Rack v3.0.0.beta1 Release Notes

Release Date: 2022-08-08
  • Security

    • Do not use semicolon as GET parameter separator. (#1733, [@jeremyevans])

    SPEC Changes

    • Response array must now be non-frozen.
    • Response status must now be an integer greater than or equal to 100.
    • Response headers must now be an unfrozen hash.
    • Response header keys can no longer include uppercase characters.
    • Response header values can be an Array to handle multiple values (and no longer supports \n encoded headers).
    • Response body can now respond to #call (streaming body) instead of #each (enumerable body), for the equivalent of response hijacking in previous versions.
    • Middleware must no longer call #each on the body, but they can call #to_ary on the body if it responds to #to_ary.
    • rack.input is no longer required to be rewindable.
    • rack.multithread/rack.multiprocess/rack.run_once/rack.version are no longer required environment keys.
    • SERVER_PROTOCOL is now a required environment key, matching the HTTP protocol used in the request.
    • rack.hijack? (partial hijack) and rack.hijack (full hijack) are now independently optional.
    • rack.hijack_io has been removed completely.
    • rack.response_finished is an optional environment key which contains an array of callable objects that must accept #call(env, status, headers, error) and are invoked after the response is finished (either successfully or unsuccessfully).
    • It is okay to call #close on rack.input to indicate that you no longer need or care about the input.
    • The stream argument supplied to the streaming body and hijack must support #<< for writing output.

    Removed

    • Remove rack.multithread/rack.multiprocess/rack.run_once. These variables generally come too late to be useful. (#1720, [@ioquatix], [@jeremyevans])
    • Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
    • Remove internal cookie deletion using pattern matching; there are very few practical cases where it would be useful, and browsers handle it correctly without us doing anything special. (#1844, [@ioquatix])
    • Remove rack.version as it comes too late to be useful. (#1938, [@ioquatix])
    • Extract rackup command, Rack::Server, Rack::Handler, Rack::Lobster and related code into a separate gem. (#1937, [@ioquatix])

    Added

    • Rack::Headers added to support lower-case header keys. ([@jeremyevans])
    • Rack::Utils#set_cookie_header now supports escape_key: false to avoid key escaping. ([@jeremyevans])
    • Rack::RewindableInput supports size. (@ahorek)
    • Rack::RewindableInput::Middleware added for making rack.input rewindable. ([@jeremyevans])
    • The RFC 7239 Forwarded header is now supported and considered by default when looking for information on forwarding, falling back to the X-Forwarded-* headers. Rack::Request.forwarded_priority accessor has been added for configuring the priority of which header to check. (#1423, [@jeremyevans])
    • Allow response headers to contain array of values. (#1598, [@ioquatix])
    • Support callable body for explicit streaming support and clarify streaming response body behaviour. (#1745, [@ioquatix], #1748, [@wjordan])
    • Allow Rack::Builder#run to take a block instead of an argument. (#1942, [@ioquatix])
    • Add rack.response_finished to Rack::Lint. (#1802, [@BlakeWilliams], #1952, [@ioquatix])
    • The stream argument must implement #<<. (#1959, [@ioquatix])

    Changed

    • BREAKING CHANGE: Require status to be an Integer. (#1662, @olleolleolle)
    • BREAKING CHANGE: Query parsing now treats parameters without = as having the empty string value instead of nil value, to conform to the URL spec. (#1696, [@jeremyevans])
    • Relax validations around Rack::Request#host and Rack::Request#hostname. (#1606, @pvande)
    • Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. (#1658, [@ioquatix])
    • Removed options from Rack::Builder.parse_file and Rack::Builder.load_file. (#1663, [@ioquatix])
    • Rack::HTTP_VERSION has been removed and the HTTP_VERSION env setting is no longer set in the CGI and Webrick handlers. (#970, [@jeremyevans])
    • Rack::Request#[] and #[]= now warn even in non-verbose mode. (#1277, [@jeremyevans])
    • Decrease default allowed parameter recursion level from 100 to 32. (#1640, [@jeremyevans])
    • Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. (#1603, [@jeremyevans])
    • Rack::Utils.secure_compare uses OpenSSL's faster implementation if available. (#1711, @bdewater)
    • Rack::Request#POST now caches an empty hash if input content type is not parseable. (#749, [@jeremyevans])
    • BREAKING CHANGE: Updated trusted_proxy? to match full 127.0.0.0/8 network. (#1781, @snbloch)
    • Explicitly deprecate Rack::File which was an alias for Rack::Files. (#1811, [@ioquatix])
    • Moved Rack::Session into separate gem. (#1805, [@ioquatix])
    • rackup -D option to daemonize no longer changes the working directory to the root. (#1813, [@jeremyevans])
    • The x-forwarded-proto header is now considered before the x-forwarded-scheme header for determining the forwarded protocol. Rack::Request.x_forwarded_proto_priority accessor has been added for configuring the priority of which header to check. (#1809, [@jeremyevans])
    • Rack::Request.forwarded_authority (and methods that call it, such as host) now returns the last authority in the forwarded header, instead of the first, as earlier forwarded authorities can be forged by clients. This restores the Rack 2.1 behavior. (#1829, [@jeremyevans])
    • Use lower case cookie attributes when creating cookies, and fold cookie attributes to lower case when reading cookies (specifically impacting secure and httponly attributes). (#1849, [@ioquatix])
    • The response array must now be mutable (non-frozen) so middleware can modify it without allocating a new Array, therefore reducing object allocations. (#1887, #1927, [@amatsuda], [@ioquatix])
    • rack.hijack? (partial hijack) and rack.hijack (full hijack) are now independently optional. rack.hijack_io is no longer required/specified. (#1939, [@ioquatix])
    • Allow calling close on rack.input. (#1956, [@ioquatix])
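
The forwarded_authority change listed above (#1829), as an added example that is not Rack's code: a minimal stand-alone RFC 7239 parser showing why the first host in a Forwarded header is client-controlled while the last is the one appended by the nearest proxy. The helper names and the sample header are constructed for illustration.

```ruby
# Added example, not Rack's implementation: a minimal RFC 7239 parser.
# Split on `sep` only when it appears outside a double-quoted string.
def split_outside_quotes(str, sep)
  parts = [String.new]
  in_quotes = false
  escaped = false
  str.each_char do |ch|
    if ch == sep && !in_quotes
      parts << String.new
      next
    end
    in_quotes = !in_quotes if ch == '"' && !escaped
    escaped = in_quotes && ch == "\\" && !escaped
    parts.last << ch
  end
  parts
end

# Strip surrounding quotes and backslash escapes from a quoted-string value.
def unquote(value)
  return value unless value.size >= 2 && value.start_with?('"') && value.end_with?('"')
  value[1..-2].gsub(/\\(.)/, '\1')
end

# Returns one Hash per forwarded-element, in header order (oldest hop first).
def parse_forwarded(header)
  split_outside_quotes(header.to_s, ",").map do |element|
    pairs = split_outside_quotes(element, ";").map do |pair|
      name, value = pair.strip.split("=", 2)
      next if name.nil? || name.empty? || value.nil?
      [name.downcase, unquote(value.strip)]
    end
    pairs.compact.to_h
  end.reject(&:empty?)
end

def forwarded_hosts(header)
  parse_forwarded(header).map { |element| element["host"] }.compact
end

# The first element is whatever arrived from the client side.
def first_authority(header); forwarded_hosts(header).first; end
# The last element was appended by the proxy closest to the application.
def last_authority(header); forwarded_hosts(header).last; end

# Constructed sample: the client supplied the first element itself; the proxy
# directly in front of the application appended the second.
SAMPLE = 'for=203.0.113.7;host=forged.example, ' \
         'for=198.51.100.17;proto=https;host="shop.example:443"'
puts "first=#{first_authority(SAMPLE)} last=#{last_authority(SAMPLE)}"
```

The last element is only meaningful when the application is reachable solely through a proxy that appends its own element to the header.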

    Fixed

    • Make Rack::MockResponse handle non-hash headers. (#1629, [@jeremyevans])
    • TempfileReaper now deletes temp files if application raises an exception. (#1679, [@jeremyevans])
    • Handle cookies with values that end in '=' (#1645, @lukaso)
    • Make Rack::NullLogger respond to #fatal! ([@jeremyevans])
    • Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. (#1736, @muirdm)
    • Rack::Request#scheme returns ws or wss when one of the X-Forwarded-Scheme / X-Forwarded-Proto headers is set to ws or wss, respectively. (#1730, @erwanst)