Commit 2923d632 authored by Sruthi Chandran's avatar Sruthi Chandran

New upstream version 2.0.6

parent 5e0612e3
......@@ -60,8 +60,8 @@ below.
the presence or absence of the
appropriate HTTP header in the
request. See
{https://tools.ietf.org/html/rfc3875#section-4.1.18
RFC3875 section 4.1.18} for
<a href="https://tools.ietf.org/html/rfc3875#section-4.1.18">
RFC3875 section 4.1.18</a> for
specific behavior.
In addition to this, the Rack environment must include these
Rack-specific variables:
......@@ -98,12 +98,13 @@ Rack-specific variables:
Additional environment specifications have approved to
standardized middleware APIs. None of these are required to
be implemented by the server.
<tt>rack.session</tt>:: A hash like interface for storing request session data.
<tt>rack.session</tt>:: A hash like interface for storing
request session data.
The store must implement:
store(key, value) (aliased as []=);
fetch(key, default = nil) (aliased as []);
delete(key);
clear;
store(key, value) (aliased as []=);
fetch(key, default = nil) (aliased as []);
delete(key);
clear;
<tt>rack.logger</tt>:: A common object interface for logging messages.
The object must implement:
info(message, &block)
......@@ -18,7 +18,7 @@ module Rack
VERSION.join(".")
end
RELEASE = "2.0.5"
RELEASE = "2.0.6"
# Return the Rack release as a dotted string.
def self.release
......@@ -5,7 +5,7 @@ module Rack
class MultipartPartLimitError < Errno::EMFILE; end
class Parser
BUFSIZE = 1_048_576
BUFSIZE = 16384
TEXT_PLAIN = "text/plain"
TEMPFILE_FACTORY = lambda { |filename, content_type|
Tempfile.new(["RackMultipart", ::File.extname(filename.gsub("\0".freeze, '%00'.freeze))])
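Review bot: The BUFSIZE change from 1_048_576 to 16384 carries no comment recording why the read chunk shrank, so a later maintainer has nothing to stop them raising it again; I would annotate the constant, e.g. `BUFSIZE = 16384 # read multipart bodies in 16 KiB chunks so per-request buffering stays bounded`. Whether the smaller chunk interacts with how the parser handles boundaries that straddle two reads is not visible here, since the rest of Parser lies outside the hunk — worth confirming before merge.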
......@@ -11,6 +11,8 @@ module Rack
# req.params["data"]
class Request
SCHEME_WHITELIST = %w(https http).freeze
def initialize(env)
@params = nil
super(env)
......@@ -188,10 +190,8 @@ module Rack
'https'
elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
'https'
elsif get_header(HTTP_X_FORWARDED_SCHEME)
get_header(HTTP_X_FORWARDED_SCHEME)
elsif get_header(HTTP_X_FORWARDED_PROTO)
get_header(HTTP_X_FORWARDED_PROTO).split(',')[0]
elsif forwarded_scheme
forwarded_scheme
else
get_header(RACK_URL_SCHEME)
end
......@@ -479,6 +479,19 @@ module Rack
def reject_trusted_ip_addresses(ip_addresses)
ip_addresses.reject { |ip| trusted_proxy?(ip) }
end
def forwarded_scheme
scheme_headers = [
get_header(HTTP_X_FORWARDED_SCHEME),
get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
]
scheme_headers.each do |header|
return header if SCHEME_WHITELIST.include?(header)
end
nil
end
end
include Env
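Review bot: forwarded_scheme splits only X-Forwarded-Proto on commas, so a comma-separated X-Forwarded-Scheme never matches SCHEME_WHITELIST and silently falls back to rack.url_scheme; if that asymmetry is intended a comment should say so, otherwise apply the same `.to_s.split(',')[0]` to both headers. Matching is exact and case-sensitive (`HTTPS` is rejected, which fails closed), which is worth recording on the constant introduced in the earlier hunk: `# Only these exact lowercase values may be taken from X-Forwarded-Scheme / X-Forwarded-Proto; anything else falls back to rack.url_scheme.` The each/return/nil loop reads more idiomatically as `scheme_headers.find { |header| SCHEME_WHITELIST.include?(header) }`. The `scheme` method whose tail appears in the middle hunk starts outside it, and whether forwarded_scheme sits below a `private` marker is not visible here.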
......@@ -46,7 +46,7 @@ module Rack
end
def prefers_plaintext?(env)
!accepts_html(env)
!accepts_html?(env)
end
def accepts_html?(env)
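Review bot: prefers_plaintext? carries no comment stating its contract, and its one-line body gives a reader no hint of when the plaintext rendering path is taken; I would add `# @return [Boolean] true unless the client's Accept header asks for HTML (see accepts_html?)`. accepts_html?'s body is outside the hunk, so confirm that wording against it before adopting.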
......@@ -572,6 +572,11 @@ class RackRequestTest < Minitest::Spec
request.must_be :ssl?
end
it "prevents scheme abuse" do
request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
request.scheme.must_equal 'http'
end
it "parse cookies" do
req = make_request \
Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")
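Review bot: The new test exercises only X-Forwarded-Scheme, so the X-Forwarded-Proto branch and its comma-split (first value wins) path in forwarded_scheme have no coverage; I would add sibling cases such as `'HTTP_X_FORWARDED_PROTO' => 'https, http'` expecting `'https'` and `'HTTP_X_FORWARDED_PROTO' => 'evil, https'` expecting `'http'`, plus a mixed-case `'HTTPS'` value to pin whether non-lowercase input is meant to be rejected. The expected `'http'` relies on MockRequest.env_for's default rack.url_scheme, which is outside this hunk.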
......@@ -77,4 +77,17 @@ describe Rack::ShowExceptions do
assert_match(res, /ShowExceptions/)
assert_match(res, /unknown location/)
end
it "knows to prefer plaintext for non-html" do
# We don't need an app for this
exc = Rack::ShowExceptions.new(nil)
[
[{ "HTTP_ACCEPT" => "text/plain" }, true],
[{ "HTTP_ACCEPT" => "text/foo" }, true],
[{ "HTTP_ACCEPT" => "text/html" }, false]
].each do |env, expected|
assert_equal(expected, exc.prefers_plaintext?(env))
end
end
end
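Review bot: `assert_equal(expected, exc.prefers_plaintext?(env))` inside the table loop gives no indication of which Accept value failed when one case breaks; passing the env as the message, `assert_equal(expected, exc.prefers_plaintext?(env), env.inspect)`, makes the failure self-describing. A row with no HTTP_ACCEPT header at all (`[{}, …]`) would also pin the behaviour for a request without an Accept header, which this table does not cover.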