Sync from SUSE:SLFO:Main rubygem-rack revision ccfc4e3290076298e476eb76058ae688

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

gem2rpm.yml

@@ -0,0 +1,86 @@
+# ---
+# ## used by gem2rpm
+# :summary: this is a custom summary
+# ## used by gem2rpm
+# :description: |-
+#   this is a custom description
+#
+#   it can be multiline
+# ## used by gem2rpm
+# :license: MIT or Ruby
+# ## used by gem2rpm and gem_packages
+# :version_suffix: -x_y
+# ## used by gem2rpm and gem_packages
+# :disable_docs: true
+# ## used by gem2rpm
+# :disable_automatic_rdoc_dep: true
+# ## used by gem2rpm
+# :preamble: |-
+#   BuildRequires: foobar
+#   Requires: foobar
+# ## used by gem2rpm
+# :patches:
+#   foo.patch: -p1
+#   bar.patch: 
+# ## used by gem2rpm
+# :sources:
+# - foo.desktop
+# - bar.desktop
+# :gem_install_args: '....'
+# ## used by gem2rpm
+# :pre_install: |-
+#   %if 0%{?use_system_libev}
+#   export USE_VENDORED_LIBEV="no"
+#   %endif
+# ## used by gem2rpm
+# :post_install: |-
+#   # delete custom files here or do other fancy stuff
+#   install -D -m 0644 %{S:1} %{buildroot}%{_bindir}/gem2rpm-opensuse
+# ## used by gem2rpm
+# :testsuite_command: |-
+#   (pushd %{buildroot}%{gem_base}/gems/%{mod_full_name} && rake test)
+# ## used by gem2rpm
+# :filelist: |-
+#   /usr/bin/gem2rpm-opensuse
+# ## used by gem2rpm
+# :scripts:
+#   :post: |-
+#     /bin/echo foo
+# ## used by gem_packages
+# :main:
+#   :preamble: |-
+#     Requires: util-linux
+#     Recommends: pwgen
+#   :filelist: |-
+#     /usr/bin/gem2rpm-opensuse
+# ## used by gem_packages
+# :custom:
+#   apache:
+#     :preamble: |-
+#       Requires: .....
+#     :filelist: |-
+#       /etc/apache2/conf.d/passenger.conf
+#     :summary: Custom summary is optional
+#     :description: |-
+#       Custom description is optional
+#
+#       bar
+#     :post: |-
+#       /bin/echo foo
+#
+---
+:summary: A modular Ruby webserver interface
+
+:sources:
+  - rubygem-rack-rpmlintrc
+
+:preamble: |-
+  BuildRequires:  fdupes
+
+  %if 0%{?suse_version} && 0%{?suse_version} < 1330
+  %define rb_build_versions ruby23 ruby24 ruby25
+  %define rb_build_ruby_abi ruby:2.3.0 ruby:2.4.0 ruby:2.5.0
+  %endif
+
+:post_install: |-
+  %fdupes %{buildroot}%{_libdir}/ruby/gems/*/gems/%{mod_name}-%{version}/

rubygem-rack-rpmlintrc

@@ -0,0 +1,2 @@
+addFilter('wrong-script-interpreter.*rackup')
+addFilter('script-without-shebang')

rubygem-rack.changes

@@ -0,0 +1,568 @@
+-------------------------------------------------------------------
+Mon Nov  4 17:17:57 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>
+
+- New upstream release 3.1.8, see bundled CHANGELOG.md
+
+-------------------------------------------------------------------
+Fri Jun 21 10:27:01 UTC 2024 - Dan Čermák <dan.cermak@posteo.net>
+
+- New upstream release 3.1.3, see bundled CHANGELOG.md
+
+-------------------------------------------------------------------
+Tue Feb 27 13:35:02 UTC 2024 - pgajdos@suse.com
+
+- version update to 3.0.9.1
+  * Fixed ReDoS in Accept header parsing [CVE-2024-26146][bsc#1220248]
+  * Fixed ReDoS in Content Type header parsing [CVE-2024-25126][bsc#1220239]
+  * Reject Range headers which are too large [CVE-2024-26141][bsc#1220242]
+  * Fix content-length calcuation in Rack:Response#write #2150
+
+-------------------------------------------------------------------
+Tue Nov 14 15:25:36 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>
+
+- 3.0.8:
+
+## What's Changed
+* Backport "Fix some unused variable verbose warnings" by @skipkayhil in https://github.com/rack/rack/pull/2084
+
+## New Contributors
+* @skipkayhil made their first contribution in https://github.com/rack/rack/pull/2084
+
+**Full Changelog**: https://github.com/rack/rack/compare/v3.0.7...v3.0.8
+
+
+
+-------------------------------------------------------------------
+Mon Mar 20 11:53:21 UTC 2023 - pgajdos@suse.com
+
+- version update to 3.0.7
+  [3.0.7] - 2023-03-16
+    Make query parameters without = have nil values. (#2059, @jeremyevans)
+  [3.0.6.1] - 2023-03-13
+    [CVE-2023-27539] Avoid ReDoS in header parsing [bsc#1209503]
+  [3.0.6] - 2023-03-13
+    Add QueryParser#missing_value for handling missing values + tests. (#2052, @ioquatix)
+  [3.0.5] - 2023-03-13
+    Split form/query parsing into two steps. (#2038, @matthewd)
+
+-------------------------------------------------------------------
+Thu Mar  9 12:25:49 UTC 2023 - pgajdos@suse.com
+
+- version update to 3.0.4.2
+  * rack.input is now optional, and if missing, will raise an error. 
