sinatra 4.1.0 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a487551e0b40831dadeffd669ae0a8fb408fc5880825f2257105beec8be727ec
-  data.tar.gz: f7999f252d7d1c2192a3c909911ff5879075a811a8c742c89a2d700bf1db8b82
+  metadata.gz: 904d7b82f73deaf163b96f2174229e1a2650ee4e152599b8adb4523ecae6a421
+  data.tar.gz: eeba1a0f1198f512a5bb88dc644bf0bbb0d2c1ac4717e20951d8f3a07c4c7d30
 SHA512:
-  metadata.gz: 611bf8733959bae4110a357e22be091cd3c044a5f810d133a9833993c84e2ae7a3b2c3999fd13991338c44e72ac5ab6b9b3af8bc9d4667384fd97b7715c086d2
-  data.tar.gz: 824f4f37c5cc5fde671bdf286c63cd67672566c10fadcf80b841eddc9685f92b88a9032ee8b711a2b859a5529afc082fe11f09ac1204f8b04659501f13a03747
+  metadata.gz: 68108e3688481b30dba13bd485f393a1daa82bcfde6231b827681b59693b7d8363310653d196e43c38513ca60380d29d4f5dc1bd9cb90c838b0d36975af806a4
+  data.tar.gz: ce6ad419d50d6b7862224e2a611a8ea83e03d8f472b89416008de130892fa744aa05a52032a96abb95a4314947cf03a4b1f6cf97aa14519c03ead32361a24512

data/CHANGELOG.md

@@ -1,8 +1,22 @@
+## Unreleased
+
+## 4.2.0 / 2025-10-08
+
+* New: Add `:static_headers` setting for custom headers in static file responses ([#2089](https://github.com/sinatra/sinatra/pull/2089))
+* Fix: Fix regex in `etag_matches?` to prevent ReDoS ([#2121](https://github.com/sinatra/sinatra/pull/2121)))
+* Fix: `PATH_INFO` can never be empty ([#2114](https://github.com/sinatra/sinatra/pull/2114))
+* Fix: Fix malformed Content-Type headers ([#2081](https://github.com/sinatra/sinatra/pull/2081))
+* Fix: Avoid crash for integer values in `content_type` parameters ([#2078](https://github.com/sinatra/sinatra/pull/2078))
+
+## 4.1.1 / 2024-11-20
+
+* Fix: Restore WEBrick support ([#2067](https://github.com/sinatra/sinatra/pull/2067))
+
 ## 4.1.0 / 2024-11-18
 
 * New: Add `host_authorization` setting ([#2053](https://github.com/sinatra/sinatra/pull/2053))
   * Defaults to `.localhost`, `.test` and any IP address in development mode.
-  * Security: addresses [CVE-2018-11627](https://github.com/advisories/GHSA-hxx2-7vcw-mqr3).
+  * Security: addresses [CVE-2024-21510](https://github.com/advisories/GHSA-hxx2-7vcw-mqr3).
 * Fix: Return an instance of `Sinatra::IndifferentHash` when calling `#except` ([#2044](https://github.com/sinatra/sinatra/pull/2044))
 * Fix: Address warning from `URI` for Ruby 3.4 ([#2060](https://github.com/sinatra/sinatra/pull/2060))
 * Fix: `rackup` no longer depends on WEBrick, recommend Puma instead ([`4a558503`](https://github.com/sinatra/sinatra/commit/4a558503a0ee41f26d4ebc07b478340e8a8a5ed6))
@@ -14,6 +28,33 @@
   * Don't depend on `Rack::Logger`
   * Don't delete `content-length` header when `Rack::Files` is used
 
+## 4.0.1 / 2025-05-24
+
+* Rack 3.1 compatibility ([#2035])
+
+* Fix malformed Content-Type headers ([#2081])
+
+* Avoid crash for integer values in `content_type` parameters ([#2078])
+
+* Fix compatibility with --enable-frozen-string-literal ([#2033])
+
+* Declare missing dependencies for Ruby 3.5 ([#2032])
+
+* Fix warning about Hash construction. ([#2028])
+
+* Support Zeitwerk 2.7.0+ ([#2050])
+
+* Address URI depreciation ([#2060])
+
+[#2035]: https://github.com/sinatra/sinatra/pull/2035
+[#2081]: https://github.com/sinatra/sinatra/pull/2081
+[#2078]: https://github.com/sinatra/sinatra/pull/2078
+[#2033]: https://github.com/sinatra/sinatra/pull/2033
+[#2032]: https://github.com/sinatra/sinatra/pull/2032
+[#2028]: https://github.com/sinatra/sinatra/pull/2028
+[#2050]: https://github.com/sinatra/sinatra/pull/2050
+[#2060]: https://github.com/sinatra/sinatra/pull/2060
+
 ## 4.0.0. / 2024-01-19
 
 * New: Add support for Rack 3 ([#1857])

data/Gemfile

@@ -55,6 +55,7 @@ gem 'redcarpet', platforms: [:ruby]
 gem 'simplecov', require: false
 gem 'slim', '~> 5'
 gem 'yajl-ruby', platforms: [:ruby]
+gem 'webrick'
 
 # sass-embedded depends on google-protobuf
 # which fails to be installed on JRuby and TruffleRuby under aarch64

data/README.md

@@ -34,9 +34,6 @@ Please restart the server every time you change or use a code reloader
 like [rerun](https://github.com/alexch/rerun) or
 [rack-unreloader](https://github.com/jeremyevans/rack-unreloader).
 
