All Versions
Latest Version
Avg Release Cycle
136 days
Latest Release
843 days ago

Changelog History
Page 4

  • v1.5.2 Changes

    February 07, 2013
    • Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    • Fix CVE-2013-0262, symlink path traversal in Rack::File
    • Add various methods to Session for enhanced Rails compatibility
    • Request#trusted_proxy? now only matches whole stirngs
    • Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
    • URLMap host matching in environments that don't set the Host header fixed
    • Fix a race condition that could result in overwritten pidfiles
    • Various documentation additions
  • v1.5.1 Changes

    January 28, 2013
    • Rack::Lint check_hijack now conforms to other parts of SPEC
    • Added hash-like methods to Abstract::ID::SessionHash for compatibility
    • Various documentation corrections
  • v1.5.0 Changes

    January 21, 2013
    • Introduced hijack SPEC, for before-response and after-response hijacking
    • SessionHash is no longer a Hash subclass
    • Rack::File cache_control parameter is removed, in place of headers options
    • Rack::Auth::AbstractRequest#scheme now yields strings, not symbols
    • Rack::Utils cookie functions now format expires in RFC 2822 format
    • Rack::File now has a default mime type
    • rackup -b 'run".")', option provides command line configs
    • Rack::Deflater will no longer double encode bodies
    • Rack::Mime#match? provides convenience for Accept header matching
    • Rack::Utils#q_values provides splitting for Accept headers
    • Rack::Utils#best_q_match provides a helper for Accept headers
    • Rack::Handler.pick provides convenience for finding available servers
    • Puma added to the list of default servers (preferred over Webrick)
    • Various middleware now correctly close body when replacing it
    • Rack::Request#params is no longer persistent with only GET params
    • Rack::Request#update_param and #delete_param provide persistent operations
    • Rack::Request#trusted_proxy? now returns true for local unix sockets
    • Rack::Response no longer forces Content-Types
    • Rack::Sendfile provides local mapping configuration options
    • Rack::Utils#rfc2109 provides old netscape style time output
    • Updated HTTP status codes
    • Ruby 1.8.6 likely no longer passes tests, and is no longer fully supported
  • v1.4.5 Changes

    February 07, 2013
    • Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    • Fix CVE-2013-0262, symlink path traversal in Rack::File
  • v1.4.4 Changes

    January 13, 2013
    • [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings
    • Fixed erroneous test case in the 1.3.x series
  • v1.4.3 Changes

    January 07, 2013
    • Security: Prevent unbounded reads in large multipart boundaries
  • v1.4.2 Changes

    January 06, 2013
    • Add warnings when users do not provide a session secret
    • Fix parsing performance for unquoted filenames
    • Updated URI backports
    • Fix URI backport version matching, and silence constant warnings
    • Correct parameter parsing with empty values
    • Correct rackup '-I' flag, to allow multiple uses
    • Correct rackup pidfile handling
    • Report rackup line numbers correctly
    • Fix request loops caused by non-stale nonces with time limits
    • Fix reloader on Windows
    • Prevent infinite recursions from Response#to_ary
    • Various middleware better conforms to the body close specification
    • Updated language for the body close specification
    • Additional notes regarding ECMA escape compatibility issues
    • Fix the parsing of multiple ranges in range headers
    • Prevent errors from empty parameter keys
    • Added PATCH verb to Rack::Request
    • Various documentation updates
    • Fix session merge semantics (fixes rack-test)
    • Rack::Static :index can now handle multiple directories
    • All tests now utilize Rack::Lint (special thanks to Lars Gierth)
    • Rack::File cache_control parameter is now deprecated, and removed by 1.5
    • Correct Rack::Directory script name escaping
    • Rack::Static supports header rules for sophisticated configurations
    • Multipart parsing now works without a Content-Length header
    • New logos courtesy of Zachary Scott!
    • Rack::BodyProxy now explicitly defines #each, useful for C extensions
    • Cookies that are not URI escaped no longer cause exceptions
  • v1.4.1 Changes

    January 22, 2012
    • Alter the keyspace limit calculations to reduce issues with nested params
    • Add a workaround for multipart parsing where files contain unescaped "%"
    • Added Rack::Response::Helpers#method_not_allowed? (code 405)
    • Rack::File now returns 404 for illegal directory traversals
    • Rack::File now returns 405 for illegal methods (non HEAD/GET)
    • Rack::Cascade now catches 405 by default, as well as 404
    • Cookies missing '--' no longer cause an exception to be raised
    • Various style changes and documentation spelling errors
    • Rack::BodyProxy always ensures to execute its block
    • Additional test coverage around cookies and secrets
    • Rack::Session::Cookie can now be supplied either secret or old_secret
    • Tests are no longer dependent on set order
    • Rack::Static no longer defaults to serving index files
    • Rack.release was fixed
  • v1.4.0 Changes

    December 28, 2011
    • Ruby 1.8.6 support has officially been dropped. Not all tests pass.
    • Raise sane error messages for broken
    • Allow combining run and map in a
    • Rack::ContentType will not set Content-Type for responses without a body
    • Status code 205 does not send a response body
    • Rack::Response::Helpers will not rely on instance variables
    • Rack::Utils.build_query no longer outputs '=' for nil query values
    • Various mime types added
    • Rack::MockRequest now supports HEAD
    • Rack::Directory now supports files that contain RFC3986 reserved chars
    • Rack::File now only supports GET and HEAD requests
    • Rack::Server#start now passes the block to Rack::Handler::#run
    • Rack::Static now supports an index option
    • Added the Teapot status code
    • rackup now defaults to Thin instead of Mongrel (if installed)
    • Support added for HTTP_X_FORWARDED_SCHEME
    • Numerous bug fixes, including many fixes for new and alternate rubies
  • v1.3.8 Changes

    January 07, 2013
    • Security: Prevent unbounded reads in large multipart boundaries