+    Use this to fail on multipart parsing a request without an input body.
+    (#2018, @ioquatix)
+  * Introduce module Rack::BadRequest which is included in multipart and
+    query parser errors. (#2019, @ioquatix)
+  * MIME type for JavaScript files (.js) changed from application/javascript
+    to text/javascript (1bd0f15)
+  * fixes CVE-2023-27530 [bsc#1209095]
+
+-------------------------------------------------------------------
+Fri Jan 20 13:25:39 UTC 2023 - Hendrik Vogelsang <hvogel@suse.com>
+
+updated to version 3.0.4.1
+
+[CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
+[CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
+[CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
+
+For more detailed information see the installed CHANGELOG.md
+
+-------------------------------------------------------------------
+Wed Dec  7 11:31:08 UTC 2022 - Stephan Kulow <coolo@suse.com>
+
+updated to version 3.0.2
+ see installed CHANGELOG.md
+
+  ## [3.0.2] -2022-12-05
+  
+  ### Fixed
+  
+  - `Utils.build_nested_query` URL-encodes nested field names including the square brackets.
+  - Allow `Rack::Response` to pass through streaming bodies. ([#1993](https://github.com/rack/rack/pull/1993), [@ioquatix])
+  
+  ## [3.0.1] - 2022-11-18
+  
+  ### Fixed
+  
+  - `MethodOverride` does not look for an override if a request does not include form/parseable data.
+  - `Rack::Lint::Wrapper` correctly handles `respond_to?` with `to_ary`, `each`, `call` and `to_path`, forwarding to the body. ([#1981](https://github.com/rack/rack/pull/1981), [@ioquatix])
+  
+
+-------------------------------------------------------------------
+Mon Oct 10 13:15:23 UTC 2022 - Stephan Kulow <coolo@suse.com>
+
+updated to version 3.0.0
+ see installed CHANGELOG.md
+
+  ## [3.0.0] - 2022-09-06
+  
+  - No changes
+  
+  ## [3.0.0.rc1] - 2022-09-04
+  
+  ### SPEC Changes
+  
+  - Stream argument must implement `<<` https://github.com/rack/rack/pull/1959
+  - `close` may be called on `rack.input` https://github.com/rack/rack/pull/1956
+  - `rack.response_finished` may be used for executing code after the response has been finished https://github.com/rack/rack/pull/1952
+  
+  ## [3.0.0.beta1] - 2022-08-08
+  
+  ### Security
+  
+  - Do not use semicolon as GET parameter separator. ([#1733](https://github.com/rack/rack/pull/1733), [@jeremyevans])
+  
+  ### SPEC Changes
+  
+  - Response array must now be non-frozen.
+  - Response `status` must now be an integer greater than or equal to 100.
+  - Response `headers` must now be an unfrozen hash.
+  - Response header keys can no longer include uppercase characters.
+  - Response header values can be an `Array` to handle multiple values (and no longer supports `\n` encoded headers).
+  - Response body can now respond to `#call` (streaming body) instead of `#each` (enumerable body), for the equivalent of response hijacking in previous versions.
+  - Middleware must no longer call `#each` on the body, but they can call `#to_ary` on the body if it responds to `#to_ary`.
+  - `rack.input` is no longer required to be rewindable.
+  - `rack.multithread`/`rack.multiprocess`/`rack.run_once`/`rack.version` are no longer required environment keys.
+  - `SERVER_PROTOCOL` is now a required environment key, matching the HTTP protocol used in the request.
+  - `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional.
+  - `rack.hijack_io` has been removed completely.
+  - `rack.response_finished` is an optional environment key which contains an array of callable objects that must accept `#call(env, status, headers, error)` and are invoked after the response is finished (either successfully or unsucessfully).
+  - It is okay to call `#close` on `rack.input` to indicate that you no longer need or care about the input.
+  - The stream argument supplied to the streaming body and hijack must support `#<<` for writing output.
