Rack v3.0.0.beta1 Release Notes
Release Date: 2022-08-08
Security
- Do not use semicolon as GET parameter separator. (#1733, [@jeremyevans])
SPEC Changes
- Response array must now be non-frozen.
- Response `status` must now be an integer greater than or equal to 100.
- Response `headers` must now be an unfrozen hash.
- Response header keys can no longer include uppercase characters.
- Response header values can be an `Array` to handle multiple values (and no longer supports `\n` encoded headers).
- Response body can now respond to `#call` (streaming body) instead of `#each` (enumerable body), for the equivalent of response hijacking in previous versions.
- Middleware must no longer call `#each` on the body, but they can call `#to_ary` on the body if it responds to `#to_ary`.
- `rack.input` is no longer required to be rewindable.
- `rack.multithread`/`rack.multiprocess`/`rack.run_once`/`rack.version` are no longer required environment keys.
- `SERVER_PROTOCOL` is now a required environment key, matching the HTTP protocol used in the request.
- `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional.
- `rack.hijack_io` has been removed completely.
- `rack.response_finished` is an optional environment key which contains an array of callable objects that must accept `#call(env, status, headers, error)` and are invoked after the response is finished (either successfully or unsuccessfully).
- It is okay to call `#close` on `rack.input` to indicate that you no longer need or care about the input.
- The stream argument supplied to the streaming body and hijack must support `#<<` for writing output.
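
The response rules in the SPEC changes above, expressed as a check that can run against a middleware's return value while migrating. This is an added example, not code from Rack or `Rack::Lint`; the method name, messages and sample responses are constructed for illustration.

```ruby
# Added example: checks a [status, headers, body] triple against the
# response rules listed in the SPEC changes. Not Rack::Lint; names are illustrative.
def rack3_response_errors(response)
  unless response.is_a?(Array) && response.size == 3
    return ["response must be an Array of three elements"]
  end
  errors = []
  errors << "response array must not be frozen" if response.frozen?

  status, headers, body = response
  unless status.is_a?(Integer) && status >= 100
    errors << "status must be an Integer >= 100"
  end

  if headers.is_a?(Hash)
    errors << "headers must not be frozen" if headers.frozen?
    headers.each do |key, value|
      errors << "header key #{key.inspect} contains uppercase characters" if key.to_s =~ /[A-Z]/
      # A value is either one String or an Array of Strings (one per header line).
      (value.is_a?(Array) ? value : [value]).each do |v|
        if !v.is_a?(String)
          errors << "header #{key.inspect} value must be a String or Array of Strings"
        elsif v.include?("\n")
          errors << "header #{key.inspect} is newline-encoded; use an Array instead"
        end
      end
    end
  else
    errors << "headers must be a Hash"
  end

  # Enumerable body (#each) or streaming body (#call) are both acceptable.
  unless body.respond_to?(:each) || body.respond_to?(:call)
    errors << "body must respond to #each or #call"
  end
  errors
end

# Constructed samples: a Rack 2 style response, its Rack 3 form, and a streaming body.
RACK2_STYLE = ["200", { "Content-Type" => "text/plain", "Set-Cookie" => "a=1\nb=2" }.freeze, ["ok"]].freeze
RACK3_STYLE = [200, { "content-type" => "text/plain", "set-cookie" => ["a=1", "b=2"] }, ["ok"]]
STREAMING   = [200, { "content-type" => "text/plain" }, ->(stream) { stream << "ok" }]
```
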
Removed
- Remove `rack.multithread`/`rack.multiprocess`/`rack.run_once`. These variables generally come too late to be useful. (#1720, [@ioquatix], [@jeremyevans])
- Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
- Remove internal cookie deletion using pattern matching; there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. (#1844, [@ioquatix])
- Remove `rack.version` as it comes too late to be useful. (#1938, [@ioquatix])
- Extract `rackup` command, `Rack::Server`, `Rack::Handler`, `Rack::Lobster` and related code into a separate gem. (#1937, [@ioquatix])
Added
- `Rack::Headers` added to support lower-case header keys. ([@jeremyevans])
- `Rack::Utils#set_cookie_header` now supports `escape_key: false` to avoid key escaping. ([@jeremyevans])
- `Rack::RewindableInput` supports size. (@ahorek)
- `Rack::RewindableInput::Middleware` added for making `rack.input` rewindable. ([@jeremyevans])
- The RFC 7239 Forwarded header is now supported and considered by default when looking for information on forwarding, falling back to the X-Forwarded-* headers. `Rack::Request.forwarded_priority` accessor has been added for configuring the priority of which header to check. (#1423, [@jeremyevans])
- Allow response headers to contain array of values. (#1598, [@ioquatix])
- Support callable body for explicit streaming support and clarify streaming response body behaviour. (#1745, [@ioquatix], #1748, [@wjordan])
- Allow `Rack::Builder#run` to take a block instead of an argument. (#1942, [@ioquatix])
- Add `rack.response_finished` to `Rack::Lint`. (#1802, [@BlakeWilliams], #1952, [@ioquatix])
- The stream argument must implement `#<<`. (#1959, [@ioquatix])
Changed
- BREAKING CHANGE: Require `status` to be an Integer. (#1662, @olleolleolle)
- BREAKING CHANGE: Query parsing now treats parameters without `=` as having the empty string value instead of nil value, to conform to the URL spec. (#1696, [@jeremyevans])
- Relax validations around `Rack::Request#host` and `Rack::Request#hostname`. (#1606, @pvande)
- Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. (#1658, [@ioquatix])
- Removed options from `Rack::Builder.parse_file` and `Rack::Builder.load_file`. (#1663, [@ioquatix])
- `Rack::HTTP_VERSION` has been removed and the `HTTP_VERSION` env setting is no longer set in the CGI and Webrick handlers. (#970, [@jeremyevans])
- `Rack::Request#[]` and `#[]=` now warn even in non-verbose mode. (#1277, [@jeremyevans])
- Decrease default allowed parameter recursion level from 100 to 32. (#1640, [@jeremyevans])
- Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. (#1603, [@jeremyevans])
- `Rack::Utils.secure_compare` uses OpenSSL's faster implementation if available. (#1711, @bdewater)
- `Rack::Request#POST` now caches an empty hash if input content type is not parseable. (#749, [@jeremyevans])
- BREAKING CHANGE: Updated `trusted_proxy?` to match full 127.0.0.0/8 network. (#1781, @snbloch)
- Explicitly deprecate `Rack::File` which was an alias for `Rack::Files`. (#1811, [@ioquatix])
- Moved `Rack::Session` into separate gem. (#1805, [@ioquatix])
- `rackup -D` option to daemonize no longer changes the working directory to the root. (#1813, [@jeremyevans])
- The `x-forwarded-proto` header is now considered before the `x-forwarded-scheme` header for determining the forwarded protocol. `Rack::Request.x_forwarded_proto_priority` accessor has been added for configuring the priority of which header to check. (#1809, [@jeremyevans])
- `Rack::Request.forwarded_authority` (and methods that call it, such as `host`) now returns the last authority in the forwarded header, instead of the first, as earlier forwarded authorities can be forged by clients. This restores the Rack 2.1 behavior. (#1829, [@jeremyevans])
- Use lower case cookie attributes when creating cookies, and fold cookie attributes to lower case when reading cookies (specifically impacting `secure` and `httponly` attributes). (#1849, [@ioquatix])
- The response array must now be mutable (non-frozen) so middleware can modify it without allocating a new Array, therefore reducing object allocations. (#1887, #1927, [@amatsuda], [@ioquatix])
- `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional. `rack.hijack_io` is no longer required/specified. (#1939, [@ioquatix])
- Allow calling close on `rack.input`. (#1956, [@ioquatix])
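
Why the `Rack::Request.forwarded_authority` change above picks the last authority rather than the first, together with the Forwarded-then-X-Forwarded fallback from the Added section. This is an added example, not Rack's implementation: the helper names, the priority symbols, the simplified header parsing and the sample request are assumptions made for illustration.

```ruby
# Added example (not Rack's code). Collects host= values from an
# RFC 7239 Forwarded header in the order they appear. Parsing is simplified.
def forwarded_hosts(forwarded)
  forwarded.to_s.split(",").flat_map do |element|
    element.split(";").filter_map do |pair|
      name, value = pair.strip.split("=", 2)
      value.delete('"') if name&.casecmp?("host") && value
    end
  end
end

# Collects the comma-separated entries of an X-Forwarded-Host header.
def x_forwarded_hosts(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?)
end

# priority: which header family to consult first (illustrative symbols).
# pick: :last takes the entry nearest the server, :first the one nearest the client.
def forwarded_authority(env, priority: [:forwarded, :x_forwarded], pick: :last)
  priority.each do |type|
    hosts = case type
            when :forwarded   then forwarded_hosts(env["HTTP_FORWARDED"])
            when :x_forwarded then x_forwarded_hosts(env["HTTP_X_FORWARDED_HOST"])
            else []
            end
    return hosts.public_send(pick) unless hosts.empty?
  end
  nil
end

# Constructed request: the client supplied its own Forwarded element and the
# reverse proxy appended the element describing what it actually received.
PROXIED_ENV = {
  "HTTP_FORWARDED" => 'for=203.0.113.7;host=forged.example, for=198.51.100.2;host="app.example"',
  "HTTP_X_FORWARDED_HOST" => "legacy.example"
}.freeze

# Constructed request carrying only the X-Forwarded-* form.
LEGACY_ENV = { "HTTP_X_FORWARDED_HOST" => "forged.example, app.example" }.freeze
```

Taking the last entry only helps when a proxy you control appends or overwrites the header on every request; a request that reaches the application directly can still carry any value the client chose.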
Fixed
- Make Rack::MockResponse handle non-hash headers. (#1629, [@jeremyevans])
- TempfileReaper now deletes temp files if application raises an exception. (#1679, [@jeremyevans])
- Handle cookies with values that end in '=' (#1645, @lukaso)
- Make `Rack::NullLogger` respond to `#fatal!` ([@jeremyevans])
- Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. (#1736, @muirdm)
- `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme`/`X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. (#1730, @erwanst)