Option for wrap-file middleware to serve symlinks

@@ -1,3 +1,20 @@
+## 1.1.0 (2012-04-23)
+
+* Support for SSL client certificates in Jetty adapter
+* Jetty adapter dependency upgraded to 7.6.1
+* wrap-cookies support for Joda-Time objects in expires and max-age attributes
+* Added wrap-head middleware
+* wrap-file middleware has option to follow symlinks
+* Added form-encode and form-decode to ring.util.codec
+* Fixed url-encode and url-decode to handle "+" correctly
+* Added ring.util.io namespace
+* Deprecated ring.util.test namespace
+* Hiccup ring-devel dependency upgraded to 1.0.0
+* Added more functions to ring.util.response
+* Default number of Jetty adapter threads is now 50
+* Support for KeyStore instances in Jetty adapter
+* Jetty configurator option now always applied last
+
 ## 1.0.2 (2012-01-25)
 
 * Updated clj-stacktrace to 0.2.4 to fix swank-clojure issue

@@ -1,48 +1,5 @@
-# Ring
+## Ring has moved to: <https://github.com/ring-clojure/ring>
 
-Ring is a Clojure web applications library inspired by Python's WSGI
-and Ruby's Rack. By abstracting the details of HTTP into a simple,
-unified API, Ring allows web applications to be constructed of modular
-components that can be shared among a variety of applications, web
-servers, and web frameworks.
-
-The [SPEC][1] file at the root of this distribution for provides a
-complete description of the Ring interface.
-
-[1]: https://github.com/mmcgrana/ring/blob/master/SPEC
-
-## Libraries
-
-* ring-core - essential functions for handling parameters, cookies and more
-* ring-devel - functions for developing and debugging Ring applications
-* ring-servlet - construct Java servlets from Ring handlers
-* ring-jetty-adapter - a Ring adapter that uses the Jetty webserver
-
-## Installation
-
-To include one of the above libraries, for example `ring-core`, add
-the following to your `:dependencies`:
-
-    [ring/ring-core "1.0.2"]
-
-To include all of them:
-
-    [ring "1.0.2"]
-
-## Documentation
-
-* [Wiki](https://github.com/mmcgrana/ring/wiki)
-* [API docs](http://mmcgrana.github.com/ring)
-
-## Community
-
-* [Google group](http://groups.google.com/group/ring-clojure)
-
-## Thanks
-
-This project borrows heavily from Ruby's Rack and Python's WSGI;
-thanks to those communities for their work.
-
-## License
-
-Copyright (c) 2009-2012 Mark McGranaghan and released under an MIT license.
+Ring has been moved to dedicated GitHub organization. This repository
+will no longer be updated, so please update your bookmarks and
+GitHub watches.

@@ -1,14 +1,14 @@
-(defproject ring "1.1.0-beta3"
+(defproject ring "1.1.0"
   :description "A Clojure web applications library."
   :url "http://github.com/mmcgrana/ring"
   :dependencies
-    [[ring/ring-core "1.1.0-beta3"]
-     [ring/ring-devel "1.1.0-beta3"]
-     [ring/ring-jetty-adapter "1.1.0-beta3"]
-     [ring/ring-servlet "1.1.0-beta3"]]
+    [[ring/ring-core "1.1.0"]
+     [ring/ring-devel "1.1.0"]
+     [ring/ring-jetty-adapter "1.1.0"]
+     [ring/ring-servlet "1.1.0"]]
   :plugins
     [[lein-sub "0.2.0"]
-     [codox "0.6.0"]]
+     [codox "0.6.1"]]
   :sub
     ["ring-core"
      "ring-devel"

@@ -1,4 +1,4 @@
-(defproject ring/ring-core "1.1.0-beta3"
+(defproject ring/ring-core "1.1.0"
   :description "Ring core libraries."
   :url "http://github.com/mmcgrana/ring"
   :dependencies [[org.clojure/clojure "1.2.1"]

@@ -20,7 +20,7 @@
   to the ring.util.response/file-response function."
   [app ^String root-path & [opts]]
   (ensure-dir root-path)
-  (let [opts (merge {:root root-path, :index-files? true} opts)]
+  (let [opts (merge {:root root-path, :index-files? true, :allow-symlinks? false} opts)]
     (fn [req]
       (if-not (= :get (:request-method req))
         (app req)

@@ -39,6 +39,13 @@
   (.startsWith (.getCanonicalPath (File. root path))
                (.getCanonicalPath (File. root))))
 