+  
+  ### Removed
+  
+  - Remove `rack.multithread`/`rack.multiprocess`/`rack.run_once`. These variables generally come too late to be useful. ([#1720](https://github.com/rack/rack/pull/1720), [@ioquatix], [@jeremyevans]))
+  - Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
+  - Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
+  - Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
+  - Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
+  
+  ### Added
+  
+  - `Rack::Headers` added to support lower-case header keys. ([@jeremyevans])
+  - `Rack::Utils#set_cookie_header` now supports `escape_key: false` to avoid key escaping.  ([@jeremyevans])
+  - `Rack::RewindableInput` supports size. ([@ahorek](https://github.com/ahorek))
+  - `Rack::RewindableInput::Middleware` added for making `rack.input` rewindable. ([@jeremyevans])
+  - The RFC 7239 Forwarded header is now supported and considered by default when looking for information on forwarding, falling back to the X-Forwarded-* headers. `Rack::Request.forwarded_priority` accessor has been added for configuring the priority of which header to check.  ([#1423](https://github.com/rack/rack/issues/1423), [@jeremyevans])
+  - Allow response headers to contain array of values. ([#1598](https://github.com/rack/rack/issues/1598), [@ioquatix])
+  - Support callable body for explicit streaming support and clarify streaming response body behaviour. ([#1745](https://github.com/rack/rack/pull/1745), [@ioquatix], [#1748](https://github.com/rack/rack/pull/1748), [@wjordan])
+  - Allow `Rack::Builder#run` to take a block instead of an argument. ([#1942](https://github.com/rack/rack/pull/1942), [@ioquatix])
+  - Add `rack.response_finished` to `Rack::Lint`. ([#1802](https://github.com/rack/rack/pull/1802), [@BlakeWilliams], [#1952](https://github.com/rack/rack/pull/1952), [@ioquatix])
+  - The stream argument must implement `#<<`. ([#1959](https://github.com/rack/rack/pull/1959), [@ioquatix])
+  
+  ### Changed
+  
+  - BREAKING CHANGE: Require `status` to be an Integer. ([#1662](https://github.com/rack/rack/pull/1662), [@olleolleolle](https://github.com/olleolleolle))
+  - BREAKING CHANGE: Query parsing now treats parameters without `=` as having the empty string value instead of nil value, to conform to the URL spec. ([#1696](https://github.com/rack/rack/issues/1696), [@jeremyevans])
+  - Relax validations around `Rack::Request#host` and `Rack::Request#hostname`. ([#1606](https://github.com/rack/rack/issues/1606), [@pvande](https://github.com/pvande))
+  - Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. ([#1658](https://github.com/rack/rack/pull/1658), [@ioquatix])
+  - Removed options from `Rack::Builder.parse_file` and `Rack::Builder.load_file`. ([#1663](https://github.com/rack/rack/pull/1663), [@ioquatix])
+  - `Rack::HTTP_VERSION` has been removed and the `HTTP_VERSION` env setting is no longer set in the CGI and Webrick handlers. ([#970](https://github.com/rack/rack/issues/970), [@jeremyevans])
+  - `Rack::Request#[]` and `#[]=` now warn even in non-verbose mode. ([#1277](https://github.com/rack/rack/issues/1277), [@jeremyevans])
+  - Decrease default allowed parameter recursion level from 100 to 32. ([#1640](https://github.com/rack/rack/issues/1640), [@jeremyevans])
+  - Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. ([#1603](https://github.com/rack/rack/issues/1603), [@jeremyevans])
+  - `Rack::Utils.secure_compare` uses OpenSSL's faster implementation if available. ([#1711](https://github.com/rack/rack/pull/1711), [@bdewater](https://github.com/bdewater))
+  - `Rack::Request#POST` now caches an empty hash if input content type is not parseable. ([#749](https://github.com/rack/rack/pull/749), [@jeremyevans])
+  - BREAKING CHANGE: Updated `trusted_proxy?` to match full 127.0.0.0/8 network. ([#1781](https://github.com/rack/rack/pull/1781), [@snbloch](https://github.com/snbloch))
+  - Explicitly deprecate `Rack::File` which was an alias for `Rack::Files`. ([#1811](https://github.com/rack/rack/pull/1720), [@ioquatix]).
