| Commit message | Author | Age | Files | Lines |
Change error message for .ru file with embedded options, since it's not
just deprecated, the support has been fully removed.
Coverage after this commit:
3282 relevant lines, 3282 lines covered and 0 lines missed. ( 100.0% )
1110 total branches, 1068 branches covered and 42 branches missed. ( 96.22% )
Remove dead code in _normalize_params. There are two different types of
dead code. First, directly before this dead code, you have
`v ||= String.new`, so `!v.nil?` is always true and could be removed.
The remaining conditions for the dead branch are `k.empty?` and
`name = '[]'`. Looking at the conditional above, it's never possible
for these two conditions to be simultaneously true:
```ruby
if !name
  # name != '[]'
elsif depth == 0
  if start = name.index('[', 1)
    k = name[0, start]
    # !k.empty?
  else
    k = name
    # !k.empty? || name != '[]'
  end
elsif name.start_with?('[]')
  k = '[]'
  # !k.empty?
else # all remaining branches
  # name != '[]', otherwise previous branch taken
end
```
Coverage after this commit:
3283 relevant lines, 3282 lines covered and 1 lines missed. ( 99.97% )
1112 total branches, 1068 branches covered and 44 branches missed. ( 96.04% )
The comment says this should be removed in Rack 3. This was added
in Rack 2.2, so it should be safe to remove now.
Simplify #server_port now that it is required to be an integer.
Simplify #port.
Remove nested conditional in #ip.
Remove private #extract_proto_header, unused since
b87d1828bd90b24eb0fa4a99abf580d9ddde4a0e (added in
6f349e1d2d1f528c486417d3421609be6e033e31, so only available since
2.1).
Coverage after this commit:
3286 relevant lines, 3282 lines covered and 4 lines missed. ( 99.88% )
1114 total branches, 1067 branches covered and 47 branches missed. ( 95.78% )
Raise for HeadersHash.allocate, don't define HeadersHash#allocate.
Remove unnecessary character class in regexp for parsing cookies.
Coverage after this commit:
3301 relevant lines, 3287 lines covered and 14 lines missed. ( 99.58% )
1130 total branches, 1067 branches covered and 63 branches missed. ( 94.42% )
Fix obviously broken code in respond_to? implementation.
Coverage after this commit:
3305 relevant lines, 3280 lines covered and 25 lines missed. ( 99.24% )
1133 total branches, 1061 branches covered and 72 branches missed. ( 93.65% )
Coverage after this commit:
3305 relevant lines, 3266 lines covered and 39 lines missed. ( 98.82% )
1133 total branches, 1039 branches covered and 94 branches missed. ( 91.7% )
Fix handling of accept-encoding in vary header, since Array#include?
when called with an array doesn't check if any element in the array
matches.
Coverage after this commit:
3305 relevant lines, 3257 lines covered and 48 lines missed. ( 98.55% )
1133 total branches, 1036 branches covered and 97 branches missed. ( 91.44% )
Remove unnecessary conditional in -D option handling.
Simplify code in --profile-mode option handling.
Remove unnecessary begin clause in handler_opts, since it
covers the whole method.
Remove use of SPEC_ARGV, just use ARGV and set Rack::Server::ARGV
in the specs, relying on normal constant lookup.
Simplify server method now that Rack::Handler::FastCGI is no longer
present.
Coverage after this change:
3305 relevant lines, 3254 lines covered and 51 lines missed. ( 98.46% )
1134 total branches, 1028 branches covered and 106 branches missed. ( 90.65% )
Simplify coverage testing code while here.
Current coverage:
3311 relevant lines, 3243 lines covered and 68 lines missed. ( 97.95% )
1140 total branches, 1021 branches covered and 119 branches missed. ( 89.56% )
SPEC does not currently specify a way to get the HTTP
version in use. However, both Chunked and CommonLogger need access
to the http version for correct functioning, and other users in
the rack ecosystem need it as well (Roda needs it, and I've just
identified a need for it in rack-test).
Unicorn, Webrick, and Puma all currently set SERVER_PROTOCOL.
However, Puma currently sets SERVER_PROTOCOL statically to
HTTP/1.1, unlike Unicorn and Webrick, which set it to the
protocol used by the client. Unicorn and Puma set HTTP_VERSION
to the protocol used by the client.
This specifies that SERVER_PROTOCOL should match the protocol
used by the client, that it should be a valid protocol matching
HTTP/\d(\.\d)?, and that if HTTP_VERSION is provided, it must
match SERVER_PROTOCOL. This will require minor changes to Puma
to be compliant with the new SPEC.
Set SERVER_PROTOCOL to HTTP/1.1 by default in Rack::MockRequest,
allowing it to be set by the :http_version option. Update
CommonLogger specs to include the version.
This removes a spec in Chunked for usage without SERVER_PROTOCOL.
A comment in the removed lines indicates unicorn will not set
SERVER_PROTOCOL for HTTP/0.9 requests, but that is incorrect, as
unicorn has set SERVER_PROTOCOL to HTTP/0.9 since 2009 (see unicorn
commit bd0599c4ac91d95cae1f34df3ae99c92f3225391). The related
comment was correct when added in 2009 (rack commit
895beec0622d3cafdc5fbae20d665c6d5f6c8e7c), but has been incorrect
since the code was changed from HTTP_VERSION to SERVER_PROTOCOL in
2015 (rack commit e702d31335c1a820e99c3acdd9d3368ac25da010).
This commit adds two new predicate methods to the `Rack::Response`
class:
- `not_acceptable?` which returns true on HTTP 406 Not Acceptable
- `request_timeout?` which returns true on HTTP 408 Request Timeout
Links to MDN documentation for each status code:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/406
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/408
At least on OpenBSD, this test occasionally hangs, because the
`wr.write` does not return/raise after the `rd.close` in the other
thread. Switch to `write_nonblock` with `exception: false`, using
Thread.pass if the write would block.
With this change, the test takes less than two seconds and does
not hang.
There isn't a reason the constant needs to be autoloaded. If puma or
falcon is not installed, the try_require will still load the webrick
handler file, so register the handler in the handler file, similar
to how puma and falcon handle it. This makes webrick support less
special.
The Request.forwarded_priority accessor sets the priority. Default to
considering Forwarded first, since it is now the official standard.
Also allow configuring whether X-Forwarded-Proto or X-Forwarded-Scheme
has priority, using the Request.x_forwarded_proto_priority
accessor.
Allowing configurable priorities for these headers is necessary,
because which headers should be checked depends on the environment
the application runs in.
Make Request#forwarded_authority use the last forwarded authority
instead of the first forwarded authority, since earlier forwarded
authorities can be forged by the client.
Fixes #1809
Fixes #1829
Implements #1423
Implements #1832
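As an added illustration of the priority and last-element rules this message describes (example code written here, not Rack's own `Rack::Request` implementation), the following parses a `Forwarded` header and resolves the authority from a configurable list of sources; the helper names and the constructed `SAMPLE_ENV` are assumptions, not values from the project.

```ruby
# A Forwarded (RFC 7239) value holds one element per proxy hop, e.g.
#   for=192.0.2.43;host=client-chosen.example, for=198.51.100.17;host=app.example.com
# Each proxy appends its own element, so only the last one was written by the proxy
# nearest the application; earlier elements may be whatever the client sent.
# Helper names below are assumptions for this illustration, not Rack's API.
def parse_forwarded(value)
  value.split(",").map do |element|
    element.split(";").each_with_object({}) do |pair, attrs|
      key, val = pair.strip.split("=", 2)
      next if key.nil? || val.nil?
      attrs[key.downcase] = val.delete_prefix('"').delete_suffix('"')
    end
  end
end

# Last forwarded host, as the commit changes Request#forwarded_authority to use
def forwarded_authority(env)
  return nil unless (header = env["HTTP_FORWARDED"])
  parse_forwarded(header).reverse_each { |e| return e["host"] if e["host"] }
  nil
end

# X-Forwarded-Host is also appended to per hop, so the last entry is used here too
def x_forwarded_host_authority(env)
  return nil unless (header = env["HTTP_X_FORWARDED_HOST"])
  header.split(",").last.strip
end

# Priority is configurable because it depends on which proxies sit in front of
# the app; [:forwarded, :x_forwarded] mirrors the commit's new default order.
def authority(env, priority: [:forwarded, :x_forwarded])
  priority.each do |source|
    found = case source
            when :forwarded then forwarded_authority(env)
            when :x_forwarded then x_forwarded_host_authority(env)
            end
    return found if found
  end
  env["HTTP_HOST"] || env["SERVER_NAME"]
end

# Constructed sample env (not a real capture)
SAMPLE_ENV = {
  "HTTP_FORWARDED" => 'for=192.0.2.43;host="client-chosen.example", for=198.51.100.17;host=app.example.com',
  "HTTP_X_FORWARDED_HOST" => "xfh.example.com",
  "HTTP_HOST" => "internal:9292"
}.freeze
```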
Co-authored-by: Matt Bostock <matt@mattbostock.com>
Co-authored-by: Jeremy Evans <code@jeremyevans.net>
This can be set to false to avoid escaping the key.
This is a very explicit approach to allowing some cookie names to
not be escaped.
Fixes #1796
Tighten up IPv6 parsing rules using regexp extracted from resolv in stdlib,
simplified to avoid creating additional groups.
Tighten up hostname matching to graphical characters, except square brackets
(so it doesn't overlap with IPv6 parsing).
Avoid unnecessary IPv4 matching, since anything that matches as an IPv4
address would match as a hostname.
Remove unnecessary named group creation.
Don't allow trailing newlines in host names.
Fixes #1607
Co-authored-by: Pieter van de Bruggen <pvande@gmail.com>
* Allow headers to be an Array of String instances.
* Add deprecated compatibility shims.
Change SPEC to not allow uppercase header keys
Also, update CHANGELOG with other spec changes made since 2.2.
Implements #1592
Add Rack::Encryptor which uses AES-256-CTR with HMAC-SHA-256 for
authentication. The secret key must be 64 bytes long and the first 32
bytes are used for the base encryption key and the remaining bytes are
used for the authentication code. A random value is generated at
encryption time to create a per-message encryption key. This key is
generated using HMAC-SHA-256 and the initial base secret key.
For a complete history of these changes please see:
- https://github.com/rack/rack/pull/1177
- https://github.com/mjc-gh/rack/tree/rack-aead-session-cookie-pr-1177-archive
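To make the construction concrete, here is an added example (written for this page, not the project's `Rack::Encryptor` source) of the scheme the message describes: a 64-byte secret split into a base key and a MAC key, a per-message key derived with HMAC-SHA-256 from a random value, AES-256-CTR for confidentiality and an HMAC-SHA-256 tag for authentication. The module name and the byte layout of the output are assumptions made here.

```ruby
require "openssl"
require "securerandom"
# Added illustration of the scheme this commit message describes; it is not Rack's
# Rack::Encryptor code, and the message layout is an assumption made here:
#   salt(32) || iv(16) || ciphertext || hmac_tag(32)
module DemoEncryptor
  SALT_LEN = 32
  IV_LEN = 16
  TAG_LEN = 32
  # 64-byte secret: first 32 bytes = base encryption key, last 32 = MAC key
  def self.split_secret(secret)
    raise ArgumentError, "secret must be 64 bytes" unless secret.bytesize == 64
    [secret.byteslice(0, 32), secret.byteslice(32, 32)]
  end
  def self.encrypt(secret, plaintext)
    base_key, mac_key = split_secret(secret)
    salt = SecureRandom.random_bytes(SALT_LEN)
    cipher = OpenSSL::Cipher.new("aes-256-ctr")
    cipher.encrypt
    cipher.key = OpenSSL::HMAC.digest("SHA256", base_key, salt) # per-message key
    iv = cipher.random_iv
    body = salt + iv + cipher.update(plaintext) + cipher.final
    body + OpenSSL::HMAC.digest("SHA256", mac_key, body) # encrypt-then-MAC
  end

  # Returns the plaintext, or nil when the tag does not verify; CTR mode alone
  # gives no integrity, so the HMAC check must happen before any decryption.
  def self.decrypt(secret, message)
    base_key, mac_key = split_secret(secret)
    return nil if message.bytesize < SALT_LEN + IV_LEN + TAG_LEN
    body = message.byteslice(0, message.bytesize - TAG_LEN)
    tag = message.byteslice(-TAG_LEN, TAG_LEN)
    return nil unless secure_equal?(OpenSSL::HMAC.digest("SHA256", mac_key, body), tag)
    salt = body.byteslice(0, SALT_LEN)
    iv = body.byteslice(SALT_LEN, IV_LEN)
    ciphertext = body.byteslice(SALT_LEN + IV_LEN, body.bytesize - SALT_LEN - IV_LEN)
    cipher = OpenSSL::Cipher.new("aes-256-ctr")
    cipher.decrypt
    cipher.key = OpenSSL::HMAC.digest("SHA256", base_key, salt)
    cipher.iv = iv
    cipher.update(ciphertext) + cipher.final
  end

  # Constant-time comparison so tag verification does not leak timing information
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```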
This will automatically wrap rack.input with Rack::RewindableInput,
for compatibility with middleware and applications that expect
rewindable input.
Related to #1148, but this does not contain any SPEC changes. It's
possible for servers targeting Rack 2 compatibility to use this
middleware to implement the compatibility.
Enable directly requiring Rack components
Add test:separate task to test run each test file separately.
This is to test that directly requiring a rack component will work.
With test:separate, the test helper will not require rack, and each
test file should call separate_testing with a block that uses
require_relative to only require that component being tested.
Add the appropriate relative requires to get all tests passing
when run separately.
Note that this isn't foolproof. In many cases, the tests use
Rack components that are not under test (such as lint and mock),
and both of those use other rack components, so it's possible
the tests are loading hidden dependencies. I attempted to check
each component to try to find the hidden dependencies, but it is
certainly possible I missed something.
Implements #1621.
This implements a Hash subclass that lower-cases keys passed to it.
The expected usage is for Rack 2 libraries/frameworks that want to be
compatible with Rack 3, assuming that we require response header
keys to be lower-case in Rack 3 (as discussed in #1592).
I've tested this implementation in Roda (a web framework), and only
minimal changes were needed to get Roda's tests passing with it,
even though Roda uses mixed-case headers throughout its implementation
and tests. It was simple to get the tests passing both with the
implementation and without, showing that it's possible to get a
framework that can support both Rack 2 and Rack 3.
Additionally, I tested Rodauth (an authentication framework built on
top of Roda), with the modified version of Roda, and again, only
minimal changes were needed to keep the tests passing.
I also tested a handful of small applications based on Roda using the
modified version of Roda, and none of those applications needed any
changes to keep their tests passing. I think that shows that
requiring lower-case response header keys is probably acceptable,
since it should result in minimal if any churn to applications, and
only minor churn to libraries.
The implementation of Rack::Headers is based on ruby-cicphash
(a case-insensitive, case-preserving hash implementation),
but streamlined as case doesn't need to be preserved, and it
is a Hash subclass (as required by Rack 3 SPEC), instead of
an Object subclass that uses a hash internally.
This avoids a RegexpError when trying to parse long key input.
It also avoids an invalid InvalidParameterError when trying
to parse non-UTF8 keys, which was only raised previously
because regexps were used without marking them as ASCII-8BIT.
Flip the depth parameter to QueryParser#normalize_params to
be the current parsing depth, instead of a downward counter
from the maximum depth.
Fix a bunch of questionable behavior in parameter parsing
when using [ and ] outside cases that are expected. Treat
[ and ] as normal characters if they occur outside expected
usage.
This leaves one questionable parameter parsing behavior that
also existed previously, which is that: a[b]c is parsed the
same as a[b][c].
Fixes #1704.
These variables generally come too late to be useful. Make `Rack::Lock`
always use a mutex.
Co-authored-by: Samuel Williams <samuel.williams@oriontransfer.co.nz>
(Fixes #749)
In all other cases, the result was cached, so not caching in this
case is inconsistent, and can result in unexpected behavior if
POST is called multiple times on the same request.
It was determined that as this limit did not affect nested parameter hashes, it didn't actually prevent an attacker from using more than a limited number of bytes for parameter keys, so this limit isn't actually doing anything useful. It is confusing people when it gets in the way of desired large parameter requests.
This is stricter than what was previously required. However,
non-hash response headers would break most of the middleware
that accesses response headers.
Middleware in many cases adds or removes headers, so require
the hash not be frozen, so that this can be done efficiently.
Fixes #1222
Prior to this change, cookies with the `Expires` attribute would have the attribute stored as a `String` object rather than a `Time` object. `CGI::Cookie` expects a `Time` object [1]. Having strings could lead to confusing errors later on. For example, calling `Rack::MockResponse#inspect` would lead to `undefined method `gmtime' for "Fri, 03 Jun 2022 19:37:33 GMT":String`.
As per RFC 6265, if a cookie has both the `Max-Age` and the `Expires` attribute, `Max-Age` has precedence. [2]
Close #1758
[1]: https://ruby-doc.org/stdlib-3.0.1/libdoc/cgi/rdoc/CGI/Cookie.html
[2]: https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.2
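As an added illustration of the two rules in this message (example code written here, not the project's `Rack::MockResponse` or `CGI::Cookie` code), the following parses a `Set-Cookie` header, converts `Expires` into a `Time` object, and applies `Max-Age` precedence when computing the effective expiry; the function names and the constructed sample header are assumptions.

```ruby
require "time"

# Added illustration (not Rack's code): an Expires attribute becomes a Time object,
# and Max-Age takes precedence over Expires when both are present (RFC 6265 4.1.2.2).
# Returns a hash with :name, :value, :expires (Time or nil), :max_age (Integer or nil).
def parse_set_cookie(header)
  pair, *attributes = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  cookie = { name: name, value: value.to_s, expires: nil, max_age: nil }
  attributes.each do |attribute|
    key, val = attribute.split("=", 2)
    next if key.nil?
    case key.downcase
    when "expires"
      # Time.httpdate raises ArgumentError on a malformed date; treat that as absent
      cookie[:expires] = (Time.httpdate(val) rescue nil)
    when "max-age"
      # RFC 6265 requires a decimal integer; anything else is ignored
      cookie[:max_age] = (Integer(val, 10) rescue nil)
    end
  end
  cookie
end

# Effective expiry instant: Max-Age (relative to now) wins over Expires
def effective_expiry(cookie, now: Time.now)
  return now + cookie[:max_age] if cookie[:max_age]
  cookie[:expires]
end

# Constructed sample header (not a real capture); the date is the one quoted above
SAMPLE_SET_COOKIE = "session=abc123; Expires=Fri, 03 Jun 2022 19:37:33 GMT; Max-Age=3600; Path=/; HttpOnly"
```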
The URL spec section 5.1.3.3 specifies that if = is not present
in the byte sequence, it should be treated as if the byte sequence
is the name of the tuple and the value is the empty string.
This affects all parameters without =, not just arrays:
```ruby
Rack::Utils.parse_nested_query("foo[bar]&baz[]&quux")
{"foo"=>{"bar"=>nil}, "baz"=>[nil], "quux"=>nil} # Before
{"foo"=>{"bar"=>""}, "baz"=>[""], "quux"=>""} # After
```
Fixes #1696
It does not appear to be defined with the YAML shipped in Ruby
2.4-2.7. If not defined, define it to call load. Fixes tests
when you don't force a psych version beyond the one that ships
with Ruby. Remove psych from Gemfile so we test the version
that ships with Ruby.
Support callable body for explicit streaming support.