7715c086d2
+  data.tar.gz: 824f4f37c5cc5fde671bdf286c63cd67672566c10fadcf80b841eddc9685f92b88a9032ee8b711a2b859a5529afc082fe11f09ac1204f8b04659501f13a03747

data/CHANGELOG.md CHANGED Viewed

@@ -1,29 +1,18 @@
-## 4.0.1 / 2025-05-24
-* Rack 3.1 compatibility ([#2035])
-* Fix malformed Content-Type headers ([#2081])
-* Avoid crash for integer values in `content_type` parameters ([#2078])
-* Fix compatibility with --enable-frozen-string-literal ([#2033])
-* Declare missing dependencies for Ruby 3.5 ([#2032])
-* Fix warning about Hash construction. ([#2028])
-* Support Zeitwerk 2.7.0+ ([#2050])
-* Address URI depreciation ([#2060])
-[#2035]: https://github.com/sinatra/sinatra/pull/2035
-[#2081]: https://github.com/sinatra/sinatra/pull/2081
-[#2078]: https://github.com/sinatra/sinatra/pull/2078
-[#2033]: https://github.com/sinatra/sinatra/pull/2033
-[#2032]: https://github.com/sinatra/sinatra/pull/2032
-[#2028]: https://github.com/sinatra/sinatra/pull/2028
-[#2050]: https://github.com/sinatra/sinatra/pull/2050
-[#2060]: https://github.com/sinatra/sinatra/pull/2060
+## 4.1.0 / 2024-11-18
+* New: Add `host_authorization` setting ([#2053](https://github.com/sinatra/sinatra/pull/2053))
+  * Defaults to `.localhost`, `.test` and any IP address in development mode.
+  * Security: addresses [CVE-2018-11627](https://github.com/advisories/GHSA-hxx2-7vcw-mqr3).
+* Fix: Return an instance of `Sinatra::IndifferentHash` when calling `#except` ([#2044](https://github.com/sinatra/sinatra/pull/2044))
+* Fix: Address warning from `URI` for Ruby 3.4 ([#2060](https://github.com/sinatra/sinatra/pull/2060))
+* Fix: `rackup` no longer depends on WEBrick, recommend Puma instead ([`4a558503`](https://github.com/sinatra/sinatra/commit/4a558503a0ee41f26d4ebc07b478340e8a8a5ed6))
+* Fix: Zeitwerk 2.7.0+ compatibility ([#2050](https://github.com/sinatra/sinatra/pull/2050))
+* Fix: Address warning about Hash construction for Ruby 3.4 ([#2028](https://github.com/sinatra/sinatra/pull/2028))
+* Fix: Declare missing dependencies for Ruby 3.5 ([#2032](https://github.com/sinatra/sinatra/pull/2032))
+* Fix: Compatibility with `--enable-frozen-string-literal` ([#2033](https://github.com/sinatra/sinatra/pull/2033))
+* Fix: Rack 3.1 compatibility ([#2035](https://github.com/sinatra/sinatra/pull/2035))
+  * Don't depend on `Rack::Logger`
+  * Don't delete `content-length` header when `Rack::Files` is used
 ## 4.0.0. / 2024-01-19
@@ -270,7 +259,7 @@
 * Fix issue with passed routes and provides Fixes [#1095](https://github.com/sinatra/sinatra/pull/1095) [#1606](https://github.com/sinatra/sinatra/pull/1606) by Mike Pastore, Jordan Owens
-* Add QuietLogger that excludes pathes from Rack::CommonLogger [1250](https://github.com/sinatra/sinatra/pull/1250) by Christoph Wagner
+* Add QuietLogger that excludes paths from Rack::CommonLogger [1250](https://github.com/sinatra/sinatra/pull/1250) by Christoph Wagner
 * Sinatra::Contrib dependency updates. Fixes [#1207](https://github.com/sinatra/sinatra/pull/1207) [#1411](https://github.com/sinatra/sinatra/pull/1411) by Mike Pastore
@@ -1636,7 +1625,7 @@ the 1.0 release:
    Hash structure. e.g., "post[title]=Hello&post[body]=World" yields
    params: {'post' => {'title' => 'Hello', 'body' => 'World'}}.
- * Regular expressions may now be used in route pattens; captures are
+ * Regular expressions may now be used in route patterns; captures are
    available at "params[:captures]".