+  - Moved `Rack::Session` into [separate gem](https://github.com/rack/rack-session). ([#1805](https://github.com/rack/rack/pull/1805), [@ioquatix])
+  - `rackup -D` option to daemonizes no longer changes the working directory to the root. ([#1813](https://github.com/rack/rack/pull/1813), [@jeremyevans])
+  - The `x-forwarded-proto` header is now considered before the `x-forwarded-scheme` header for determining the forwarded protocol. `Rack::Request.x_forwarded_proto_priority` accessor has been added for configuring the priority of which header to check.  ([#1809](https://github.com/rack/rack/issues/1809), [@jeremyevans])
+  - `Rack::Request.forwarded_authority` (and methods that call it, such as `host`) now returns the last authority in the forwarded header, instead of the first, as earlier forwarded authorities can be forged by clients. This restores the Rack 2.1 behavior. ([#1829](https://github.com/rack/rack/issues/1809), [@jeremyevans])
+  - Use lower case cookie attributes when creating cookies, and fold cookie attributes to lower case when reading cookies (specifically impacting `secure` and `httponly` attributes). ([#1849](https://github.com/rack/rack/pull/1849), [@ioquatix])
+  - The response array must now be mutable (non-frozen) so middleware can modify it without allocating a new Array,therefore reducing object allocations. ([#1887](https://github.com/rack/rack/pull/1887), [#1927](https://github.com/rack/rack/pull/1927), [@amatsuda], [@ioquatix])
+  - `rack.hijack?` (partial hijack) and `rack.hijack` (full hijack) are now independently optional. `rack.hijack_io` is no longer required/specified. ([#1939](https://github.com/rack/rack/pull/1939), [@ioquatix])
+  - Allow calling close on `rack.input`. ([#1956](https://github.com/rack/rack/pull/1956), [@ioquatix])
+  
+  ### Fixed
+  
+  - Make Rack::MockResponse handle non-hash headers. ([#1629](https://github.com/rack/rack/issues/1629), [@jeremyevans])
+  - TempfileReaper now deletes temp files if application raises an exception. ([#1679](https://github.com/rack/rack/issues/1679), [@jeremyevans])
+  - Handle cookies with values that end in '=' ([#1645](https://github.com/rack/rack/pull/1645), [@lukaso](https://github.com/lukaso))
+  - Make `Rack::NullLogger` respond to `#fatal!` [@jeremyevans])
+  - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
+  - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
+  
+
+-------------------------------------------------------------------
+Fri Jul  8 08:41:33 UTC 2022 - Manuel Schnitzer <mschnitzer@suse.com>
+
+- updated to version 2.2.4
+
+  * Better support for lower case headers in `Rack::ETag` middleware. ([#1919](https://github.com/rack/rack/pull/1919), [@ioquatix](https://github.com/ioquatix))
+  * Use custom exception on params too deep error. ([#1838](https://github.com/rack/rack/pull/1838), [@simi](https://github.com/simi))
+
+-------------------------------------------------------------------
+Mon May 30 11:47:53 UTC 2022 - Hendrik Vogelsang <hvogel@suse.com>
+
+- updated to version 2.2.3.1
+  [CVE-2022-30123] Fix shell escaping issue in Common Logger
+  [CVE-2022-30122] Restrict parsing of broken MIME attachments
+
+-------------------------------------------------------------------
+Thu Jun 18 14:24:12 UTC 2020 - Eduardo Navarro <enavarro@suse.com>
+
+- updated to version 2.2.3
+ see installed CHANGELOG.md
+
+  ## [2.2.3] - 2020-06-15
+
+    [CVE-2020-8184] Only decode cookie values
+
+-------------------------------------------------------------------
+Tue Feb 18 15:21:41 UTC 2020 - Eduardo Navarro <enavarro@suse.com>
+
+- updated to version 2.2.2
+ see installed CHANGELOG.md
+
+  ## [2.2.2] - 2020-02-11
+
+  ### Fixed
+
+  - Fix incorrect Rack::Request#host value. ([#1591](https://github.com/rack/rack/pull/1591), [@ioquatix](https://github.com/ioquatix))
+  - Revert Rack::Handler::Thin implementation. ([#1583](https://github.com/rack/rack/pull/1583), [@jeremyevans](https://github.com/jeremyevans))
+  - Double assignment is still needed to prevent an "unused variable" warning. ([#1589](https://github.com/rack/rack/pull/1589), [@kamipo](https://github.com/kamipo))
+  - Fix to handle same_site option for session pool. ([#1587](https://github.com/rack/rack/pull/1587), [@kamipo](https://github.com/kamipo))
+
+-------------------------------------------------------------------
+Mon Feb 10 15:26:39 UTC 2020 - Stephan Kulow <coolo@suse.com>
+
+- updated to version 2.2.1
+ see installed CHANGELOG.md
+
+  # Changelog
+  
+  All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+  
+  ## [2.2.1] - 2020-02-09
+  
+  ### Fixed
+  
+  - Rework `Rack::Request#ip` to handle empty `forwarded_for`. ([#1577](https://github.com/rack/rack/pull/1577), [@ioquatix](https://github.com/ioquatix))
+  
+  ## [2.2.0] - 2020-02-08
+  
+  ### SPEC Changes
+  
+  - `rack.session` request environment entry must respond to `to_hash` and return unfrozen Hash. ([@jeremyevans](https://github.com/jeremyevans))
+  - Request environment cannot be frozen. ([@jeremyevans](https://github.com/jeremyevans))
+  - CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. ([@jeremyevans](https://github.com/jeremyevans))
+  - Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix](https://github.com/ioquatix))
+  
+  ### Added