-It is recommended to also run `gem install puma`, which Sinatra will
-pick up if available.
-
 ## Table of Contents
 
 - [Sinatra](#sinatra)
@@ -423,6 +420,15 @@ Note that the public directory name is not included in the URL. A file
 Use the `:static_cache_control` setting (see [below](#cache-control)) to add
 `Cache-Control` header info.
 
+By default, Sinatra serves static files from the `public/` folder without running middleware or filters. To add custom headers (e.g, for CORS or caching), use the `:static_headers` setting:
+
+```ruby
+  set :static_headers, {
+    'access-control-allow-origin' => '*',
+    'x-static-asset' => 'served-by-sinatra'
+  }
+```
+
 ## Views / Templates
 
 Each template language is exposed via its own rendering method. These
@@ -1994,27 +2000,29 @@ set :protection, :session => true
 
   <dt>host_authorization</dt>
   <dd>
-    You can pass a hash of options to <tt>host_authorization</tt>,
-    to be used by the <tt>Rack::Protection::HostAuthorization</tt> middleware.
-  <dd>
-  <dd>
-    The middleware can block requests with unrecognized hostnames, to prevent DNS rebinding
-    and other host header attacks. It checks the <tt>Host</tt>, <tt>X-Forwarded-Host</tt>
-    and <tt>Forwarded</tt> headers.
-  </dd>
-  <dd>
-    Useful options are:
-    <ul>
-      <li><tt>permitted_hosts</tt> – an array of hostnames (and <tt>IPAddr</tt> objects) your app recognizes
-        <ul>
-          <li>in the <tt>development</tt> environment, it is set to <tt>.localhost</tt>, <tt>.test</tt> and any IPv4/IPv6 address</li>
-          <li>if empty, any hostname is permitted (the default for any other environment)</li>
-        </ul>
-      </li>
-      <li><tt>status</tt> – the HTTP status code used in the response when a request is blocked (defaults to <tt>403</tt>)</li>
-      <li><tt>message</tt> – the body used in the response when a request is blocked (defaults to <tt>Host not permitted</tt>)</li>
-      <li><tt>allow_if</tt> – supply a <tt>Proc</tt> to use custom allow/deny logic, the proc is passed the request environment</li>
-    </ul>
+    <p>
+      You can pass a hash of options to <tt>host_authorization</tt>,
+      to be used by the <tt>Rack::Protection::HostAuthorization</tt> middleware.
+    </p>
+    <p>
+      The middleware can block requests with unrecognized hostnames, to prevent DNS rebinding
+      and other host header attacks. It checks the <tt>Host</tt>, <tt>X-Forwarded-Host</tt>
+      and <tt>Forwarded</tt> headers.
+    </p>
+    <p>
+      Useful options are:
+      <ul>
+        <li><tt>permitted_hosts</tt> – an array of hostnames (and <tt>IPAddr</tt> objects) your app recognizes
+          <ul>
+            <li>in the <tt>development</tt> environment, it is set to <tt>.localhost</tt>, <tt>.test</tt> and any IPv4/IPv6 address</li>
+            <li>if empty, any hostname is permitted (the default for any other environment)</li>
+          </ul>
+        </li>
+        <li><tt>status</tt> – the HTTP status code used in the response when a request is blocked (defaults to <tt>403</tt>)</li>
+        <li><tt>message</tt> – the body used in the response when a request is blocked (defaults to <tt>Host not permitted</tt>)</li>
+        <li><tt>allow_if</tt> – supply a <tt>Proc</tt> to use custom allow/deny logic, the proc is passed the request environment</li>
+      </ul>
+    </p>
   </dd>
 
   <dt>logging</dt>
@@ -2158,6 +2166,16 @@ set :protection, :session => true
       <tt>set :static_cache_control, [:public, :max_age => 300]</tt>
     </dd>
 
