[2.1.4] - 2020-06-15¶ ↑

• [CVE-2020-8184] When parsing cookies, only decode the value

[2.1.3] - 2020-05-12¶ ↑

• [CVE-2020-8161] Use Dir.entries instead of Dir to prevent user-specified glob metacharacters -

  [2.1.2] - 2020-01-27¶ ↑

• Fix multipart parser for some files to prevent denial of service (@aiomaster)

• Fix Rack::Builder#use with keyword arguments (@kamipo)

• Skip deflating in Rack::Deflater if Content-Length is 0 (@jeremyevans)

• Remove SessionHash#transform_keys, no longer needed (@pavel)

• Add to_hash to wrap Hash and Session classes (@oleh-demyanyuk)

• Handle case where session id key is requested but missing (@jeremyevans)

[2.1.1] - 2020-01-12¶ ↑

• Remove Rack::Chunked from Rack::Server default middleware. (#1475, @ioquatix)

[2.1.0] - 2020-01-10¶ ↑

Added¶ ↑

• Add support for SameSite=None cookie value. (@hennikul)

• Add trailer headers. (@eileencodes)

• Add MIME Types for video streaming. (@styd)

• Add MIME Type for WASM. (@buildrtech)

• Add Early Hints(103) to status codes. (@egtra)

• Add Too Early(425) to status codes. (@y-yagi)

• Add Bandwidth Limit Exceeded(509) to status codes. (@CJKinni)

• Add method for custom ip_filter. (@svcastaneda)

• Add boot-time profiling capabilities to rackup. (@tenderlove)

• Add multi mapping support for X-Accel-Mappings header. (@yoshuki)

• Add sync: false option to Rack::Deflater. (Eric Wong)

• Add Builder#freeze_app to freeze application and all middleware instances. (@jeremyevans)

• Add API to extract cookies from Rack::MockResponse. (@petercline)

Changed¶ ↑

• Don't propagate nil values from middleware. (@ioquatix)

• Lazily initialize the response body and only buffer it if required. (@ioquatix)

• Fix deflater zlib buffer errors on empty body part. (@felixbuenemann)

• Set X-Accel-Redirect to percent-encoded path. (@diskkid)

• Remove unnecessary buffer growing when parsing multipart. (@tainoe)

• Expand the root path in Rack::Static upon initialization. (@rosenfeld)

• Make ShowExceptions work with binary data. (@axyjo)

• Use buffer string when parsing multipart requests. (@janko-m)

• Support optional UTF-8 Byte Order Mark (BOM) in config.ru. (@mikegee)

• Handle X-Forwarded-For with optional port. (@dpritchett)

• Use Time#httpdate format for Expires, as proposed by RFC 7231. (@nanaya)

• Make Utils.status_code raise an error when the status symbol is invalid instead of 500. (@adambutler)

• Rename Request::SCHEME_WHITELIST to Request::ALLOWED_SCHEMES.

• Make Multipart::Parser.get_filename accept files with + in their name. (@lucaskanashiro)

• Add Falcon to the default handler fallbacks. (@ioquatix)

• Update codebase to avoid string mutations in preparation for frozen_string_literals. (@pat)

• Change MockRequest#env_for to rely on the input optionally responding to #size instead of #length. (@janko)

• Rename Rack::File -> Rack::Files and add deprecation notice. (@postmodern).

• Prefer Base64 “strict encoding” for Base64 cookies. (@ioquatix)

Removed¶ ↑

• Remove to_ary from Response (@tenderlove)

• Deprecate Rack::Session::Memcache in favor of Rack::Session::Dalli from dalli gem (@fatkodima)

Fixed¶ ↑

• Eliminate warnings for Ruby 2.7. (@osamtimizer])

Documentation¶ ↑

• Update broken example in Session::Abstract::ID documentation. (tonytonyjan)

• Add Padrino to the list of frameworks implmenting Rack. (@wikimatze)

• Remove Mongrel from the suggested server options in the help output. (@tricknotes)

• Replace HISTORY.md and NEWS.md with CHANGELOG.md. (@twitnithegirl)

• CHANGELOG updates. (@drenmi, @p8)