+  
+  - `rackup` supports multiple `-r` options and will require all arguments. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Server` supports an array of paths to require for the `:require` option. ([@khotta](https://github.com/khotta))
+  - `Files` supports multipart range requests. ([@fatkodima](https://github.com/fatkodima))
+  - `Multipart::UploadedFile` supports an IO-like object instead of using the filesystem, using `:filename` and `:io` options. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Multipart::UploadedFile` supports keyword arguments `:path`, `:content_type`, and `:binary` in addition to positional arguments. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Static` supports a `:cascade` option for calling the app if there is no matching file. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Session::Abstract::SessionHash#dig`. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Response.[]` and `MockResponse.[]` for creating instances using status, headers, and body. ([@ioquatix](https://github.com/ioquatix))
+  - Convenient cache and content type methods for `Rack::Response`. ([#1555](https://github.com/rack/rack/pull/1555), [@ioquatix](https://github.com/ioquatix))
+  
+  ### Changed
+  
+  - `Request#params` no longer rescues EOFError. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Directory` uses a streaming approach, significantly improving time to first byte for large directories. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Directory` no longer includes a Parent directory link in the root directory index. ([@jeremyevans](https://github.com/jeremyevans))
+  - `QueryParser#parse_nested_query` uses original backtrace when reraising exception with new class. ([@jeremyevans](https://github.com/jeremyevans))
+  - `ConditionalGet` follows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. ([@jeremyevans](https://github.com/jeremyevans))
+  - `.ru` files supports the `frozen-string-literal` magic comment. ([@eregon](https://github.com/eregon))
+  - Rely on autoload to load constants instead of requiring internal files, make sure to require 'rack' and not just 'rack/...'. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Etag` will continue sending ETag even if the response should not be cached. ([@henm](https://github.com/henm))
+  - `Request#host_with_port` no longer includes a colon for a missing or empty port. ([@AlexWayfer](https://github.com/AlexWayfer))
+  - All handlers uses keywords arguments instead of an options hash argument. ([@ioquatix](https://github.com/ioquatix))
+  - `Files` handling of range requests no longer return a body that supports `to_path`, to ensure range requests are handled correctly. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Multipart::Generator` only includes `Content-Length` for files with paths, and `Content-Disposition` `filename` if the `UploadedFile` instance has one. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Request#ssl?` is true for the `wss` scheme (secure websockets). ([@jeremyevans](https://github.com/jeremyevans))
+  - `Rack::HeaderHash` is memoized by default. ([#1549](https://github.com/rack/rack/pull/1549), [@ioquatix](https://github.com/ioquatix))
+  - `Rack::Directory` allow directory traversal inside root directory. ([#1417](https://github.com/rack/rack/pull/1417), [@ThomasSevestre](https://github.com/ThomasSevestre))
+  - Sort encodings by server preference. ([#1184](https://github.com/rack/rack/pull/1184), [@ioquatix](https://github.com/ioquatix), [@wjordan](https://github.com/wjordan))
+  - Rework host/hostname/authority implementation in `Rack::Request`. `#host` and `#host_with_port` have been changed to correctly return IPv6 addresses formatted with square brackets, as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.2.2). ([#1561](https://github.com/rack/rack/pull/1561), [@ioquatix](https://github.com/ioquatix))
+  - `Rack::Builder` parsing options on first `#\` line is deprecated. ([#1574](https://github.com/rack/rack/pull/1574), [@ioquatix](https://github.com/ioquatix))
+  
+  ### Removed
+  
+  - `Directory#path` as it was not used and always returned nil. ([@jeremyevans](https://github.com/jeremyevans))
+  - `BodyProxy#each` as it was only needed to work around a bug in Ruby <1.9.3. ([@jeremyevans](https://github.com/jeremyevans))
+  - `URLMap::INFINITY` and `URLMap::NEGATIVE_INFINITY`, in favor of `Float::INFINITY`. ([@ch1c0t](https://github.com/ch1c0t))
+  - Deprecation of `Rack::File`. It will be deprecated again in rack 2.2 or 3.0. ([@rafaelfranca](https://github.com/rafaelfranca))
+  - Support for Ruby 2.2 as it is well past EOL. ([@ioquatix](https://github.com/ioquatix))
+  - Remove `Rack::Files#response_body` as the implementation was broken. ([#1153](https://github.com/rack/rack/pull/1153), [@ioquatix](https://github.com/ioquatix))
+  - Remove `SERVER_ADDR` which was never part of the original SPEC. ([#1573](https://github.com/rack/rack/pull/1573), [@ioquatix](https://github.com/ioquatix))
+  
+  ### Fixed
+  
+  - `Directory` correctly handles root paths containing glob metacharacters. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Cascade` uses a new response object for each call if initialized with no apps. ([@jeremyevans](https://github.com/jeremyevans))
