@mvastola
Created September 10, 2016 17:53
Changes in Rack 2
diff --git a/HISTORY.md b/HISTORY.md
index 2635c60..406d175 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,14 +1,162 @@
-Fri Jun 19 07:14:50 2015 Matthew Draper <[email protected]>
+Sun Dec 4 18:48:03 2015 Jeremy Daer <[email protected]>
- * Work around a Rails incompatibility in our private API
+ * First-party "SameSite" cookies. Browsers omit SameSite cookies
+ from third-party requests, closing the door on many CSRF attacks.
+
+ Pass `same_site: true` (or `:strict`) to enable:
+ response.set_cookie 'foo', value: 'bar', same_site: true
+ or `same_site: :lax` to use Lax enforcement:
+ response.set_cookie 'foo', value: 'bar', same_site: :lax
+
+ Based on version 7 of the Same-site Cookies internet draft:
+ https://tools.ietf.org/html/draft-west-first-party-cookies-07
+
+ Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
+ updating to drafts 5 and 7.
+
+Tue Nov 3 16:17:26 2015 Aaron Patterson <[email protected]>
+
+ * Add `Rack::Events` middleware for adding event based middleware:
+ middleware that does not care about the response body, but only cares
+ about doing work at particular points in the request / response
+ lifecycle.
+
+Thu Oct 8 14:58:46 2015 Aaron Patterson <[email protected]>
+
+ * Add `Rack::Request#authority` to calculate the authority under which
+ the response is being made (this will be handy for h2 pushes).
+
+Tue Oct 6 13:19:04 2015 Aaron Patterson <[email protected]>
+
+ * Add `Rack::Response::Helpers#cache_control` and `cache_control=`.
+ Use this for setting cache control headers on your response objects.
+
+Tue Oct 6 13:12:21 2015 Aaron Patterson <[email protected]>
+
+ * Add `Rack::Response::Helpers#etag` and `etag=`. Use this for
+ setting etag values on the response.
+
+Sun Oct 3 18:25:03 2015 Jeremy Daer <[email protected]>
+
+ * Introduce `Rack::Response::Helpers#add_header` to add a value to a
+ multi-valued response header. Implemented in terms of other
+ `Response#*_header` methods, so it's available to any response-like
+ class that includes the `Helpers` module.
+
+ * Add `Rack::Request#add_header` to match.
+
+Fri Sep 4 18:34:53 2015 Aaron Patterson <[email protected]>
+
+ * `Rack::Session::Abstract::ID` IS DEPRECATED. Please switch to
+ `Rack::Session::Abstract::Persisted`.
+ `Rack::Session::Abstract::Persisted` uses a request object rather than
+ the `env` hash.
+
+Fri Sep 4 17:32:12 2015 Aaron Patterson <[email protected]>
+
+ * Pull `ENV` access inside the request object in to a module. This
+ will help with legacy Request objects that are ENV based but don't
+ want to inherit from Rack::Request
+
+Fri Sep 4 16:09:11 2015 Aaron Patterson <[email protected]>
+
+ * Move most methods on the `Rack::Request` to a module
+ `Rack::Request::Helpers` and use public API to get values from the
+ request object. This enables users to mix `Rack::Request::Helpers` in
+ to their own objects so they can implement
+ `(get|set|fetch|each)_header` as they see fit (for example a proxy
+ object).
+
+Fri Sep 4 14:15:32 2015 Aaron Patterson <[email protected]>
+
+ * Files and directories with + in the name are served correctly.
+ Rather than unescaping paths like a form, we unescape with a URI
+ parser using `Rack::Utils.unescape_path`. Fixes #265
+
+Thu Aug 27 15:43:48 2015 Aaron Patterson <[email protected]>
+
+ * Tempfiles are automatically closed in the case that there were too
+ many posted.
+
+Thu Aug 27 11:00:03 2015 Aaron Patterson <[email protected]>
+
+ * Added methods for manipulating response headers that don't assume
+ they're stored as a Hash. Response-like classes may include the
+ Rack::Response::Helpers module if they define these methods:
+
+ * Rack::Response#has_header?
+ * Rack::Response#get_header
+ * Rack::Response#set_header
+ * Rack::Response#delete_header
+
+Mon Aug 24 18:05:23 2015 Aaron Patterson <[email protected]>
+
+ * Introduce Util.get_byte_ranges that will parse the value of the
+ HTTP_RANGE string passed to it without depending on the `env` hash.
+ `byte_ranges` is deprecated in favor of this method.
+
+Sat Aug 22 17:49:49 2015 Aaron Patterson <[email protected]>
+
+ * Change Session internals to use Request objects for looking up
+ session information. This allows us to only allocate one request
+ object when dealing with session objects (rather than doing it every
+ time we need to manipulate cookies, etc).
+
+Fri Aug 21 16:30:51 2015 Aaron Patterson <[email protected]>
+
+ * Add `Rack::Request#initialize_copy` so that the env is duped when
+ the request gets duped.
+
+Thu Aug 20 16:20:58 2015 Aaron Patterson <[email protected]>
+
+ * Added methods for manipulating request specific data. This includes
+ data set as CGI parameters, and just any arbitrary data the user wants
+ to associate with a particular request. New methods:
+
+ * Rack::Request#has_header?
+ * Rack::Request#get_header
+ * Rack::Request#fetch_header
+ * Rack::Request#each_header
+ * Rack::Request#set_header
+ * Rack::Request#delete_header
+
+Thu Jun 18 16:00:05 2015 Aaron Patterson <[email protected]>
+
+ * lib/rack/utils.rb: add a method for constructing "delete" cookie
+ headers. This allows us to construct cookie headers without depending
+ on the side effects of mutating a hash.
Fri Jun 12 11:37:41 2015 Aaron Patterson <[email protected]>
* Prevent extremely deep parameters from being parsed. CVE-2015-3225
-### December 18th, Thirty sixth public release 1.6.0
-
-### February 7th, Thirty fifth public release 1.5.2
+### May 6th, 2015, Thirty seventh public release 1.6.1
+ - Fix CVE-2014-9490, denial of service attack in OkJson ([8cd610](https://github.com/rack/rack/commit/8cd61062954f70e0a03e2855704e95ff4bdd4f6e))
+ - Use a monotonic time for Rack::Runtime, if available ([d170b2](https://github.com/rack/rack/commit/d170b2363c949dce60871f9d5a6bfc83da2bedb5))
+ - RACK_MULTIPART_LIMIT changed to RACK_MULTIPART_PART_LIMIT (RACK_MULTIPART_LIMIT is deprecated and will be removed in 1.7.0) ([c096c5](https://github.com/rack/rack/commit/c096c50c00230d8eee13ad5f79ad027d9a3f3ca9))
+ - See the full [git history](https://github.com/rack/rack/compare/1.6.0...1.6.1) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.6%22)
+
+### May 6th, 2015, Thirty seventh public release 1.5.3
+ - Fix CVE-2014-9490, denial of service attack in OkJson ([99f725](https://github.com/rack/rack/commit/99f725b583b357376ffbb7b3b042c5daa3106ad6))
+ - Backport bug fixes to 1.5 series ([#585](https://github.com/rack/rack/pull/585), [#711](https://github.com/rack/rack/pull/711), [#756](https://github.com/rack/rack/pull/756))
+ - See the full [git history](https://github.com/rack/rack/compare/1.5.2...1.5.3) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.5.3%22)
+
+### December 18th, 2014, Thirty sixth public release 1.6.0
+ - Response#unauthorized? helper ([#580](https://github.com/rack/rack/pull/580))
+ - Deflater now accepts an options hash to control compression on a per-request level ([#457](https://github.com/rack/rack/pull/457))
+ - Builder#warmup method for app preloading ([#617](https://github.com/rack/rack/pull/617))
+ - Request#accept_language method to extract HTTP_ACCEPT_LANGUAGE ([#623](https://github.com/rack/rack/pull/623))
+ - Add quiet mode of rack server, rackup --quiet ([#674](https://github.com/rack/rack/pull/674))
+ - Update HTTP Status Codes to RFC 7231 ([#754](https://github.com/rack/rack/pull/754))
+ - Less strict header name validation according to [RFC 2616](https://tools.ietf.org/html/rfc2616) ([#399](https://github.com/rack/rack/pull/399))
+ - SPEC updated to specify headers conform to RFC7230 specification ([6839fc](https://github.com/rack/rack/commit/6839fc203339f021cb3267fb09cba89410f086e9))
+ - Etag correctly marks etags as weak ([#681](https://github.com/rack/rack/issues/681))
+ - Request#port supports multiple x-http-forwarded-proto values ([#669](https://github.com/rack/rack/pull/669))
+ - Utils#multipart_part_limit configures the maximum number of parts a request can contain ([#684](https://github.com/rack/rack/pull/684))
+ - Default host to localhost when in development mode ([#514](https://github.com/rack/rack/pull/514))
+ - Various bugfixes and performance improvements (See the full [git history](https://github.com/rack/rack/compare/1.5.2...1.6.0) and [milestone tag](https://github.com/rack/rack/issues?utf8=%E2%9C%93&q=milestone%3A%22Rack+1.6%22))
+
+### February 7th, 2013, Thirty fifth public release 1.5.2
- Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
- Fix CVE-2013-0262, symlink path traversal in Rack::File
- Add various methods to Session for enhanced Rails compatibility
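Review bot: the SameSite entry at the top of this hunk oversells the protection. `same_site: :lax` still sends the cookie on top-level cross-site GET navigations, and browsers that do not implement the draft ignore the attribute entirely, so the wording should present SameSite as defence in depth alongside existing CSRF tokens rather than something that closes the door on CSRF. Two date lines in the hunk also disagree with the calendar: 4 December 2015 (the SameSite entry) was a Friday, not a Sunday, and 3 October 2015 (the `add_header` entry) was a Saturday. Finally, 1.6.1 and 1.5.3 are both labelled "Thirty seventh public release"; give them distinct ordinals or drop the count for maintenance releases so the sequence stays unambiguous.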
@@ -18,7 +166,7 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <[email protected]>
- Fix a race condition that could result in overwritten pidfiles
- Various documentation additions
-### February 7th, Thirty fifth public release 1.4.5
+### February 7th, 2013, Thirty fifth public release 1.4.5
- Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
- Fix CVE-2013-0262, symlink path traversal in Rack::File
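Review bot: adding the year fixes the header, but 1.5.2 (immediately above this hunk) and 1.4.5 are both still labelled "Thirty fifth public release". Since they are parallel maintenance releases dated the same day, either give 1.4.5 its own ordinal or drop the ordinal from point releases; as written, the release count cannot be followed.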
@@ -353,3 +501,5 @@ Fri Jun 12 11:37:41 2015 Aaron Patterson <[email protected]>
- Removed Rails adapter, was too alpha.
### March 3rd, 2007: First public release 0.1.
+
+/* vim: set filetype=changelog */
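Review bot: the appended `/* vim: set filetype=changelog */` line is editor configuration, not changelog content, and in a Markdown file it renders as literal text after the first-release entry. Prefer a project .editorconfig or per-user vim settings and keep HISTORY.md ending at the 0.1 line.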
@mvastola

How Obtained:

git clone https://github.com/rack/rack.git
cd rack
git diff 1.6.4 2.0.0 HISTORY.md | gist -f rack2.diff -d 'Changes in Rack 2'
