Changelog History

  • v3.0.0 Changes

    September 06, 2022
    • No changes
  • v3.0.0.rc1 Changes

    September 04, 2022

    SPEC Changes

  • v3.0.0.beta1 Changes

    August 08, 2022

    Security

    • Do not use semicolon as GET parameter separator. (#1733, [@jeremyevans])

    SPEC Changes

    • Response array must now be non-frozen.
    • Response status must now be an integer greater than or equal to 100.
    • Response headers must now be an unfrozen hash.
    • Response header keys can no longer include uppercase characters.
    • Response header values can be an Array to handle multiple values (and no longer supports \n encoded headers).
    • Response body can now respond to #call (streaming body) instead of #each (enumerable body), for the equivalent of response hijacking in previous versions.
    • Middleware must no longer call #each on the body, but they can call #to_ary on the body if it responds to #to_ary.
    • rack.input is no longer required to be rewindable.
    • rack.multithread/rack.multiprocess/rack.run_once/rack.version are no longer required environment keys.
    • SERVER_PROTOCOL is now a required environment key, matching the HTTP protocol used in the request.
    • rack.hijack? (partial hijack) and rack.hijack (full hijack) are now independently optional.
    • rack.hijack_io has been removed completely.
    • rack.response_finished is an optional environment key which contains an array of callable objects that must accept #call(env, status, headers, error) and are invoked after the response is finished (either successfully or unsuccessfully).
    • It is okay to call #close on rack.input to indicate that you no longer need or care about the input.
    • The stream argument supplied to the streaming body and hijack must support #<< for writing output.

    Removed

    • Remove rack.multithread/rack.multiprocess/rack.run_once. These variables generally come too late to be useful. (#1720, [@ioquatix], [@jeremyevans])
    • Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
    • Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. (#1844, [@ioquatix])
    • Remove rack.version as it comes too late to be useful. (#1938, [@ioquatix])
    • Extract rackup command, Rack::Server, Rack::Handler, Rack::Lobster and related code into a separate gem. (#1937, [@ioquatix])

    Added

    • Rack::Headers added to support lower-case header keys. ([@jeremyevans])
    • Rack::Utils#set_cookie_header now supports escape_key: false to avoid key escaping. ([@jeremyevans])
    • Rack::RewindableInput supports size. (@ahorek)
    • Rack::RewindableInput::Middleware added for making rack.input rewindable. ([@jeremyevans])
    • The RFC 7239 Forwarded header is now supported and considered by default when looking for information on forwarding, falling back to the X-Forwarded-* headers. Rack::Request.forwarded_priority accessor has been added for configuring the priority of which header to check. (#1423, [@jeremyevans])
    • Allow response headers to contain array of values. (#1598, [@ioquatix])
    • Support callable body for explicit streaming support and clarify streaming response body behaviour. (#1745, [@ioquatix], #1748, [@wjordan])
    • Allow Rack::Builder#run to take a block instead of an argument. (#1942, [@ioquatix])
    • Add rack.response_finished to Rack::Lint. (#1802, [@BlakeWilliams], #1952, [@ioquatix])
    • The stream argument must implement #<<. (#1959, [@ioquatix])

    Changed

    • BREAKING CHANGE: Require status to be an Integer. (#1662, @olleolleolle)
    • BREAKING CHANGE: Query parsing now treats parameters without = as having the empty string value instead of nil value, to conform to the URL spec. (#1696, [@jeremyevans])
    • Relax validations around Rack::Request#host and Rack::Request#hostname. (#1606, @pvande)
    • Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. (#1658, [@ioquatix])
    • Removed options from Rack::Builder.parse_file and Rack::Builder.load_file. (#1663, [@ioquatix])
    • Rack::HTTP_VERSION has been removed and the HTTP_VERSION env setting is no longer set in the CGI and Webrick handlers. (#970, [@jeremyevans])
    • Rack::Request#[] and #[]= now warn even in non-verbose mode. (#1277, [@jeremyevans])
    • Decrease default allowed parameter recursion level from 100 to 32. (#1640, [@jeremyevans])
    • Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. (#1603, [@jeremyevans])
    • Rack::Utils.secure_compare uses OpenSSL's faster implementation if available. (#1711, @bdewater)
    • Rack::Request#POST now caches an empty hash if input content type is not parseable. (#749, [@jeremyevans])
    • BREAKING CHANGE: Updated trusted_proxy? to match full 127.0.0.0/8 network. (#1781, @snbloch)
    • Explicitly deprecate Rack::File which was an alias for Rack::Files. (#1811, [@ioquatix])
    • Moved Rack::Session into separate gem. (#1805, [@ioquatix])
    • rackup -D option to daemonize no longer changes the working directory to the root. (#1813, [@jeremyevans])
    • The x-forwarded-proto header is now considered before the x-forwarded-scheme header for determining the forwarded protocol. Rack::Request.x_forwarded_proto_priority accessor has been added for configuring the priority of which header to check. (#1809, [@jeremyevans])
    • Rack::Request.forwarded_authority (and methods that call it, such as host) now returns the last authority in the forwarded header, instead of the first, as earlier forwarded authorities can be forged by clients. This restores the Rack 2.1 behavior. (#1829, [@jeremyevans])
    • Use lower case cookie attributes when creating cookies, and fold cookie attributes to lower case when reading cookies (specifically impacting secure and httponly attributes). (#1849, [@ioquatix])
    • The response array must now be mutable (non-frozen) so middleware can modify it without allocating a new Array, therefore reducing object allocations. (#1887, #1927, [@amatsuda], [@ioquatix])
    • rack.hijack? (partial hijack) and rack.hijack (full hijack) are now independently optional. rack.hijack_io is no longer required/specified. (#1939, [@ioquatix])
    • Allow calling close on rack.input. (#1956, [@ioquatix])