+  - `BodyProxy` correctly delegates keyword arguments to the body object on Ruby 2.7+. ([@jeremyevans](https://github.com/jeremyevans))
+  - `BodyProxy#method` correctly handles methods delegated to the body object. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Request#host` and `Request#host_with_port` handle IPv6 addresses correctly. ([@AlexWayfer](https://github.com/AlexWayfer))
+  - `Lint` checks when response hijacking that `rack.hijack` is called with a valid object. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Response#write` correctly updates `Content-Length` if initialized with a body. ([@jeremyevans](https://github.com/jeremyevans))
+  - `CommonLogger` includes `SCRIPT_NAME` when logging. ([@Erol](https://github.com/Erol))
+  - `Utils.parse_nested_query` correctly handles empty queries, using an empty instance of the params class instead of a hash. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Directory` correctly escapes paths in links. ([@yous](https://github.com/yous))
+  - `Request#delete_cookie` and related `Utils` methods handle `:domain` and `:path` options in same call. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Request#delete_cookie` and related `Utils` methods do an exact match on `:domain` and `:path` options. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Static` no longer adds headers when a gzipped file request has a 304 response. ([@chooh](https://github.com/chooh))
+  - `ContentLength` sets `Content-Length` response header even for bodies not responding to `to_ary`. ([@jeremyevans](https://github.com/jeremyevans))
+  - Thin handler supports options passed directly to `Thin::Controllers::Controller`. ([@jeremyevans](https://github.com/jeremyevans))
+  - WEBrick handler no longer ignores `:BindAddress` option. ([@jeremyevans](https://github.com/jeremyevans))
+  - `ShowExceptions` handles invalid POST data. ([@jeremyevans](https://github.com/jeremyevans))
+  - Basic authentication requires a password, even if the password is empty. ([@jeremyevans](https://github.com/jeremyevans))
+  - `Lint` checks response is array with 3 elements, per SPEC. ([@jeremyevans](https://github.com/jeremyevans))
+  - Support for using `:SSLEnable` option when using WEBrick handler. (Gregor Melhorn)
+  - Close response body after buffering it when buffering. ([@ioquatix](https://github.com/ioquatix))
+  - Only accept `;` as delimiter when parsing cookies. ([@mrageh](https://github.com/mrageh))
+  - `Utils::HeaderHash#clear` clears the name mapping as well. ([@raxoft](https://github.com/raxoft)) 
+  - Support for passing `nil` `Rack::Files.new`, which notably fixes Rails' current `ActiveStorage::FileServer` implementation. ([@ioquatix](https://github.com/ioquatix))
+  
+  ### Documentation
+  
+  - CHANGELOG updates. ([@aupajo](https://github.com/aupajo))
+  - Added [CONTRIBUTING](CONTRIBUTING.md). ([@dblock](https://github.com/dblock))
+
+-------------------------------------------------------------------
+Wed Jan 29 11:44:30 UTC 2020 - Daniel Donisa <daniel.donisa@suse.com>
+
+- updated to version 2.1.2 
+
+-------------------------------------------------------------------
+Mon Jan 27 11:28:34 UTC 2020 - Manuel Schnitzer <mschnitzer@suse.com>
+
+- updated to version 2.1.1
+
+  * Remove Rack::Chunked from Rack::Server default middleware. (#1475, @ioquatix)
+  * Restore support for code relying on SessionId#to_s. (@jeremyevans)
+
+- non upstream changes
+
+  * removed the modification of the permissions for test/cgi/test.gz
+    during package build since it won't get installed anymore.
+
+-------------------------------------------------------------------
+Thu Dec 19 08:55:14 UTC 2019 - David Kang <dkang@suse.com>
+
+- updated to version 2.0.8
+  * CVE-2019-16782: Possible information leak / session hijack vulnerability
+
+-------------------------------------------------------------------
+Sat Apr  6 17:52:23 UTC 2019 - manuel <mschnitzer@suse.com>
+
+- updated to version 2.0.7
+
+  no changelog found
+
+-------------------------------------------------------------------
+Tue Nov  6 23:24:32 UTC 2018 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 2.0.6:
+  * CVE-2018-16471: cross-site scripting (XSS) flaw via the scheme
+    method on Rack::Request (bsc#1114828)
+
+-------------------------------------------------------------------
+Mon Apr 23 18:18:04 UTC 2018 - factory-auto@kulow.org
+
+- updated to version 2.0.5
+ see installed HISTORY.md
+
+-------------------------------------------------------------------
+Mon Apr 16 15:47:33 UTC 2018 - mschnitzer@suse.com
+
+- Only build against ruby versions 2.3.x, 2.4.x, and 2.5.x
+- Fix package build by removing the executable bit for 'test.gz' file in gem
+
+-------------------------------------------------------------------
+Thu Feb  8 06:21:32 UTC 2018 - coolo@suse.com
+
+- updated to version 2.0.4
+ see installed HISTORY.md
+
+-------------------------------------------------------------------
+Tue Oct 31 14:09:19 UTC 2017 - mrueckert@suse.de
+
+- only build for 2.3+ from now
+
+-------------------------------------------------------------------
+Wed Jun  7 16:24:31 UTC 2017 - mrueckert@suse.de
+
+- re-add the rb_build_versions and rb_default_ruby_abi as otherwise
+  building on older distros fails.