+  <dt>static_headers</dt>
+    <dd>
+      Allows you to define custom header settings for static file responses.
+    </dd>
+    <dd>
+      For example: <br>
+      <tt>set :static_headers, {'access-control-allow-origin' => '*', 'x-static-asset' => 'served-by-sinatra'}</tt>
+    </dd>
+
+
   <dt>threaded</dt>
     <dd>
       If set to <tt>true</tt>, will tell server to use

data/VERSION

@@ -1 +1 @@
-4.1.0
+4.2.0

data/lib/sinatra/base.rb

@@ -396,11 +396,11 @@ module Sinatra
       end
       params.delete :charset if mime_type.include? 'charset'
       unless params.empty?
-        mime_type << (mime_type.include?(';') ? ', ' : ';')
+        mime_type << ';'
         mime_type << params.map do |key, val|
-          val = val.inspect if val =~ /[";,]/
+          val = val.inspect if val.to_s =~ /[";,]/
           "#{key}=#{val}"
-        end.join(', ')
+        end.join(';')
       end
       response['content-type'] = mime_type
     end
@@ -711,7 +711,7 @@ module Sinatra
     def etag_matches?(list, new_resource = request.post?)
       return !new_resource if list == '*'
 
-      list.to_s.split(/\s*,\s*/).include? response['ETag']
+      list.to_s.split(',').map(&:strip).include?(response['ETag'])
     end
 
     def with_params(temp_params)
@@ -1099,7 +1099,6 @@ module Sinatra
     # Returns pass block.
     def process_route(pattern, conditions, block = nil, values = [])
       route = @request.path_info
-      route = '/' if route.empty? && !settings.empty_path_info?
       route = route[0..-2] if !settings.strict_paths? && route != '/' && route.end_with?('/')
 
       params = pattern.params(route)
@@ -1143,6 +1142,7 @@ module Sinatra
 
     # Attempt to serve static files from public directory. Throws :halt when
     # a matching file is found, returns nil otherwise.
+    # If custom static headers are defined, use them.
     def static!(options = {})
       return if (public_dir = settings.public_folder).nil?
 
@@ -1156,6 +1156,9 @@ module Sinatra
 
       env['sinatra.static_file'] = path
       cache_control(*settings.static_cache_control) if settings.static_cache_control?
+
+      headers(settings.static_headers) if settings.static_headers?
+
       send_file path, options.merge(disposition: nil)
     end
 
@@ -1772,7 +1775,6 @@ module Sinatra
       end
 
       def route(verb, path, options = {}, &block)
-        enable :empty_path_info if path == '' && empty_path_info.nil?
         signature = compile!(verb, path, block, **options)
         (@routes[verb] ||= []) << signature
         invoke_hook(:route_added, verb, path, block)
@@ -1969,7 +1971,7 @@ module Sinatra
     set :running_server, nil
     set :handler_name, nil
     set :traps, true
-    set :server, %w[]
+    set :server, %w[webrick]
     set :bind, proc { development? ? 'localhost' : '0.0.0.0' }
     set :port, Integer(ENV['PORT'] && !ENV['PORT'].empty? ? ENV['PORT'] : 4567)
     set :quiet, false
@@ -1998,7 +2000,6 @@ module Sinatra
 
     set :absolute_redirects, true
     set :prefixed_redirects, false
-    set :empty_path_info, nil
     set :strict_paths, true
 
     set :app_file, nil
@@ -2011,6 +2012,8 @@ module Sinatra
     set :public_folder, proc { root && File.join(root, 'public') }
     set :static, proc { public_folder && File.exist?(public_folder) }
     set :static_cache_control, false
+    
+    set :static_headers, {}
 
     error ::Exception do
       response.status = 500

data/lib/sinatra/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sinatra
-  VERSION = '4.1.0'
+  VERSION = '4.2.0'
 end

data/sinatra.gemspec

@@ -40,7 +40,8 @@ RubyGems 2.0 or newer is required to protect against public gem pushes. You can
     'homepage_uri' => 'http://sinatrarb.com/',
     'bug_tracker_uri' => 'https://github.com/sinatra/sinatra/issues',
     'mailing_list_uri' => 'http://groups.google.com/group/sinatrarb',
-    'documentation_uri' => 'https://www.rubydoc.info/gems/sinatra'
+    'documentation_uri' => 'https://www.rubydoc.info/gems/sinatra',
+    'rubygems_mfa_required' => 'true',
   }
 
   s.required_ruby_version = '>= 2.7.8'

metadata

@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.2.0
 platform: ruby
 authors:
 - Blake Mizerany
 - Ryan Tomayko
 - Simon Rozet
 - Konstantin Haase
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-18 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logger
@@ -67,14 +66,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.1.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rack-session
   requirement: !ruby/object:Gem::Requirement
@@ -115,8 +114,8 @@ email: sinatrarb@googlegroups.com
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - LICENSE
+- README.md
 files:
 - ".yardopts"
 - AUTHORS.md
@@ -153,7 +152,7 @@ metadata:
   bug_tracker_uri: https://github.com/sinatra/sinatra/issues
   mailing_list_uri: http://groups.google.com/group/sinatrarb
   documentation_uri: https://www.rubydoc.info/gems/sinatra
-post_install_message: 
+  rubygems_mfa_required: 'true'
 rdoc_options:
 - "--line-numbers"
 - "--title"
@@ -174,8 +173,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key: 
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Classy web-development dressed in a DSL
 test_files: []