[SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[jftucker]

Hello,

Today we are proud to announce the release of Rack 1.5.0.

= Rack, a modular Ruby webserver interface 

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby.  By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
The exact details of this are described in the Rack specification, which all Rack applications should conform to. 

== Changes

Please note that this release includes a few potentially breaking changes.
Of particular note are:

 * SessionHash is no longer a Hash sublcass
 * Rack::File cache_control parameter is removed in place of headers options

Additonally, SPEC has been updated in several areas and is now at 1,2.

A new SPEC section was introduced that provides two server-optional IO hijacking
APIs. Further information on these APIs will be made available by the community
in good time. In the mean time, some information can be found in the original
pull request: https://github.com/rack/rack/pull/481

* January 21st, 2013: Thirty third public release 1.5.0
  * Introduced hijack SPEC, for before-response and after-response hijacking
  * SessionHash is no longer a Hash subclass
  * Rack::File cache_control parameter is removed, in place of headers options
  * Rack::Auth::AbstractRequest#scheme now yields strings, not symbols
  * Rack::Utils cookie functions now format expires in RFC 2822 format
  * Rack::File now has a default mime type
  * rackup -b 'run Rack::File.new(".")', option provides command line configs
  * Rack::Deflater will no longer double encode bodies
  * Rack::Mime#match? provides convenience for Accept header matching
  * Rack::Utils#q_values provides splitting for Accept headers
  * Rack::Utils#best_q_match provides a helper for Accept headers
  * Rack::Handler.pick provides convenience for finding available servers
  * Puma added to the list of default servers (preferred over Webrick)
  * Various middleware now correctly close body when replacing it
  * Rack::Request#params is no longer persistent with only GET params
  * Rack::Request#update_param and #delete_param provide persistent operations
  * Rack::Request#trusted_proxy? now returns true for local unix sockets
  * Rack::Response no longer forces Content-Types
  * Rack::Sendfile provides local mapping configuration options
  * Rack::Utils#rfc2109 provides old netscape style time output
  * Updated HTTP status codes
  * Ruby 1.8.6 likely no longer passes tests, and is no longer fully supported

== Where can I get it? 

You can download Rack at 
        http://chneukirchen.org/releases/rack-1.5.0.tar.gz   (upload pending at time of writing)
                  http://rubyforge.org/projects/rack

Alternatively, you can checkout from the development repository with:
    git clone git://github.com/rack/rack.git
cd rack && git checkout rack-1.5   # for this release

Happy hacking and have a nice day,

James Tucker
on behalf of the Rack Core Team.

9f506c84a6edbeb8c98f381e8edce15e7ae08324  rack-1.5.0.tar.gz
71b6627efbc8795bd3077eff9850fcb508d57ea3  rack-1.5.0.gem

Re: [SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[raggi]

[-- Attachment #1: Type: text/plain, Size: 3528 bytes --]

My sincerest apologies, this was not a SEC release.

On Monday, January 21, 2013 11:46:10 PM UTC-8, raggi wrote:
>
> Hello, 
>
> Today we are proud to announce the release of Rack 1.5.0. 
>
> = Rack, a modular Ruby webserver interface 
>
> Rack provides a minimal, modular and adaptable interface for developing 
> web applications in Ruby.  By wrapping HTTP requests and responses in the 
> simplest way possible, it unifies and distills the API for web servers, web 
> frameworks, and software in between (the so-called middleware) into a 
> single method call. 
> The exact details of this are described in the Rack specification, which 
> all Rack applications should conform to. 
>
> == Changes 
>
> Please note that this release includes a few potentially breaking changes. 
> Of particular note are: 
>
>  * SessionHash is no longer a Hash sublcass 
>  * Rack::File cache_control parameter is removed in place of headers 
> options 
>
> Additonally, SPEC has been updated in several areas and is now at 1,2. 
>
> A new SPEC section was introduced that provides two server-optional IO 
> hijacking 
> APIs. Further information on these APIs will be made available by the 
> community 
> in good time. In the mean time, some information can be found in the 
> original 
> pull request: https://github.com/rack/rack/pull/481 
>
> * January 21st, 2013: Thirty third public release 1.5.0 
>   * Introduced hijack SPEC, for before-response and after-response 
> hijacking 
>   * SessionHash is no longer a Hash subclass 
>   * Rack::File cache_control parameter is removed, in place of headers 
> options 
>   * Rack::Auth::AbstractRequest#scheme now yields strings, not symbols 
>   * Rack::Utils cookie functions now format expires in RFC 2822 format 
>   * Rack::File now has a default mime type 
>   * rackup -b 'run Rack::File.new(".")', option provides command line 
> configs 
>   * Rack::Deflater will no longer double encode bodies 
>   * Rack::Mime#match? provides convenience for Accept header matching 
>   * Rack::Utils#q_values provides splitting for Accept headers 
>   * Rack::Utils#best_q_match provides a helper for Accept headers 
>   * Rack::Handler.pick provides convenience for finding available servers 
>   * Puma added to the list of default servers (preferred over Webrick) 
>   * Various middleware now correctly close body when replacing it 
>   * Rack::Request#params is no longer persistent with only GET params 
>   * Rack::Request#update_param and #delete_param provide persistent 
> operations 
>   * Rack::Request#trusted_proxy? now returns true for local unix sockets 
>   * Rack::Response no longer forces Content-Types 
>   * Rack::Sendfile provides local mapping configuration options 
>   * Rack::Utils#rfc2109 provides old netscape style time output 
>   * Updated HTTP status codes 
>   * Ruby 1.8.6 likely no longer passes tests, and is no longer fully 
> supported 
>
> == Where can I get it? 
>
> You can download Rack at 
>         http://chneukirchen.org/releases/rack-1.5.0.tar.gz   (upload 
> pending at time of writing) 
>                   http://rubyforge.org/projects/rack 
>
> Alternatively, you can checkout from the development repository with: 
>     git clone git://github.com/rack/rack.git 
> cd rack && git checkout rack-1.5   # for this release 
>
> Happy hacking and have a nice day, 
>
> James Tucker 
> on behalf of the Rack Core Team. 
>
> 9f506c84a6edbeb8c98f381e8edce15e7ae08324  rack-1.5.0.tar.gz 
> 71b6627efbc8795bd3077eff9850fcb508d57ea3  rack-1.5.0.gem 
>