    Fixed

    • Make Rack::MockResponse handle non-hash headers. (#1629, [@jeremyevans])
    • TempfileReaper now deletes temp files if application raises an exception. (#1679, [@jeremyevans])
    • Handle cookies with values that end in '=' (#1645, @lukaso)
    • Make Rack::NullLogger respond to #fatal! ([@jeremyevans])
    • Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. (#1736, @muirdm)
    • Rack::Request#scheme returns ws or wss when one of the X-Forwarded-Scheme / X-Forwarded-Proto headers is set to ws or wss, respectively. (#1730, @erwanst)
  • v2.2.4 Changes

    June 30, 2022
    • Better support for lower case headers in Rack::ETag middleware. (#1919, @ioquatix)
    • Use custom exception on params too deep error. (#1838, @simi)
  • v2.2.3 Changes

    June 15, 2020

    Security

    • [CVE-2020-8184] Do not allow percent-encoded cookie name to override existing cookie names. BREAKING CHANGE: Accessing cookie names that require URL encoding with decoded name no longer works. (@fletchto99)
  • v2.2.3.1 Changes

    May 27, 2022
    • [CVE-2022-30123] Fix shell escaping issue in Common Logger
    • [CVE-2022-30122] Restrict parsing of broken MIME attachments
  • v2.2.2 Changes

    February 11, 2020

    Fixed

    • Fix incorrect Rack::Request#host value. (#1591, @ioquatix)
    • Revert Rack::Handler::Thin implementation. (#1583, @jeremyevans)
    • Double assignment is still needed to prevent an "unused variable" warning. (#1589, @kamipo)
    • Fix to handle same_site option for session pool. (#1587, @kamipo)
  • v2.2.1 Changes

    February 09, 2020

    Fixed

    • Rework Rack::Request#ip to handle empty forwarded_for. (#1577, @ioquatix)
  • v2.2.0 Changes

    February 08, 2020

    SPEC Changes

    • rack.session request environment entry must respond to to_hash and return unfrozen Hash. (@jeremyevans)
    • Request environment cannot be frozen. (@jeremyevans)
    • CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. (@jeremyevans)
    • Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. (#1561, @ioquatix)

    Added

    • rackup supports multiple -r options and will require all arguments. (@jeremyevans)
    • Server supports an array of paths to require for the :require option. (@khotta)
    • Files supports multipart range requests. (@fatkodima)
    • Multipart::UploadedFile supports an IO-like object instead of using the filesystem, using :filename and :io options. (@jeremyevans)
    • Multipart::UploadedFile supports keyword arguments :path, :content_type, and :binary in addition to positional arguments. (@jeremyevans)
    • Static supports a :cascade option for calling the app if there is no matching file. (@jeremyevans)
    • Session::Abstract::SessionHash#dig. (@jeremyevans)
    • Response.[] and MockResponse.[] for creating instances using status, headers, and body. (@ioquatix)
    • Convenient cache and content type methods for Rack::Response. (#1555, @ioquatix)