+(defn- directory-transversal?
+  "Check if a path contains '..'."
+  [^String path]
+  (-> (str/split path #"/|\\")
+      (set)
+      (contains? "..")))
+
 (defn- find-index-file
   "Search the directory for an index file."
   [^File dir]
@@ -52,7 +59,9 @@
   explanation of options."
   [^String path opts]
   (if-let [^File file (if-let [^String root (:root opts)]
-                  (and (safe-path? root path) (File. root path))
+                        (if (or (safe-path? root path) 
+                                (and (:allow-symlinks? opts) (not (directory-transversal? path))))
+                          (File. root path))
                   (File. path))]
     (cond
       (.isDirectory file)
@@ -64,8 +73,9 @@
   "Returns a Ring response to serve a static file, or nil if an appropriate
   file does not exist.
   Options:
-    :root         - take the filepath relative to this root path
-    :index-files? - look for index.* files in directories, defaults to true"
+    :root            - take the filepath relative to this root path
+    :index-files?    - look for index.* files in directories, defaults to true
+    :allow-symlinks? - serve files through symbolic links, defaults to false"
   [filepath & [opts]]
   (if-let [file (get-file filepath opts)]
     (response file)))

@@ -0,0 +1 @@
+../

@@ -104,6 +104,25 @@
       (is (= (slurp (:body resp))
              "Hello World\n")))))
 
+(deftest test-file-response
+  (testing "response map"
+    (let [resp (file-response "foo.html" {:root "test/ring/assets"})]
+      (is (= (resp :status) 200))
+      (is (= (resp :headers) {}))
+      (is (= (slurp (resp :body)) "foo"))))
+
+  (testing "file path cannot contain '..' "
+    (is (nil? (file-response "../../../project.clj" {:root "test/ring/assets"})))
+    (is (nil? (file-response "../../../project.clj" {:root "test/ring/assets/bars" :allow-symlinks? true}))))
+
+  (testing "file response optionally follows symlinks"
+    (let [resp (file-response "backlink/foo.html" {:root "test/ring/assets/bars" :allow-symlinks? true})]
+      (is (= (resp :status) 200))
+      (is (= (resp :headers) {}))
+      (is (= (slurp (resp :body)) "foo")))
+    
+    (is (nil? (file-response "backlink/foo.html" {:root "test/ring/assets/bars"})))))
+
 (deftest test-set-cookie
   (is (= {:status 200 :headers {} :cookies {"Foo" {:value "Bar"}}}
          (set-cookie {:status 200 :headers {}}

@@ -1,7 +1,7 @@
-(defproject ring/ring-devel "1.1.0-beta3"
+(defproject ring/ring-devel "1.1.0"
   :description "Ring development and debugging libraries."
   :url "http://github.com/mmcgrana/ring"
-  :dependencies [[ring/ring-core "1.1.0-beta3"]
-                 [hiccup "1.0.0-RC1"]
+  :dependencies [[ring/ring-core "1.1.0"]
+                 [hiccup "1.0.0"]
                  [clj-stacktrace "0.2.4"]
                  [ns-tracker "0.1.1"]])

@@ -0,0 +1,36 @@
+/*
+Copyright (c) 2008, Yahoo! Inc. All rights reserved.
+Code licensed under the BSD License:
+http://developer.yahoo.net/yui/license.txt
+version: 2.6.0
+*/
+html{color:#000;background:#FFF;}body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,em,strong,th,var{font-style:normal;font-weight:normal;}li{list-style:none;}caption,th{text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym{border:0;font-variant:normal;}sup{vertical-align:text-top;}sub{vertical-align:text-bottom;}input,textarea,select{font-family:inherit;font-size:inherit;font-weight:inherit;}input,textarea,select{*font-size:100%;}legend{color:#000;}del,ins{text-decoration:none;}
+
+h3.info {
+ font-size: 1.6em; 
+ margin-left: 1em;
+ padding-top: .5em;
+ padding-bottom: .5em;
+}
+
+table.request {
+  font-size: 1.1em;
+  width: 800px;
+  margin-left: 1em;
+  margin-right: 1em;
+  background: lightgrey;
+}
+
+table.request tr {
+  line-height: 1.4em;
+}
+
+table.request td.key {
+  padding-left: .5em;
+  text-aligh: left;
+  width: 150px;
+}
+
+table.request td.val {
+  text-align: left;
+}

@@ -5,28 +5,32 @@
         hiccup.def
         ring.util.response)
   (:require [clojure.set :as set]
-            [clojure.pprint :as pprint]))
+            [clojure.pprint :as pprint]
+            [clojure.java.io :as io]))
 
 (declare css)
 
 (def ring-keys
   '(:server-port :server-name :remote-addr :uri :query-string :scheme
     :request-method :content-type :content-length :character-encoding
-    :headers :body))
+    :ssl-client-cert :headers :body))
 