+- add ruby 2.4
+
+-------------------------------------------------------------------
+Thu Jun  1 18:55:47 UTC 2017 - opensuse_buildservice@ojkastl.de
+
+- removed manual definition of rb_build_versions and rb_default_ruby_abi from gem2rpm.yml; recreated spec
+
+-------------------------------------------------------------------
+Tue May 23 10:12:04 UTC 2017 - coolo@suse.com
+
+- updated to version 2.0.3
+ see installed HISTORY.md
+
+-------------------------------------------------------------------
+Wed Jul  6 01:17:36 UTC 2016 - mrueckert@suse.de
+
+- make build again by only building for 2.2 and newer
+
+-------------------------------------------------------------------
+Fri Jul  1 04:34:13 UTC 2016 - coolo@suse.com
+
+- updated to version 2.0.1
+ see installed HISTORY.md
+
+-------------------------------------------------------------------
+Fri Jun 19 04:32:19 UTC 2015 - coolo@suse.com
+
+- updated to version 1.6.4
+ see installed HISTORY.md
+
+  Fri Jun 19 07:14:50 2015  Matthew Draper <matthew@trebex.net>
+
+  	* Work around a Rails incompatibility in our private API
+
+-------------------------------------------------------------------
+Wed Jun 17 04:37:32 UTC 2015 - coolo@suse.com
+
+- updated to version 1.6.2
+ see installed HISTORY.md
+
+  Fri Jun 12 11:37:41 2015  Aaron Patterson <tenderlove@ruby-lang.org>
+
+  	* Prevent extremely deep parameters from being parsed. CVE-2015-3225
+
+-------------------------------------------------------------------
+Thu May  7 04:29:35 UTC 2015 - coolo@suse.com
+
+- updated to version 1.6.1
+  no changelog found
+
+-------------------------------------------------------------------
+Fri Feb  6 18:18:15 UTC 2015 - coolo@suse.com
+
+- updated to version 1.6.0
+
+-------------------------------------------------------------------
+Sat Nov  1 23:17:03 UTC 2014 - tboerger@suse.com
+
+- Fixed all rpmlintrc errors to prevent failing builds with
+  multiple ruby versions
+
+-------------------------------------------------------------------
+Mon Sep 29 20:13:50 UTC 2014 - mrueckert@suse.de
+
+- added rpmlintrc to ignore the rackup shebang line in a test case
+- updated to new packaging scheme and add gem2rpm.yml
+
+-------------------------------------------------------------------
+Tue May 28 05:28:04 UTC 2013 - coolo@suse.com
+
+- new template version
+
+-------------------------------------------------------------------
+Tue Feb 12 13:45:09 UTC 2013 - coolo@suse.com
+
+- updated to version 1.5.2
+ * February 7th, Thirty fifth public release 1.5.2
+   * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
+   * Fix CVE-2013-0262, symlink path traversal in Rack::File
+   * Add various methods to Session for enhanced Rails compatibility
+   * Request#trusted_proxy? now only matches whole stirngs
+   * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns
+   * URLMap host matching in environments that don't set the Host header fixed
+   * Fix a race condition that could result in overwritten pidfiles
+   * Various documentation additions
+
+-------------------------------------------------------------------
+Sun Feb  3 17:14:19 UTC 2013 - coolo@suse.com
+
+- updated to version 1.5.1
+
+-------------------------------------------------------------------
+Thu Jan 24 06:34:01 UTC 2013 - coolo@suse.com
+
+- update to version 1.5.0, remove suffix
+  * Introduced hijack SPEC, for before-response and after-response hijacking
+  * SessionHash is no longer a Hash subclass
+  * Rack::File cache_control parameter is removed, in place of headers options
+  * Rack::Auth::AbstractRequest#scheme now yields strings, not symbols
+  * Rack::Utils cookie functions now format expires in RFC 2822 format
+  * Rack::File now has a default mime type
+  * rackup -b 'run Rack::File.new(".")', option provides command line configs
+  * Rack::Deflater will no longer double encode bodies
+  * Rack::Mime#match? provides convenience for Accept header matching
+  * Rack::Utils#q_values provides splitting for Accept headers
+  * Rack::Utils#best_q_match provides a helper for Accept headers
+  * Rack::Handler.pick provides convenience for finding available servers
+  * Puma added to the list of default servers (preferred over Webrick)
+  * Various middleware now correctly close body when replacing it
+  * Rack::Request#params is no longer persistent with only GET params
+  * Rack::Request#update_param and #delete_param provide persistent operations