[-- Attachment #2: Type: text/html, Size: 4246 bytes --]

Re: [SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[Eric Wong]

jftucker@gmail.com wrote:
> Additonally, SPEC has been updated in several areas and is now at 1,2.

SPEC still says this:

  <tt>rack.version</tt>:: The Array [1,1], representing this version of Rack.

I take it 1,2-compliant servers should set [1,2] there instead?

> A new SPEC section was introduced that provides two server-optional IO hijacking
> APIs. Further information on these APIs will be made available by the community
> in good time. In the mean time, some information can be found in the original
> pull request: https://github.com/rack/rack/pull/481

Cool.  Should be easy for unicorn, and some configurations of Rainbows!/zbatery.

Re: [SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[Hongli Lai]

[-- Attachment #1: Type: text/plain, Size: 176 bytes --]

We've also implemented the socket hijacking API in the upcoming Phusion 
Passenger 
4: https://github.com/FooBarWidget/passenger/commit/c5b5b2e76034f7c7010c46aefc08967240eda122

[-- Attachment #2: Type: text/html, Size: 179 bytes --]

Re: [SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[Eric Wong]

(culling Cc:)

Eric Wong <normalperson@yhbt.net> wrote:
> jftucker@gmail.com wrote:
> > Additonally, SPEC has been updated in several areas and is now at 1,2.
> 
> SPEC still says this:
> 
>   <tt>rack.version</tt>:: The Array [1,1], representing this version of Rack.
> 
> I take it 1,2-compliant servers should set [1,2] there instead?
> 
> > A new SPEC section was introduced that provides two server-optional IO hijacking
> > APIs. Further information on these APIs will be made available by the community
> > in good time. In the mean time, some information can be found in the original
> > pull request: https://github.com/rack/rack/pull/481

So once a connection is hijacked, there's no un-hijacking, correct?
The server needs to completely ignore the normal Rack response
(I also just posted a Rack::Lint patch here to that effect)

> Cool.  Should be easy for unicorn, and some configurations of
> Rainbows!/zbatery.

I'm setting env["rack.version"] to [1,2] in my unicorn hijack branch.
Would greatly appreciate ACK/NACK on whether this is the way to go.

Original patch to implement hijack:
http://mid.gmane.org/20130122114943.GA8455@dcvr.yhbt.net

Followup to ignore responses for hijacked requests:
http://mid.gmane.org/20130122235728.GA8717@dcvr.yhbt.net

Re: [SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[Hongli Lai]

[-- Attachment #1: Type: text/plain, Size: 126 bytes --]

We've written an article on how the hijacking API 
works: http://blog.phusion.nl/2013/01/23/the-new-rack-socket-hijacking-api/

[-- Attachment #2: Type: text/html, Size: 130 bytes --]

Re: [SEC][ANN] Rack 1.5.0, a modular Ruby webserver interface

[James Tucker]

On Jan 22, 2013, at 4:27 PM, Eric Wong <normalperson@yhbt.net> wrote:

> (culling Cc:)
> 
> Eric Wong <normalperson@yhbt.net> wrote:
>> jftucker@gmail.com wrote:
>>> Additonally, SPEC has been updated in several areas and is now at 1,2.
>> 
>> SPEC still says this:
>> 
>>  <tt>rack.version</tt>:: The Array [1,1], representing this version of Rack.
>> 
>> I take it 1,2-compliant servers should set [1,2] there instead?
>> 
>>> A new SPEC section was introduced that provides two server-optional IO hijacking
>>> APIs. Further information on these APIs will be made available by the community
>>> in good time. In the mean time, some information can be found in the original
>>> pull request: https://github.com/rack/rack/pull/481
> 
> So once a connection is hijacked, there's no un-hijacking, correct?
> The server needs to completely ignore the normal Rack response
> (I also just posted a Rack::Lint patch here to that effect)

Correct. I don't see a way around this without making the specification excessively complex. That's why I strongly recommend people set Connection:close.

> 
>> Cool.  Should be easy for unicorn, and some configurations of
>> Rainbows!/zbatery.
> 
> I'm setting env["rack.version"] to [1,2] in my unicorn hijack branch.
> Would greatly appreciate ACK/NACK on whether this is the way to go.

Ack. I forgot to update lint - my bad. I'll fix this in .1.

> 
> Original patch to implement hijack:
> http://mid.gmane.org/20130122114943.GA8455@dcvr.yhbt.net

Only had a quick scan, but LGTM.

> 
> Followup to ignore responses for hijacked requests:
> http://mid.gmane.org/20130122235728.GA8717@dcvr.yhbt.net

--