    Changed

    • Request#params no longer rescues EOFError. (@jeremyevans)
    • Directory uses a streaming approach, significantly improving time to first byte for large directories. (@jeremyevans)
    • Directory no longer includes a Parent directory link in the root directory index. (@jeremyevans)
    • QueryParser#parse_nested_query uses original backtrace when reraising exception with new class. (@jeremyevans)
    • ConditionalGet follows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. (@jeremyevans)
    • .ru files support the frozen-string-literal magic comment. (@eregon)
    • Rely on autoload to load constants instead of requiring internal files, make sure to require 'rack' and not just 'rack/...'. (@jeremyevans)
    • BREAKING CHANGE: Etag will continue sending ETag even if the response should not be cached. Streaming no longer works without a workaround, see #1619. (@henm)
    • Request#host_with_port no longer includes a colon for a missing or empty port. (@AlexWayfer)
    • All handlers use keyword arguments instead of an options hash argument. (@ioquatix)
    • Files handling of range requests no longer returns a body that supports to_path, to ensure range requests are handled correctly. (@jeremyevans)
    • Multipart::Generator only includes Content-Length for files with paths, and Content-Disposition filename if the UploadedFile instance has one. (@jeremyevans)
    • Request#ssl? is true for the wss scheme (secure websockets). (@jeremyevans)
    • Rack::HeaderHash is memoized by default. (#1549, @ioquatix)
    • Rack::Directory allows directory traversal inside root directory. (#1417, @ThomasSevestre)
    • Sort encodings by server preference. (#1184, @ioquatix, @wjordan)
    • Rework host/hostname/authority implementation in Rack::Request. #host and #host_with_port have been changed to correctly return IPv6 addresses formatted with square brackets, as defined by RFC3986. (#1561, @ioquatix)
    • Rack::Builder parsing options on first #\ line is deprecated. (#1574, @ioquatix)

    Removed

    • Directory#path as it was not used and always returned nil. (@jeremyevans)
    • BodyProxy#each as it was only needed to work around a bug in Ruby <1.9.3. (@jeremyevans)
    • URLMap::INFINITY and URLMap::NEGATIVE_INFINITY, in favor of Float::INFINITY. (@ch1c0t)
    • Deprecation of Rack::File. It will be deprecated again in rack 2.2 or 3.0. (@rafaelfranca)
    • Support for Ruby 2.2 as it is well past EOL. (@ioquatix)
    • Remove Rack::Files#response_body as the implementation was broken. (#1153, @ioquatix)
    • Remove SERVER_ADDR which was never part of the original SPEC. (#1573, @ioquatix)

    Fixed

    • Directory correctly handles root paths containing glob metacharacters. (@jeremyevans)
    • Cascade uses a new response object for each call if initialized with no apps. (@jeremyevans)
    • BodyProxy correctly delegates keyword arguments to the body object on Ruby 2.7+. (@jeremyevans)
    • BodyProxy#method correctly handles methods delegated to the body object. (@jeremyevans)
    • Request#host and Request#host_with_port handle IPv6 addresses correctly. (@AlexWayfer)
    • Lint checks when response hijacking that rack.hijack is called with a valid object. (@jeremyevans)
    • Response#write correctly updates Content-Length if initialized with a body. (@jeremyevans)
    • CommonLogger includes SCRIPT_NAME when logging. (@Erol)
    • Utils.parse_nested_query correctly handles empty queries, using an empty instance of the params class instead of a hash. (@jeremyevans)
    • Directory correctly escapes paths in links. (@yous)
    • Request#delete_cookie and related Utils methods handle :domain and :path options in same call. (@jeremyevans)
    • Request#delete_cookie and related Utils methods do an exact match on :domain and :path options. (@jeremyevans)
    • Static no longer adds headers when a gzipped file request has a 304 response. (@chooh)
    • ContentLength sets Content-Length response header even for bodies not responding to to_ary. (@jeremyevans)
    • Thin handler supports options passed directly to Thin::Controllers::Controller. (@jeremyevans)
    • WEBrick handler no longer ignores :BindAddress option. (@jeremyevans)
    • ShowExceptions handles invalid POST data. (@jeremyevans)
    • Basic authentication requires a password, even if the password is empty. (@jeremyevans)
    • Lint checks response is array with 3 elements, per SPEC. (@jeremyevans)
    • Support for using :SSLEnable option when using WEBrick handler. (Gregor Melhorn)
    • Close response body after buffering it when buffering. (@ioquatix)
    • Only accept ; as delimiter when parsing cookies. (@mrageh)
    • Utils::HeaderHash#clear clears the name mapping as well. (@raxoft)
    • Support for passing nil to Rack::Files.new, which notably fixes Rails' current ActiveStorage::FileServer implementation. (@ioquatix)

    Documentation

    • CHANGELOG updates. (@aupajo)
    • Added [CONTRIBUTING](CONTRIBUTING.md). (@dblock)
  • v2.1.4

    June 15, 2020