+  * Rack::Request#trusted_proxy? now returns true for local unix sockets
+  * Rack::Response no longer forces Content-Types
+  * Rack::Sendfile provides local mapping configuration options
+  * Rack::Utils#rfc2109 provides old netscape style time output
+  * Updated HTTP status codes
+  * Ruby 1.8.6 likely no longer passes tests, and is no longer fully supported
+
+-------------------------------------------------------------------
+Tue Jan  8 20:26:44 UTC 2013 - coolo@suse.com
+
+- updated to version 1.4.3
+  * Add warnings when users do not provide a session secret
+  * Fix parsing performance for unquoted filenames
+  * Updated URI backports
+  * Fix URI backport version matching, and silence constant warnings
+  * Correct parameter parsing with empty values
+  * Correct rackup '-I' flag, to allow multiple uses
+  * Correct rackup pidfile handling
+  * Report rackup line numbers correctly
+  * Fix request loops caused by non-stale nonces with time limits
+  * Fix reloader on Windows
+  * Prevent infinite recursions from Response#to_ary
+  * Various middleware better conforms to the body close specification
+  * Updated language for the body close specification
+  * Additional notes regarding ECMA escape compatibility issues
+  * Fix the parsing of multiple ranges in range headers
+  * Prevent errors from empty parameter keys
+  * Added PATCH verb to Rack::Request
+  * Various documentation updates
+  * Fix session merge semantics (fixes rack-test)
+  * Rack::Static :index can now handle multiple directories
+  * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
+  * Rack::File cache_control parameter is now deprecated, and removed by 1.5
+  * Correct Rack::Directory script name escaping
+  * Rack::Static supports header rules for sophisticated configurations
+  * Multipart parsing now works without a Content-Length header
+  * New logos courtesy of Zachary Scott!
+  * Rack::BodyProxy now explicitly defines #each, useful for C extensions
+  * Cookies that are not URI escaped no longer cause exceptions
+  * Security: Prevent unbounded reads in large multipart boundaries
+
+-------------------------------------------------------------------
+Tue Jul 31 13:13:42 UTC 2012 - jreidinger@suse.com
+
+- use new gem2rpm to provide new provisions
+
+-------------------------------------------------------------------
+Mon Apr  2 12:41:39 UTC 2012 - saschpe@suse.de
+
+- Spec file cleanup:
+  * Prepare for Factory submission
+
+-------------------------------------------------------------------
+Fri Mar 30 13:10:03 UTC 2012 - adrian@suse.de
+
+- handle /usr/bin/rackup via update-alternatives
+
+-------------------------------------------------------------------
+Thu Jan 26 16:06:57 UTC 2012 - mrueckert@suse.de
+
+- initial package of the 1.4 branch
+

rubygem-rack.spec

@@ -0,0 +1,70 @@
+#
+# spec file for package rubygem-rack
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#
+# This file was generated with a gem2rpm.yml and not just plain gem2rpm.
+# All sections marked as MANUAL, license headers, summaries and descriptions
+# can be maintained in that file. Please consult this file before editing any
+# of those fields
+#
+
+Name:           rubygem-rack
+Version:        3.1.8
+Release:        0
+%define mod_name rack
+%define mod_full_name %{mod_name}-%{version}
+# MANUAL
+BuildRequires:  fdupes
+
+%if 0%{?suse_version} && 0%{?suse_version} < 1330
+%define rb_build_versions ruby23 ruby24 ruby25
+%define rb_build_ruby_abi ruby:2.3.0 ruby:2.4.0 ruby:2.5.0
+%endif
+# /MANUAL
+BuildRequires:  ruby-macros >= 5
+BuildRequires:  %{ruby >= 2.4.0}
+BuildRequires:  %{rubygem gem2rpm}
+URL:            https://github.com/rack/rack
+Source:         https://rubygems.org/gems/%{mod_full_name}.gem
+Source1:        rubygem-rack-rpmlintrc
+Source2:        gem2rpm.yml
+Summary:        A modular Ruby webserver interface
+License:        MIT
+
+%description
+Rack provides a minimal, modular and adaptable interface for developing
+web applications in Ruby. By wrapping HTTP requests and responses in
+the simplest way possible, it unifies and distills the API for web
+servers, web frameworks, and software in between (the so-called
+middleware) into a single method call.
+
+%prep
+
+%build
+
+%install
+%gem_install \
+  --doc-files="CHANGELOG.md MIT-LICENSE README.md" \
+  -f
+# MANUAL
+%fdupes %{buildroot}%{_libdir}/ruby/gems/*/gems/%{mod_name}-%{version}/
+# /MANUAL
+
+%gem_packages
+
+%changelog