* Closes CVE-2013-0262
* Closes CVE-2013-0263
* Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
* Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
* Checked Rails - they don't use our authorization code
* Checked Warden - uses rails
* Checked Omniauth - uses rails
* Checked doorkeeper - uses rails
* Checked rack-authentication - does its own thing
* Checked warden-oauth - doesn't do headers
* Checked devise - uses rails
* Checked oauth2-rack - header creation only
* Checked rack-oauth2-server - does its own thing
* Probably missed a bunch, but that'll have to do
Malicious clients may send excessively long lines to trigger out-of-memory errors in a Rack web server.
Special thanks to Paul Rogers & Eric Wong
Conflicts: test/spec_multipart.rb
Fix parsing multiple ranges in HTTP_RANGE header according to w3 rfc2616 (according to last example in sec14.35.1 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35.1 ) (according to BNF rules in http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.1 )
* Closes #405
* Closes #360
Conflicts: test/spec_request.rb
* StringIO is a better choice than a struct here.
* Previously 204, 205 and 304 bodies were not closed correctly.
* This item is frequently missed, including in core.
* This is not a change in semantic requirement, and does not update the SPEC version.