  * New ":provides" route condition takes an array of mime types and

data/README.md CHANGED Viewed

@@ -15,11 +15,10 @@ get '/' do
 end
 ```
-Install the gem:
+Install the gems needed:
 ```shell
-gem install sinatra
-gem install puma # or any other server
+gem install sinatra rackup puma
 ```
 And run with:
@@ -1993,6 +1992,31 @@ set :protection, :session => true
       <tt>"development"</tt> if not available.
     </dd>
+  <dt>host_authorization</dt>
+  <dd>
+    You can pass a hash of options to <tt>host_authorization</tt>,
+    to be used by the <tt>Rack::Protection::HostAuthorization</tt> middleware.
+  <dd>
+  <dd>
+    The middleware can block requests with unrecognized hostnames, to prevent DNS rebinding
+    and other host header attacks. It checks the <tt>Host</tt>, <tt>X-Forwarded-Host</tt>
+    and <tt>Forwarded</tt> headers.
+  </dd>
+  <dd>
+    Useful options are:
+    <ul>
+      <li><tt>permitted_hosts</tt> – an array of hostnames (and <tt>IPAddr</tt> objects) your app recognizes
+        <ul>
+          <li>in the <tt>development</tt> environment, it is set to <tt>.localhost</tt>, <tt>.test</tt> and any IPv4/IPv6 address</li>
+          <li>if empty, any hostname is permitted (the default for any other environment)</li>
+        </ul>
+      </li>
+      <li><tt>status</tt> – the HTTP status code used in the response when a request is blocked (defaults to <tt>403</tt>)</li>
+      <li><tt>message</tt> – the body used in the response when a request is blocked (defaults to <tt>Host not permitted</tt>)</li>
+      <li><tt>allow_if</tt> – supply a <tt>Proc</tt> to use custom allow/deny logic, the proc is passed the request environment</li>
+    </ul>
+  </dd>
   <dt>logging</dt>
     <dd>Use the logger.</dd>
@@ -2086,12 +2110,8 @@ set :protection, :session => true
   <dt>server_settings</dt>
     <dd>
-      If you are using a WEBrick web server, presumably for your development
-      environment, you can pass a hash of options to <tt>server_settings</tt>,
-      such as <tt>SSLEnable</tt> or <tt>SSLVerifyClient</tt>. However, web
-      servers such as Puma do not support this, so you can set
-      <tt>server_settings</tt> by defining it as a method when you call
-      <tt>configure</tt>.
+      You can pass a hash of options to <tt>server_settings</tt>,
+      such as <tt>Host</tt> or <tt>Port</tt>.
     </dd>
   <dt>sessions</dt>
@@ -2812,7 +2832,7 @@ _Paraphrasing from
 by Konstantin_
 Sinatra doesn't impose any concurrency model but leaves that to the
-underlying Rack handler (server) like Puma or WEBrick. Sinatra
+underlying Rack handler (server) like Puma or Falcon. Sinatra
 itself is thread-safe, so there won't be any problem if the Rack handler
 uses a threaded model of concurrency.

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 4.0.1
1	+ 4.1.0

data/lib/sinatra/base.rb CHANGED Viewed

@@ -14,6 +14,7 @@ require 'mustermann/sinatra'
 require 'mustermann/regular'
 # stdlib dependencies
+require 'ipaddr'
 require 'time'
 require 'uri'
@@ -63,7 +64,7 @@ module Sinatra
     alias secure? ssl?
     def forwarded?
-      @env.include? 'HTTP_X_FORWARDED_HOST'
+      !forwarded_authority.nil?
     end
     def safe?
@@ -395,11 +396,11 @@ module Sinatra
       end
       params.delete :charset if mime_type.include? 'charset'
       unless params.empty?
-        mime_type << ';'
+        mime_type << (mime_type.include?(';') ? ', ' : ';')
         mime_type << params.map do |key, val|
-          val = val.inspect if val.to_s =~ /[";,]/
+          val = val.inspect if val =~ /[";,]/
           "#{key}=#{val}"
-        end.join(';')
+        end.join(', ')
       end
       response['content-type'] = mime_type
     end
@@ -1600,20 +1601,20 @@ module Sinatra
       alias stop! quit!
