rack / rack
A modular Ruby web server interface.
License: Other
Seems like the escape_html algorithm can be significantly optimized (~5x) using this patch: bahuvrihi/rack@3a9c6fc0d250bb44f2ca298771a749dc17da602b
For benchmarks of the optimized version, as well as several variations that came to mind, see http://gist.github.com/436253. I had a hard time believing this but for me the rack specs pass a full 0.5 seconds faster with the patch (~3.6s vs ~3.1s).
Note that I also added a spec for escape_html as there was not one before.
I solved the problem by uninstalling 1.1.0.
Also, there is a thread here: http://www.ruby-forum.com/topic/201603
{ :foo => [1,2] }
should produce
foo[]=1&foo[]=2
not
foo=1&foo=2
ref: https://rails.lighthouseapp.com/projects/8994/tickets/4714-rails-238-breaks-selenium-test
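The encoding the report above asks for, as an added example that is not Rack's own build_nested_query: arrays get a trailing "[]" on the key and hashes get "[key]", recursively, so the receiving side can rebuild the structure. The escaping uses CGI.escape from the standard library; the sample inputs in the comments are constructed for the example.

```ruby
require 'cgi'

# Added example, not Rack's own build_nested_query: encode a nested Hash
# so that { :foo => [1, 2] } becomes "foo[]=1&foo[]=2". Arrays get a
# trailing "[]" on the key and Hashes get "[key]", recursively, so the
# receiving side can rebuild the structure; a bare repeated "foo=1&foo=2"
# loses the information that the values belong to one array.
def build_nested_query(value, prefix = nil)
  case value
  when Array
    value.map { |v| build_nested_query(v, "#{prefix}[]") }.join("&")
  when Hash
    value.map { |k, v|
      key = prefix ? "#{prefix}[#{CGI.escape(k.to_s)}]" : CGI.escape(k.to_s)
      build_nested_query(v, key)
    }.join("&")
  when nil
    prefix.to_s                     # "foo" with no "=": a present but empty key
  else
    raise ArgumentError, "top-level value must be a Hash" if prefix.nil?
    "#{prefix}=#{CGI.escape(value.to_s)}"
  end
end
```

A value such as "a&b=c" is escaped to "q=a%26b%3Dc", so user-supplied values can never inject extra pairs into the query string.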
I have been searching for the source of this error. It appears to be within rack.
A git bisect search points to the first bad commit
commit 8f836f4
Author: Eric Wong [email protected]
Date: Thu Dec 10 21:34:17 2009 -0600
The first ip is the client ip. Why is the last ip returned by request.ip?
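Why the rightmost address is the one to trust, as an added example that is not Rack's request.ip: each proxy appends the address it saw, so the leftmost entries of X-Forwarded-For are whatever the client chose to send. Walking from the socket address leftwards and skipping our own proxies yields the first address not under the client's control. The TRUSTED_PROXIES list is an assumption for the example (private ranges and loopback); a deployment would list its actual load balancers.

```ruby
require 'ipaddr'

# Added example, not Rack's request.ip. The trusted-proxy list is an
# assumption for this example; list your own load balancers in production.
TRUSTED_PROXIES = [
  IPAddr.new("127.0.0.0/8"),
  IPAddr.new("10.0.0.0/8"),
  IPAddr.new("172.16.0.0/12"),
  IPAddr.new("192.168.0.0/16"),
].freeze

def trusted_proxy?(addr)
  ip = IPAddr.new(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
rescue IPAddr::InvalidAddressError, ArgumentError
  false   # garbage in the header is never a trusted hop
end

# Walk the hops from nearest (REMOTE_ADDR, what the socket says) to
# farthest (the leftmost X-Forwarded-For entry). The first address that is
# not one of our proxies is the best available client address; everything
# to its left was supplied by the client and cannot be trusted.
def client_ip(env)
  forwarded = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map(&:strip).reject(&:empty?)
  candidates = [env["REMOTE_ADDR"]] + forwarded.reverse
  candidates.each do |addr|
    next if addr.nil? || trusted_proxy?(addr)
    return addr
  end
  env["REMOTE_ADDR"]   # every hop was our own proxy, or the list was empty
end
```

With REMOTE_ADDR 127.0.0.1 and "X-Forwarded-For: 6.6.6.6, 1.2.3.4" the result is 1.2.3.4: the proxy appended 1.2.3.4, and 6.6.6.6 is the client's claim. When the request arrives directly from an untrusted address, the header is ignored entirely.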
This is so that it's easier to see what is going on when debugging with tools like Firebug. Instead of formatting the exception in HTML, simply dumping it in plain text makes everything much more readable.
http://github.com/djanowski/rack/commit/f404683f2fb28834299f0bfff044c04c5744c781
With rack-1.1.0, when I send parameters to an rails controller, I see this:
Parameters: {"param"=>"thevalue", ...}
But with 1.2.1, I get this:
Parameters: {"param"=>"\"thevalue\"", ...}
I couldn't reproduce it locally, but it happens every time I try on ruby 1.9.1 + rack 1.2.1.
All here:
http://github.com/josevalim/rack/commit/5dac45a38c38003f6608ca94fdf40d1d6f4e68ab
This is a giant step forward to make Rails depends on Rack::Session store instead of reimplementing everything from scratch.
Requiring sinatra (which pulls rack) results in the following on Windows XP
C:\temp>ruby test.rb
C:/dev/ruby/lib/ruby/gems/1.8/gems/rack-1.2.1/lib/rack/utils.rb:138:in `union': can't convert Array into String (TypeError)
        from C:/dev/ruby/lib/ruby/gems/1.8/gems/rack-1.2.1/lib/rack/utils.rb:138
        from C:/dev/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
        from C:/dev/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
        from C:/dev/ruby/lib/ruby/gems/1.8/gems/rack-1.2.1/lib/rack/request.rb:1
        from C:/dev/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
        from C:/dev/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
        from C:/dev/ruby/lib/ruby/gems/1.8/gems/rack-1.2.1/lib/rack/showexceptions.rb:3
        from C:/dev/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
         ... 7 levels...
        from C:/dev/ruby/lib/ruby/gems/1.8/gems/sinatra-1.0/lib/sinatra.rb:4
        from C:/dev/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require'
        from C:/dev/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:36:in `require'
        from test.rb:1
Tested with the newest RubyInstaller and the last OneClickInstaller with all gems updated to 23.06.2010.
test.rb is just one line: require 'sinatra'
Problem does not exist on Mac OS X with the standard Apple Ruby.
Reverting to rack 1.0.1 solves the problem.
The specification says if both IF_NOT_MODIFIED and IF_MODIFIED_SINCE are used, both should match in order to consider the freshness of a response or not. This is fixed in my fork in this commit:
http://github.com/josevalim/rack/commit/93b198c82ad0afeb2864e5f893b87b8310d568e6
Due to this change, I've also changed the ETag middleware to not be triggered if Last-Modified is being used. This makes sense because if the user is setting it (or ETag), it means he wants to handle the http cache mechanism on its own. This other change is available here:
http://github.com/josevalim/rack/commit/999651fbdee6b1d64dbd4f57cf0fec7bfdee7777
I'm looking forward to some feedback in these changes since I want to change Rails to use these middlewares as well. :)
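The rule the report above describes, as an added example that is not Rack's ConditionalGet middleware: a 200 becomes a 304 only when every validator the client sent matches, so if the request carries both If-None-Match and If-Modified-Since, both must match. It assumes the response headers are a plain case-sensitive Hash with the canonical names "ETag" and "Last-Modified"; the sample app in the test is constructed.

```ruby
require 'time'

# Added example, not Rack::ConditionalGet. Assumes headers is a plain Hash
# keyed by the canonical header names.
class StrictConditionalGet
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless %w[GET HEAD].include?(env["REQUEST_METHOD"]) && status == 200
    if fresh?(env, headers)
      headers.delete("Content-Length")
      headers.delete("Content-Type")
      body.close if body.respond_to?(:close)
      return [304, headers, []]
    end
    [status, headers, body]
  end

  private

  # Every validator the client sent must match; a request with neither is
  # never fresh, and one matching validator never overrides a failing one.
  def fresh?(env, headers)
    none_match     = env["HTTP_IF_NONE_MATCH"]
    modified_since = env["HTTP_IF_MODIFIED_SINCE"]
    return false if none_match.nil? && modified_since.nil?
    etag_ok = none_match.nil?     || etag_matches?(none_match, headers["ETag"])
    date_ok = modified_since.nil? || date_matches?(modified_since, headers["Last-Modified"])
    etag_ok && date_ok
  end

  # RFC 2616 14.26: "*" matches any entity; otherwise one of the listed
  # tags must equal the response's ETag. No ETag on the response: no match.
  def etag_matches?(none_match, etag)
    return false if etag.nil?
    none_match.split(",").map(&:strip).any? { |t| t == "*" || t == etag }
  end

  # No Last-Modified on the response: no match. An unparsable date is a
  # failed match, never a free 304.
  def date_matches?(modified_since, last_modified)
    return false if last_modified.nil?
    Time.httpdate(last_modified) <= Time.httpdate(modified_since)
  rescue ArgumentError
    false
  end
end
```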
According to the rack spec, a repeated response header is specified by providing a newline-separated string containing the values for the header. When the WEBrick runner is presented with such a header, it only emits the last one. See example.
This seems to be a limitation of WEBrick — AFAICT, its HTTPResponse has no way to set multiple values for the same header. However, RFC 1945 section 4.2 indicates that a repeated header must be equivalent to a single instance of the header with a comma-separated list of values. Perhaps the WEBrick handler should emit repeated headers this way. I.e., in the example, the WEBrick handler would return
WWW-Authenticate: Bar realm=X, Baz realm=Y
Please apply this patch to the HEAD: http://gist.github.com/393420 and confirm.
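Both ways of emitting Rack's newline-separated header values, as an added example that is not Rack's WEBrick handler: one value per header line for servers that can repeat a header, and the comma-folded form from RFC 1945 section 4.2 for a sink that stores one string per name. The caveat a practitioner wants is in fold_headers: Set-Cookie is refused, because its Expires attribute contains a comma and browsers do not split Set-Cookie on commas, so folding two cookies produces one corrupt cookie.

```ruby
# Added example, not Rack's WEBrick handler. Headers is a Hash of name to
# a String in which multiple values are separated by "\n" (the Rack spec).

# One [name, value] pair per value, for servers that can repeat a header.
def expand_headers(headers)
  headers.flat_map { |name, value|
    values = value.to_s.split("\n")
    values = [""] if values.empty?          # keep an empty header rather than dropping it
    values.map { |v| [name, v] }
  }
end

# One string per name, joining repeated values with ", " as RFC 1945 4.2
# allows for list-valued fields. Set-Cookie is not a list-valued field:
# "expires=Thu, 01-Jan-1970 ..." already contains a comma, so folding it
# would merge two cookies into one broken value. Refuse instead of corrupting.
def fold_headers(headers)
  headers.map { |name, value|
    values = value.to_s.split("\n")
    if name.downcase == "set-cookie" && values.size > 1
      raise ArgumentError, "cannot fold multiple Set-Cookie headers into one field"
    end
    [name, values.join(", ")]
  }.to_h
end
```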
Despite the patch I offered with issue http://github.com/rack/rack/issues/closed#issue/10, an HTTP response without a body can still cause an exception after installing the 'thin' gem because bytesize() is given a nil argument. This patch will fix it.
Along with the get?, post?, put?, delete? and head? helpers, there should be options? and trace? helpers (see the lines involved).
On my Mac 10.6.4 system webrick no longer processes ctrl-C interrupts properly using any rack including and after this commit
http://github.com/rack/rack/commit/e516d89ffcdad1c9d58432aaaff4a382ed3997e7
commit e516d89ffcdad1c9d58432aaaff4a382ed3997e7
Author: raggi <[email protected]>
Date: Tue Mar 23 19:29:44 2010 +0000
Move trap(:INT) to Rack::Server and support optional Handler protocol where handlers may implement .shutdown to do pre-exit cleanup.
I have this problem starting webrick using sc-server (used with the sproutcore gem) and script/server (on rails 2.3.8).
sc-server is cleanly halted using ctrl-C using rack 1.2.1, thin and sproutcore gem v1.0.1046
$ ruby -v
ruby 1.9.1p378 (2010-01-10 revision 26273) [i386-darwin9.8.0]
$ gem list rack
*** LOCAL GEMS ***
rack (1.2.1)
rack-mount (0.6.3)
rack-test (0.5.3)
$ gem list thin
*** LOCAL GEMS ***
thin (1.2.7)
$ gem list sproutcore
*** LOCAL GEMS ***
sproutcore (1.0.1046)
$ sc-server
SproutCore v1.0.1046 Development Server
Starting server at http://0.0.0.0:4020 in debug mode
To quit sc-server, press Control-C
>> Thin web server (v1.2.7 codename No Hup)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:4020, CTRL+C to stop
^C>> Stopping
If I uninstall thin and run sc-server again (which now uses webrick) I need to kill the process to stop it.
This version of rack works (from Mar 23 -- about 3.5 months after the release of rack 1.1.0):
http://github.com/rack/rack/commit/456fb5fc658fec45a07c765ef22b2ced935808b1
commit 456fb5fc658fec45a07c765ef22b2ced935808b1
Author: raggi <[email protected]>
Date: Tue Mar 23 19:23:43 2010 +0000
Fix a bug in CGI detection
Using ctrl-C with webrick stops working on the next commit later that day:
http://github.com/rack/rack/commit/e516d89ffcdad1c9d58432aaaff4a382ed3997e7
I have the same problem using rails 2.3.8 and rack e516d89...
$ script/server -p 3001
=> Booting WEBrick
=> Rails 2.3.8 application starting on http://0.0.0.0:3001
=> Call with -d to detach
=> Ctrl-C to shutdown server
[2010-07-11 19:36:44] INFO WEBrick 1.3.1
[2010-07-11 19:36:44] INFO ruby 1.9.1 (2010-01-10) [i386-darwin9.8.0]
[2010-07-11 19:36:44] INFO WEBrick::HTTPServer#start: pid=79959 port=3001
Here's what the console reports when I enter ctrl-C:
^C[2010-07-11 19:36:47] ERROR SystemExit: exit
/Users/stephen/.rvm/gems/ruby-1.9.1-p378/gems/rails-2.3.8/lib/commands/server.rb:106:in `exit'
I have to kill the process to stop the server.
If instead I start rails with thin ctrl-C works either using rack e516d89... or rack 1.2.1
$ thin start -p3001
>> Using rails adapter
>> Thin web server (v1.2.7 codename No Hup)
>> Maximum connections set to 1024
>> Listening on 0.0.0.0:3001, CTRL+C to stop
^C>> Stopping ...
Rack (more or less reasonably) assumes that there is no data before the first boundary in multipart/form-data POST data. However, in RFC1521, paragraph 7.2.1, there is a note explaining that data may be present both before the first boundary and after the last, although it is discouraged.
For me, this meant a very hard-to-track-down bug in a REST client I'm writing that was inserting an extra CRLF before the first boundary. Rack should have accepted it, but instead it threw "EOFError (bad content body)".
Here's the RFC: http://www.faqs.org/rfcs/rfc1521.html
Cheers :)
Hi!
Please have a look at this line:
http://github.com/rack/rack/blob/663abfce9b71ab273c8adc0e76c233671bc43e1d/lib/rack/response.rb#L64
value[:expires].clone.gmtime.strftime("%a, %d-%b-%Y %H:%M:%S GMT")
My default system locale is ru_RU.UTF8, therefore this line produces a string with Russian letters. Browsers can't set an expiration date in Russian. FF sets session cookies, Safari doesn't set cookies at all.
I suppose this is a bug. Instead of strftime, rfc2822 should be used.
Thanks.
Although the way rack deletes cookies works on 99% of the browsers out there, it fails on older Windows Mobile phones because it doesn't conform to their stricter interpretation of the RFC2109(http://www.w3.org/Protocols/rfc2109/rfc2109).
From the RFC:
NAME=VALUE
Required. The name of the state information ("cookie") is NAME,
and its value is VALUE. NAMEs that begin with $ are reserved for
other uses and must not be used by applications.
The VALUE is opaque to the user agent and may be anything the
origin server chooses to send, possibly in a server-selected
printable ASCII encoding. "Opaque" implies that the content is of
interest and relevance only to the origin server. The content
may, in fact, be readable by anyone that examines the Set-Cookie
header.
Rack sends 'NAME=;' which Microsoft has interpreted as not valid in its older mobile browsers.
Instead, Rack should return an arbitrary value, say '0', and an expiration of Time.at(0). The cookie will be deleted regardless of the value given, and it will still conform to stricter interpretations of the RFC by having the required NAME=VALUE.
The change would be as follows.
def delete_cookie(key, value={})
  # Normalize Set-Cookie to an Array so any earlier cookie for key can be dropped.
  unless Array === self["Set-Cookie"]
    self["Set-Cookie"] = [self["Set-Cookie"]].compact
  end
  self["Set-Cookie"].reject! { |cookie|
    # Regexp.escape: the escaped key can still contain "." and "*", which are regexp metacharacters.
    cookie =~ /\A#{Regexp.escape(Utils.escape(key))}=/
  }
  # Always send NAME=VALUE with an expiry in the past; strict RFC 2109 parsers require a VALUE.
  set_cookie(key,
    {:value => '0', :path => nil, :domain => nil,
     :expires => Time.at(0) }.merge(value))
end
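The response side of the two cookie reports above (the locale-dependent Expires string and the NAME= deletion form), as an added example that is not Rack::Response: day and month names come from fixed English tables, so the Expires attribute never comes out in the process locale's language, and delete_cookie always sends NAME=0 with an expiry in the past. The :escape option is an assumption for the example, added so that a value another stack must read (the "sub1=foo&sub2=bar" format mentioned further down this page) can be sent unescaped.

```ruby
require 'cgi'

# Added example, not Rack::Response. :escape is an option assumed for this
# example; Rack itself always URI-escapes the value.
class CookieJar
  DAYS   = %w[Sun Mon Tue Wed Thu Fri Sat].freeze
  MONTHS = %w[Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec].freeze

  attr_reader :cookies   # the Set-Cookie values accumulated so far

  def initialize
    @cookies = []
  end

  # Netscape cookie date, "Wdy, DD-Mon-YYYY HH:MM:SS GMT", built from the
  # tables above so the output does not depend on LC_TIME.
  def self.format_expires(time)
    t = time.dup.utc
    format("%s, %02d-%s-%04d %02d:%02d:%02d GMT",
           DAYS[t.wday], t.day, MONTHS[t.month - 1], t.year, t.hour, t.min, t.sec)
  end

  def set_cookie(key, value)
    opts   = value.is_a?(Hash) ? value : { :value => value }
    escape = opts.fetch(:escape, true)
    raw    = opts[:value].to_s
    cookie = "#{CGI.escape(key)}=#{escape ? CGI.escape(raw) : raw}"
    cookie << "; domain=#{opts[:domain]}" if opts[:domain]
    cookie << "; path=#{opts[:path]}"     if opts[:path]
    cookie << "; expires=#{self.class.format_expires(opts[:expires])}" if opts[:expires]
    cookie << "; secure"   if opts[:secure]
    cookie << "; HttpOnly" if opts[:httponly]
    @cookies << cookie
    cookie
  end

  # Drop any pending Set-Cookie for key, then send NAME=0 expiring at the
  # epoch. The value is always present, so strict RFC 2109 parsers accept it.
  def delete_cookie(key, opts = {})
    prefix = "#{CGI.escape(key)}="
    @cookies.reject! { |c| c.start_with?(prefix) }
    set_cookie(key, { :value => "0", :expires => Time.at(0) }.merge(opts))
  end
end
```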
I couldn't get Rack::Auth::Digest::MD5 to work for URLs with query strings. I think this is a bug.
For a request to http://host/foo?bar, the browser sends the Authorization header uri parameter as uri="/foo?bar". The resulting Rack env has "SCRIPT_NAME"=>"", "PATH_INFO"=>"/foo", "QUERY_STRING"=>"bar". But the test in Rack::Auth::Digest::Request is:
def correct_uri?
(@env['SCRIPT_NAME'].to_s + @env['PATH_INFO'].to_s) == uri
end
This fails because "/foo" != "/foo?bar".
If I patch the method as follows, it seems to work fine:
def correct_uri?
  base_uri  = @env['SCRIPT_NAME'].to_s + @env['PATH_INFO'].to_s
  query     = @env['QUERY_STRING'].to_s
  # Only append "?" when there is a query string, so a missing QUERY_STRING is not an error.
  query_uri = query.empty? ? base_uri : "#{base_uri}?#{query}"
  # Accept both forms, since browsers disagree on whether uri= carries the query string.
  base_uri == uri || query_uri == uri
end
There are more pleasant ways to write that, but it tests my hypothesis. :) I saw some indication while Googling around that browsers disagree on whether to include the querystring in the uri parameter, so perhaps that's where this came from. Latest Chrome and Firefox do send the query string, and fail.
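Why the uri check matters, as an added example that is not Rack::Auth::Digest: the uri= parameter is an input to A2, so the server must recompute the response over the uri the client signed and also insist that it names the resource actually requested; otherwise a captured Authorization header for /foo could be replayed against /admin. The user table, realm and nonce are constructed for the example, and nonce freshness (the part that defeats replay across requests) is deliberately not modelled here.

```ruby
require 'digest/md5'

# Added example, not Rack::Auth::Digest. USERS and REALM are constructed;
# nonce freshness/expiry is not checked here.
class DigestVerifier
  USERS = { "alice" => "s3cret" }.freeze
  REALM = "example"

  # Parse `Digest key="value", key=value, ...` into a Hash.
  def self.parse_authorization(header)
    return nil unless header.start_with?("Digest ")
    header.sub("Digest ", "").scan(/(\w+)=(?:"([^"]*)"|([^,]*))/).each_with_object({}) { |(k, q, u), h|
      h[k] = q || u
    }
  end

  def self.h(s); Digest::MD5.hexdigest(s); end

  # The request-uri the client is expected to have signed: script name plus
  # path info, with the query string when there is one. Both forms are
  # accepted because browsers disagree on whether uri= includes the query.
  def self.expected_uris(env)
    base = env["SCRIPT_NAME"].to_s + env["PATH_INFO"].to_s
    qs   = env["QUERY_STRING"].to_s
    qs.empty? ? [base] : [base, "#{base}?#{qs}"]
  end

  def self.valid?(env)
    params = parse_authorization(env["HTTP_AUTHORIZATION"].to_s)
    return false unless params && params["realm"] == REALM
    # The signed uri must be the resource being requested, not just any uri.
    return false unless expected_uris(env).include?(params["uri"])
    password = USERS[params["username"]]
    return false unless password
    ha1 = h("#{params['username']}:#{REALM}:#{password}")
    ha2 = h("#{env['REQUEST_METHOD']}:#{params['uri']}")   # uri= is part of A2
    expected = if params["qop"] == "auth"
      h("#{ha1}:#{params['nonce']}:#{params['nc']}:#{params['cnonce']}:auth:#{ha2}")
    else
      h("#{ha1}:#{params['nonce']}:#{ha2}")
    end
    secure_compare(expected, params["response"].to_s)
  end

  # Constant-time comparison: don't leak how many hex digits matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end
```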
Hi there,
I just tried to install the hot-off-the-grill 1.2.0 release, and ran into this error:
ERROR: While executing gem ... (SystemCallError)
Unknown error - mkdir failed
After digging into things I found out this is because the gem is trying to create both a file with the name SPEC and a directory with the name spec/. :)
I have a Sinatra app which is using Rack::Session::Cookie
The following code worked when using rack 1.1.0; however, in rack 1.2.1 it appears that my session never expires.
use Rack::Session::Cookie, :expire_after => 10*60
http://github.com/josevalim/rack/commit/332d046276e17637a7b95e63eb26685d49661c3c
Fixed here. I hope this is the last one! Thanks! :D
The problem is that the reject statement selecting MemCache options is written backwards. A patch is here: bahuvrihi/rack@34630196450bceafe33f8ecc889f34d7b7ed9f7c
Is there a way to run multiple rack apps completely sandboxed from one another?
I want to allow users to upload their own rack apps to my server and run them side by side while preventing them from messing with each other or the server itself.
lib/rack/utils.rb lines 131-138 seem to be breaking compatibility with Ruby 1.8.6
ESCAPE_HTML = {
  "&" => "&amp;",
  "<" => "&lt;",
  ">" => "&gt;",
  "'" => "&#39;",
  '"' => "&quot;",
}
ESCAPE_HTML_PATTERN = Regexp.union(ESCAPE_HTML.keys)
Prior to Ruby 1.8.7, Regexp#union took String or Regexp arguments. The ability to pass in an Array is new in 1.8.7.
The docs for Rack::Server.new (below) state that passing in an :app option should override checking and loading a :config. This does not seem to be the case (:app is completely ignored).
http://github.com/rack/rack/blob/master/lib/rack/server.rb#L106-107
The example in Rack::Server.start is also wrong for this reason.
I forked and patched here:
http://github.com/lsegal/rack/commit/45a3ca646020bc8dc868a1a04bef90611fb42632
When uploading a file I get this error:
/!\ FAILSAFE /!\ 2009-07-03 09:31:48 -0600
Status: 500 Internal Server Error
invalid byte sequence in US-ASCII
/Users/tonyh/work/captioncontest/vendor/gems/rack-1.0.0/lib/rack/utils.rb:324:in `=~'
/Users/tonyh/work/captioncontest/vendor/gems/rack-1.0.0/lib/rack/utils.rb:324:in `block in parse_multipart'
/Users/tonyh/work/captioncontest/vendor/gems/rack-1.0.0/lib/rack/utils.rb:319:in `loop'
/Users/tonyh/work/captioncontest/vendor/gems/rack-1.0.0/lib/rack/utils.rb:319:in `parse_multipart'
/Users/tonyh/work/captioncontest/vendor/gems/rack-1.0.0/lib/rack/request.rb:141:in `POST'
/Users/tonyh/work/captioncontest/vendor/gems/rack-1.0.0/lib/rack/methodoverride.rb:15:in `call'
/Users/tonyh/work/captioncontest/vendor/rails/actionpack/lib/action_controller/params_parser.rb:15:in `call'
I'm using:
Ruby 1.9.1p129 (2009-05-12 revision 23412) [i386-darwin9]
RubyGems version 1.3.1
Rack version 1.0
Rails version 2.3.2
Active Record version 2.3.2
Action Pack version 2.3.2
Active Resource version 2.3.2
Action Mailer version 2.3.2
Active Support version 2.3.2
I get this error when testing with cucumber/webrat and also through Webrick (since I haven't gotten Mongrel working)
Here is a fix for it:
http://github.com/josevalim/rack/commit/2c9e8c3ba9af6e3cf11b60074b66e77726fc0f82
Perhaps it's considered hacky to pass changes back up the call stack, but currently you generally can, unless you use urlmap. A simple change to using merge! would be faster and would keep it the same object, also, which means a lower level middleware (or the end-point itself) can modify the env hash and a higher level middleware can access that. Sure other middlewares could cause the same issue, but it'd be nice if rack itself didn't. I'll come up with a fork/patch w/ test if you like.
Hi there.
I've run into a problem using rack with Ruby 1.9.2-preview3 and 1.9.2-head
If I write a super simple sinatra app and try and run it through passenger, I get the following in my Nginx error log:
*** Exception LoadError in PhusionPassenger::Rack::ApplicationSpawner (no such file to load -- rivup) (process 61765):
    from config.ru:3:in `require'
    from config.ru:3:in `block in <main>'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/rack-1.1.0/lib/rack/builder.rb:46:in `instance_eval'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/rack-1.1.0/lib/rack/builder.rb:46:in `initialize'
    from config.ru:1:in `new'
    from config.ru:1:in `<main>'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/lib/phusion_passenger/rack/application_spawner.rb:147:in `eval'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/lib/phusion_passenger/rack/application_spawner.rb:147:in `load_rack_app'
    from ...:in `block in run'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/lib/phusion_passenger/utils.rb:323:in `report_app_init_status'
    from ...:in `run'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/lib/phusion_passenger/rack/application_spawner.rb:65:in `block in spawn_application'
    from ...:in `safe_fork'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/lib/phusion_passenger/rack/application_spawner.rb:58:in `spawn_application'
    from ...:in `spawn_application'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/lib/phusion_passenger/spawn_manager.rb:159:in `handle_spawn_application'
    from ...:in `main_loop'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/lib/phusion_passenger/abstract_server.rb:352:in `start_synchronously'
    from /Users/i0n/.rvm/gems/ruby-1.9.2-preview3/gems/passenger-2.2.14/bin/passenger-spawn-server:61:in `<main>'
If I try and load the same project using shotgun under Ruby 1.9.2 I get a similar error, this leads me to believe that the problem is not with passenger.
If I switch back to Ruby 1.9.1 or Ruby 1.8.7 everything works as expected.
Rails apps work as normal.
Is this a known error?
Hi there,
Found a non-obvious bug in rack's multipart parser.
Have a look at:
http://github.com/bloom/rack/commit/8f4bfced74e7a07d0f0f47705b763c7efc2f2aa7
Please let me know how you feel about this, and feel free to cherry pick it if it's interesting. FWIW, I kept running into the oddest problem with a Rails app that happened to be using a multipart form to submit a fairly large form. It so happened that for a given multipart payload size, I would reliably fall onto a chunking/splitting in rack's multipart parser which, given the 16384 bufsize being used by default, just so happened to expose a bug in the parser. Non-obvious because it took a while to isolate and peg down.
Best,
Bosko
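The framing rules behind three multipart reports on this page (data before the first boundary, "invalid byte sequence in US-ASCII" on a non-ASCII upload, and the parser being sensitive to where the body is split), as an added example that is not Rack's parse_multipart: the body is forced to a binary encoding before any matching, a preamble before the first delimiter and an epilogue after the closing one are discarded as RFC 1521 7.2.1 allows, and every part must be terminated by CRLF followed by the delimiter. It reads the whole body into memory, which is exactly what Rack's 16384-byte buffered parser avoids, so it shows the framing and not the streaming. The sample body in the test is constructed.

```ruby
# Added example, not Rack's parse_multipart. Whole-body, not streaming.
def parse_multipart(body, boundary)
  # Binary first: a 1.9 String tagged US-ASCII/UTF-8 with raw upload bytes
  # raises "invalid byte sequence" as soon as a regexp touches it.
  body      = body.dup.force_encoding(Encoding::BINARY)
  delimiter = "--#{boundary}".force_encoding(Encoding::BINARY)

  # Everything before the first delimiter is preamble and is discarded; a
  # client's stray leading CRLF lands here instead of breaking the parse.
  start = body.index(delimiter)
  raise ArgumentError, "bad content body: no boundary" unless start
  rest = body[start + delimiter.bytesize..-1]

  parts = []
  loop do
    # After a delimiter comes either "--" (closing delimiter) or CRLF and a part.
    break if rest.start_with?("--")
    raise ArgumentError, "bad content body: missing CRLF after boundary" unless rest.start_with?("\r\n")
    rest = rest[2..-1]
    # A part ends at CRLF + delimiter; the CRLF belongs to the framing, not the data.
    stop = rest.index("\r\n" + delimiter)
    raise ArgumentError, "bad content body: unterminated part" unless stop
    parts << parse_part(rest[0, stop])
    rest = rest[stop + 2 + delimiter.bytesize..-1]
  end
  # Anything after the closing delimiter is epilogue and is ignored.
  parts
end

def parse_part(raw)
  head, data = raw.split("\r\n\r\n", 2)
  headers = head.split("\r\n").each_with_object({}) { |line, h|
    k, v = line.split(":", 2)
    h[k.strip.downcase] = v.to_s.strip
  }
  disposition = headers["content-disposition"].to_s
  { :name     => disposition[/\bname="([^"]*)"/, 1],
    :filename => disposition[/\bfilename="([^"]*)"/, 1],
    :headers  => headers,
    :data     => data.to_s }
end
```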
I came across an issue that caused bytesize() to throw an exception because it was being asked to return the size of nil when an HTTP response has status is 204 (no content).
The test on line 16 of content_length.rb should prevent it from ever reaching this code, but neglects to convert status (an instance of String) to an int before checking for inclusion in the the Set instance named by the constant STATUS_WITH_NO_ENTITY_BODY, which contains integers.
Please accept the following patch:
diff --git a/lib/rack/content_length.rb b/lib/rack/content_length.rb
index 1e56d43..ba72ef2 100644
--- a/lib/rack/content_length.rb
+++ b/lib/rack/content_length.rb
@@ -13,7 +13,7 @@ module Rack
status, headers, body = @app.call(env)
headers = HeaderHash.new(headers)
if !STATUS_WITH_NO_ENTITY_BODY.include?(status) &&
if !STATUS_WITH_NO_ENTITY_BODY.include?(status.to_i) &&
!headers['Content-Length'] &&
!headers['Transfer-Encoding'] &&
(body.respond_to?(:to_ary) || body.respond_to?(:to_str))
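Review bot: converting `status` only inside the `include?` call at the `if` line fixes the membership test but leaves `status` as the app returned it for everything after it; convert once right after `status, headers, body = @app.call(env)` (`status = status.to_i`) so the check and whatever this middleware passes downstream agree, and keep in mind that `to_i` on a non-numeric String yields 0, which is silently treated as a status with a body. Separately, the changed lines in this copy of the hunk carry no `-`/`+` markers, so the patch as pasted here cannot be applied with `git apply`; regenerate it from `git diff` before submitting.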
I hope someone will contact me to let me know whether this has been accepted and what release it will appear in. Thank you and G-d bless.
In Ruby < 1.9, :config and :pid must be absolute paths because Rack::Server does Dir.chdir "/" before reading the :config and writing the :pid. This was unexpected - is it intended?
I have created a test in my fork of the project: http://github.com/diclophis/rack/commit/a59f59ed6eb0701ee651e5b532d38920a29c2324
I have not begun investigating for a fix, I wanted to see if you guys have run across this problem
Hi,
I'm experiencing a huge performance drop with the 1.1.0's Builder and Thin 1.2.7. This is due to Builder#to_app recalculating the middleware stack on each request. I modified #to_app to cache the stack after the first request, as to me it seems unusual to modify it during runtime. Performance increased by >1100%.
Patch is at http://gist.github.com/357078 or at http://github.com/lgierth/rack/commit/20f55a85f46a0e8e8ff7549a6781f4915266c074
Before:
Requests per second: 248.44 [#/sec] (mean)
Time per request: 402.509 [ms] (mean)
After:
Requests per second: 2883.85 [#/sec] (mean)
Time per request: 34.676 [ms] (mean)
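What "recalculating the middleware stack on each request" means and what memoizing it changes, as an added example that is not Rack::Builder: use records constructors, run sets the endpoint, and to_app folds the list from the inside out, instantiating every middleware. Done per request, that allocates the whole chain on every call; memoized, it happens once. The counting middleware is constructed for the example so the effect is observable, and the memo is reset if the stack is modified after the first request.

```ruby
# Added example, not Rack::Builder.
class MiniBuilder
  def initialize(&block)
    @use = []
    @run = nil
    @app = nil
    instance_eval(&block) if block
  end

  def use(middleware, *args, &block)
    @app = nil   # stack changed; rebuild on next request
    @use << proc { |app| middleware.new(app, *args, &block) }
  end

  def run(endpoint)
    @app = nil
    @run = endpoint
  end

  # Fold from the endpoint outwards; memoized so the chain is built once.
  def to_app
    raise "no endpoint given with run" unless @run
    @app ||= @use.reverse.inject(@run) { |app, builder| builder.call(app) }
  end

  def call(env)
    to_app.call(env)
  end
end

# Constructed for the example: counts its own instantiations so the
# difference between building once and building per request is visible.
class CountingMiddleware
  class << self; attr_accessor :instances; end
  self.instances = 0

  def initialize(app, tag)
    self.class.instances += 1
    @app, @tag = app, tag
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge("X-Tag" => @tag), body]
  end
end
```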
Rack appears to incorrectly handle cookies with values that are quoted-strings. RFC2109 states that a value is a word and a word may be a token or a quoted-string. Rack is handling quoted-string values as if they were tokens. Naturally this causes some problems.
It looks like the issue stems from the fact that Rack::Request#cookies uses Rack::Utils.parse_query. What parse_query does makes sense for parameters, but I think it is incorrect for cookie values.
If I have a cookie like so:
POST /acme/shipping HTTP/1.1
Cookie: $Version="1";
Customer="WILE_E_COYOTE"; $Path="/acme";
Part_Number="Rocket_Launcher_0001"; $Path="/acme"
The ruby String value for key Customer should be "WILE_E_COYOTE" rather than "\"WILE_E_COYOTE\"".
You can imagine how this handling of quoted strings leads to interoperability problems with other application stacks.
Currently the rewindable input support enables the “posix filesystem semantics” for Ruby 1.9; unfortunately the tempfile class from Ruby 1.9 breaks this: unlinking the file closes the descriptor (which is probably wrong by itself). This breaks the rewindable input badly :/
Rack encodes all cookie values using URI escaping but this is not a requirement of the cookie spec and thus should be exposed as an option that can be overridden. This is especially true when sharing cookies with other environments such as legacy applications or JavaScript that do not make the same assumptions about the encoding of a cookie. One example is YUI's Cookie utility and its subcookie functionality which uses cookies in a format of "cookiename=subcookie1=foo&sub2=bar" which cannot be achieved with the current Rack::Response#set_cookie method.
Some discussion about cookie encoding: http://www.nczonline.net/blog/2009/05/05/http-cookies-explained/
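The request side of the two cookie reports above (quoted-string values and URI-unescaping that the cookie spec never asked for), as an added example that is not Rack::Request#cookies: a value that is a quoted-string is unquoted and its backslash escapes undone, $-prefixed attributes from RFC 2109 are skipped rather than returned as cookies, and unescaping is an option. The :unescape option is an assumption for the example; the header values in the test are the RFC 2109 example and constructed strings.

```ruby
require 'cgi'

# Added example, not Rack::Request#cookies. :unescape defaults to Rack's
# behaviour (URI-unescape the value); pass false for cookies shared with a
# stack that stores raw values, such as "yui=sub1=foo&sub2=bar".
def parse_cookies(header, opts = {})
  unescape = opts.fetch(:unescape, true)
  cookies  = {}
  header.to_s.split(/[;,]\s*/).each do |pair|
    name, value = pair.split("=", 2)   # split once: "=" may appear in the value
    next if name.nil?
    name = name.strip
    # $Version, $Path, $Domain describe the preceding cookie; not cookies themselves.
    next if name.empty? || name.start_with?("$")
    value = value.to_s.strip
    if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
      # quoted-string: strip the quotes and resolve quoted-pair escapes (\" -> ")
      value = value[1..-2].gsub(/\\(.)/, '\1')
    elsif unescape
      value = CGI.unescape(value)
    end
    # First occurrence wins: user agents send the most specific cookie first.
    cookies[name] = value unless cookies.key?(name)
  end
  cookies
end
```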
This commit breaks Rack's compatibility with ruby 1.8.6:
$ rvm use 1.8.6
info: Using ruby 1.8.6 p399
$ irb
> Regexp.union(['foo', 'bar'])
TypeError: can't convert Array into String
from (irb):1:in `union'
from (irb):1
> exit
$ rvm use 1.8.7
info: Using ruby 1.8.7 p299
$ irb
> Regexp.union(['foo', 'bar'])
=> /foo|bar/
:(.
The whole commit is here:
http://github.com/josevalim/rack/commit/5be8ad86f287bfd50f900f0747deee70b5f881e8
Thanks raggi! :D
JRuby, Sinatra, Jetty, rack-jetty, rack 1.2.1
Using the above combination of products CONTENT_TYPE often will be empty, that is, it exists but is empty. Then an exception is thrown in Rack::Request#media_type because it tries to use a "downcase" method on a "nil" object.
I do not know if it is ok for CONTENT_TYPE to be empty, but if it is, a simple solution would be to change Rack::Request#media_type to something like:
def media_type
  # A missing or empty Content-Type (rack-jetty passes "") has no media type.
  return nil if content_type.nil? || content_type.empty?
  content_type.split(/\s*[;,]\s*/, 2).first.downcase
end
At the same time Rack::Request#media_type_params possibly should be changed to:
def media_type_params
  return {} if content_type.nil? || content_type.empty?
  # Everything after the first ";" or "," is "key=value" parameters, keyed case-insensitively.
  content_type.split(/\s*[;,]\s*/)[1..-1].
    collect { |s| s.split('=', 2) }.
    inject({}) { |hash,(k,v)| hash[k.downcase] = v ; hash }
end
Best regards,
Claus
Hello guys, I've a problem with rack + nginx + passenger. My nginx vhost config is pretty simple:
server {
  listen 80;
  server_name _;
  root /src/foo-bar/public;
  passenger_enabled on;
}
If in my config.ru I've:
require 'myapp'
run MyApp
Every thing works super fine.
But If I have:
require 'myapp1'
require 'myapp2'
map "/" do
  run MyApp1
end
map "/two" do
  run MyApp2
end
I get "Not Found"
If I change my server_name to server_name one.local
works
If I change my server_name to server_name one.local two.local
one.local works but two.local Not
If I change my server_name to server_name two.local one.local
two.local works but one.local Not
Any idea? Is it rack, nginx or passenger?
Thanks so much!
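The path side of what map does, as an added example that is not Rack::URLMap: the longest matching prefix wins, a prefix must end at a "/" boundary so "/two" serves "/two" and "/two/x" but never "/twofoo", and SCRIPT_NAME and PATH_INFO are rewritten the way the downstream app expects. Host matching, which is the part of Rack::URLMap whose behaviour the report above ties to server_name, is deliberately left out, so this shows what a map that ignores the host would do with the same config.ru. The two apps in the test are constructed.

```ruby
# Added example, not Rack::URLMap: path-prefix dispatch only, no host matching.
class PathMap
  def initialize(map)
    @routes = map.map { |location, app|
      [location.chomp("/"), app]           # "/" becomes "" and matches everything
    }.sort_by { |location, _| -location.size }   # longest prefix first
  end

  def call(env)
    path        = env["PATH_INFO"].to_s
    script_name = env["SCRIPT_NAME"].to_s
    @routes.each do |location, app|
      next unless path.start_with?(location)
      rest = path[location.size..-1]
      # Boundary check: the prefix must be the whole path or end at a "/",
      # otherwise "/two" would also capture "/twofoo".
      next unless rest.empty? || rest.start_with?("/")
      return app.call(env.merge("SCRIPT_NAME" => script_name + location,
                                "PATH_INFO"   => rest))
    end
    [404, { "Content-Type" => "text/plain", "X-Cascade" => "pass" }, ["Not Found: #{path}"]]
  end
end
```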
The regexp used in Rack::Utils.escape function should have a flag /u, not /n. If it has a flag /n and you pass it a utf8 string, it prints a message "warning: regexp match /.../n against to UTF-8 string" to stdout.
In browsing through the rails code I found that they use an html_escape routine that only escapes [&"><] whereas rack escapes apostrophe as well. See the ERB::Util module, circa Rails 3, and a recent optimization of escape_html in Rack::Utils.
I went looking for other references on html sanitization and found the Open Web Application Security Project (OWASP). They recommend escaping apostrophes and slash:
Escape the following characters with HTML entity encoding to prevent switching
into any execution context, such as script, style, or event handlers. Using
hex entities is recommended in the spec. In addition to the 5 characters
significant in XML (&, <, >, ", '), the forward slash is included as it helps
to end an HTML entity.
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;   &apos; is not recommended
/ --> &#x2F;   forward slash is included as it helps end an HTML entity
See bahuvrihi/rack@0e9c6cba769383d4f8f220c149aec7b27e69d201 for a patch implementing the OWASP recommendations. Note that I am not a web security guru and don't know if these recommendations are right or wrong.
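A table-driven escape_html covering the three threads on this page that touch it (the single-pass optimisation, the Regexp.union Array argument that breaks Ruby 1.8.6, and the OWASP character set), as an added example that is not Rack::Utils.escape_html: the table holds Rack's five characters plus OWASP's apostrophe-as-numeric-entity and forward slash, the pattern is built with Regexp.union(*keys) so that 1.8.6's String-or-Regexp-only signature is satisfied as well as 1.8.7's, and one gsub with a Hash replacement does all substitutions in a single pass. The test inputs are constructed.

```ruby
# Added example, not Rack::Utils.escape_html. Rack's own table has five
# entries; the apostrophe as &#x27; and the slash follow the OWASP
# recommendation quoted above.
ESCAPE_HTML = {
  "&" => "&amp;",
  "<" => "&lt;",
  ">" => "&gt;",
  '"' => "&quot;",
  "'" => "&#x27;",   # &apos; is not defined in HTML 4, so use the numeric form
  "/" => "&#x2F;",   # closes off an entity, per the OWASP recommendation
}.freeze

# Splat the keys: Regexp.union("&", "<", ...) works on 1.8.6, whose union
# accepts only String/Regexp arguments, and on 1.8.7+ alike.
ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)

# One pass: gsub with a Hash replaces every match from the table, so the "&"
# introduced by "&lt;" is never rescanned. Chaining one gsub per character
# would double-escape unless "&" were always handled first. (gsub with a
# Hash argument is Ruby 1.9+; on 1.8 use the block form with the same table.)
def escape_html(s)
  s.to_s.gsub(ESCAPE_HTML_PATTERN, ESCAPE_HTML)
end

# Escaping is idempotent only on already-clean text; re-escaping escaped
# output mangles it, which is why escaping belongs at the output boundary
# and nowhere else. Exposed so the property can be checked.
def double_escaped?(s)
  escape_html(escape_html(s)) != escape_html(s)
end
```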
I noticed that in CommonLogger, it performs an implicit Array splat when receiving responses from the parent application:
status, header, body = @app.call(env)
This will not properly set headers or body if the parent application returns Rack::Response or a Struct.new(:status, :headers, :body).
I kept getting this error in my fastcgi.crash.log
This error occurs in lib/rack/handler/fastcgi.rb at line 7
Looks like it's trying to alias a method before the method is created.
I believe line 7 needs moved to below the 'read' method definition.
This error occurred on a Bluehost server with the rack-1.0.0 gem.
A common security measure against fixation attacks is to change the session id after an user signs in. The easiest way to handle it from an authentication framework, like warden, is to set the session id to nil and expect it will be regenerated. However, this is not true in Rack. This commit fixes it:
http://github.com/josevalim/rack/commit/feb6e8950cdc744b4e625193883b9a9c817ad335
Rack::Response does not support Array access, and thus cannot be used with code that expects traditional Array<status, headers, body> response objects. If Rack::Response inherited from Struct.new(:status, :headers, :body), it could gain arbitrary Array access. Rack::Response would only then have to override the #[] and #[]= methods to support String, Symbol and Integer keys.
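What makes `status, header, body = @app.call(env)` (the CommonLogger line quoted earlier) work for a non-Array response, as an added example that is not Rack::Response: Ruby's multiple assignment and splat call to_ary on the right-hand side, so a Struct-based response that defines to_ary destructures like the triple, and #[] / #[]= are extended to accept a header name as well as a Symbol or Integer. The class name and the finish alias are assumptions for the example.

```ruby
# Added example, not Rack::Response.
class TupleResponse < Struct.new(:status, :headers, :body)
  def initialize(status = 200, headers = {}, body = [])
    super(status, headers, body)
  end

  # Multiple assignment, splat and Array() all consult to_ary, so this is
  # what lets `s, h, b = response` see [status, headers, body].
  def to_ary
    [status, headers, body]
  end
  alias to_a   to_ary
  alias finish to_ary

  # Integer and Symbol keys keep Struct's behaviour; anything else is a header name.
  def [](key)
    if key.is_a?(Integer) || key.is_a?(Symbol)
      super
    else
      headers[key]
    end
  end

  def []=(key, value)
    if key.is_a?(Integer) || key.is_a?(Symbol)
      super
    else
      headers[key] = value
    end
  end
end
```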
Some clients and web servers support compressed TLS connections. Chrome 6 supports them. I was browsing PivotalTracker (in Chrome 6, they use nginx/0.6.35) and checked the TLS connection, and it turns out that the TLS connection is compressed with deflate.
If the TLS connection is already compressed, does additional HTTP response compression in Rack do anything to help?
ENV["RACK_ENV"] is not set by rackup on startup, meanwhile at least Passenger, Thin and Unicorn pass this to apps. Besides that Sinatra and Merb use it to set their environment.
You can see the discussion about that in the Unicorn list: http://www.mail-archive.com/[email protected]/msg00123.html
The patch to fix it here:
http://github.com/tundraghost/rack/commit/90e9dfedf454a1491d97ab1d145cd105fdb1c216