-(defhtml req-pair
-  [key req]
-  [:tr [:td.key  (h (str key))]
-       [:td.val  (h (pr-str (key req)))]])
+(defn- style-resource [path]
+  (html [:style {:type "text/css"} (slurp (io/resource path))]))
+
+(defn- req-pair [key req]
+  (html
+    [:tr
+      [:td.key  (h (str key))]
+      [:td.val  (h (pr-str (key req)))]]))
 
 (defhtml template
   [req]
   (doctype :xhtml-transitional)
   [:html {:xmlns "http://www.w3.org/1999/xhtml"}
     [:head
-      [:meta {:http-equiv "Content-Type" :content "text/html"}]
-      [:title "Ring: Request Dump"]]
-      [:style {:type "text/css"} css]
+      [:title "Ring: Request Dump"]
+      (style-resource "ring/css/dump.css")]
     [:body
       [:div#content
         [:h3.info "Ring Request Values"]
@@ -36,11 +40,11 @@
               (req-pair key req))]]
         (if-let [user-keys (set/difference (set (keys req)) (set ring-keys))]
           (html
-             [:br]
-             [:table.request.user
-               [:tbody [:tr
-                 (for [key (sort user-keys)]
-                   (req-pair key req))]]]))]]])
+            [:br]
+            [:table.request.user
+              [:tbody [:tr
+                (for [key (sort user-keys)]
+                  (req-pair key req))]]]))]]])
 
 (defn handle-dump
   "Returns a response tuple corresponding to an HTML dump of the request
@@ -49,43 +53,4 @@
   (pprint/pprint req)
   (println)
   (-> (response (template req))
-    (status 200)
-    (content-type "text/html")))
-
-(def ^{:private true} css "
-/*
-Copyright (c) 2008, Yahoo! Inc. All rights reserved.
-Code licensed under the BSD License:
-http://developer.yahoo.net/yui/license.txt
-version: 2.6.0
-*/
-html{color:#000;background:#FFF;}body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,em,strong,th,var{font-style:normal;font-weight:normal;}li{list-style:none;}caption,th{text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym{border:0;font-variant:normal;}sup{vertical-align:text-top;}sub{vertical-align:text-bottom;}input,textarea,select{font-family:inherit;font-size:inherit;font-weight:inherit;}input,textarea,select{*font-size:100%;}legend{color:#000;}del,ins{text-decoration:none;}
-
-h3.info {
- font-size: 1.6em; 
- margin-left: 1em;
- padding-top: .5em;
- padding-bottom: .5em;
-}
-
-table.request {
-  font-size: 1.1em;
-  width: 800px;
-  margin-left: 1em;
-  margin-right: 1em;
-  background: lightgrey;
-}
-
-table.request tr {
-  line-height: 1.4em;
-}
-
-table.request td.key {
-  padding-left: .5em;
-  text-aligh: left;
-  width: 150px;
-}
-
-table.request td.val {
-  text-align: left;
-}")
+      (content-type "text/html")))

@@ -37,7 +37,7 @@
     (html5
       [:head
         [:title "Ring: Stacktrace"]
-        (style-resource "css/stacktrace.css")]
+        (style-resource "ring/css/stacktrace.css")]
       [:body
         [:div#exception
           [:h3.info (h (str ex))]
@@ -87,6 +87,3 @@
   (-> handler
       wrap-stacktrace-log
       wrap-stacktrace-web))
-
-(def ^{:private true} css "
-")

@@ -1,8 +1,8 @@
-(defproject ring/ring-jetty-adapter "1.1.0-beta3"
+(defproject ring/ring-jetty-adapter "1.1.0"
   :description "Ring Jetty adapter."
   :url "http://github.com/mmcgrana/ring"
-  :dependencies [[ring/ring-core "1.1.0-beta3"]
-                 [ring/ring-servlet "1.1.0-beta3"]
+  :dependencies [[ring/ring-core "1.1.0"]
+                 [ring/ring-servlet "1.1.0"]
                  [org.eclipse.jetty/jetty-server "7.6.1.v20120215"]]
   :profiles
   {:dev {:dependencies [[clj-http "0.3.2"]]}})

@@ -1,5 +1,5 @@
-(defproject ring/ring-servlet "1.1.0-beta3"
+(defproject ring/ring-servlet "1.1.0"
   :description "Ring servlet utilities."
   :url "http://github.com/mmcgrana/ring"
-  :dependencies [[ring/ring-core "1.1.0-beta3"]
+  :dependencies [[ring/ring-core "1.1.0"]
                  [javax.servlet/servlet-api "2.5"]])