       # Run the Sinatra app as a self-hosted server using
-      # Puma, Falcon, or WEBrick (in that order). If given a block, will call
+      # Puma, Falcon (in that order). If given a block, will call
       # with the constructed handler once we have taken the stage.
       def run!(options = {}, &block)
         unless defined?(Rackup::Handler)
           rackup_warning = <<~MISSING_RACKUP
-            Sinatra could not start, the "rackup" gem was not found!
+            Sinatra could not start, the required gems weren't found!
-            Add it to your bundle with:
+            Add them to your bundle with:
-                bundle add rackup
+                bundle add rackup puma
-            or install it with:
+            or install them with:
-                gem install rackup
+                gem install rackup puma
           MISSING_RACKUP
           warn rackup_warning
@@ -1821,6 +1822,7 @@ module Sinatra
         setup_logging    builder
         setup_sessions   builder
         setup_protection builder
+        setup_host_authorization builder
       end
       def setup_middleware(builder)
@@ -1869,6 +1871,10 @@ module Sinatra
         builder.use Rack::Protection, options
       end
+      def setup_host_authorization(builder)
+        builder.use Rack::Protection::HostAuthorization, host_authorization
+      end
       def setup_sessions(builder)
         return unless sessions?
@@ -1963,10 +1969,25 @@ module Sinatra
     set :running_server, nil
     set :handler_name, nil
     set :traps, true
-    set :server, %w[HTTP webrick]
+    set :server, %w[]
     set :bind, proc { development? ? 'localhost' : '0.0.0.0' }
     set :port, Integer(ENV['PORT'] && !ENV['PORT'].empty? ? ENV['PORT'] : 4567)
     set :quiet, false
+    set :host_authorization, ->() do
+      if development?
+        {
+          permitted_hosts: [
+            "localhost",
+            ".localhost",
+            ".test",
+            IPAddr.new("0.0.0.0/0"),
+            IPAddr.new("::/0"),
+          ]
+        }
+      else
+        {}
+      end
+    end
     ruby_engine = defined?(RUBY_ENGINE) && RUBY_ENGINE

data/lib/sinatra/indifferent_hash.rb CHANGED Viewed

@@ -185,7 +185,7 @@ module Sinatra
     def except(*keys)
       keys.map!(&method(:convert_key))
-      super(*keys)
+      self.class[super(*keys)]
     end if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0")
     private

data/lib/sinatra/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Sinatra
-  VERSION = '4.0.1'
+  VERSION = '4.1.0'
 end

data/sinatra.gemspec CHANGED Viewed

@@ -40,8 +40,7 @@ RubyGems 2.0 or newer is required to protect against public gem pushes. You can
     'homepage_uri' => 'http://sinatrarb.com/',
     'bug_tracker_uri' => 'https://github.com/sinatra/sinatra/issues',
     'mailing_list_uri' => 'http://groups.google.com/group/sinatrarb',
-    'documentation_uri' => 'https://www.rubydoc.info/gems/sinatra',
-    'rubygems_mfa_required' => 'true',
+    'documentation_uri' => 'https://www.rubydoc.info/gems/sinatra'
   }
   s.required_ruby_version = '>= 2.7.8'

metadata CHANGED Viewed

@@ -1,16 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-  version: 4.0.1
+  version: 4.1.0
 platform: ruby
 authors:
 - Blake Mizerany
 - Ryan Tomayko
 - Simon Rozet
 - Konstantin Haase
+autorequire:
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2024-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logger
@@ -66,14 +67,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: 4.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.0.1
+        version: 4.1.0
 - !ruby/object:Gem::Dependency
   name: rack-session
   requirement: !ruby/object:Gem::Requirement
@@ -114,8 +115,8 @@ email: sinatrarb@googlegroups.com
 executables: []
 extensions: []
 extra_rdoc_files:
-- LICENSE
 - README.md
+- LICENSE
 files:
 - ".yardopts"
 - AUTHORS.md
@@ -152,7 +153,7 @@ metadata:
   bug_tracker_uri: https://github.com/sinatra/sinatra/issues
   mailing_list_uri: http://groups.google.com/group/sinatrarb
   documentation_uri: https://www.rubydoc.info/gems/sinatra
-  rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options:
 - "--line-numbers"
 - "--title"
@@ -173,7 +174,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Classy web-development dressed in a DSL
 test_files: []