Introduce Request::ALLOWED_SCHEMES and deprecate existing constant #1314
The term whitelist/blacklist has nothing to do with racism.
In my opinion, "allowed_schemes" is a bit clearer than "scheme_allowlist".
lib/rack/request.rb
Outdated
end | ||
end | ||
|
||
def self.scheme_allowlist |
I think we don't need a class method for this. This constant was never made to be exposed as public. Just a public `ALLOWED_SCHEMAS` is fine.
I think these are called "schemes", not "schemas". https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
Good point @mikegee. @JuanitoFatas can you rename it?
Updated and trailing spaces in Changelog got trimmed by my editor.
lib/rack/request.rb
Outdated
if Object.respond_to?(:deprecate_constant) | ||
deprecate_constant :SCHEME_WHITELIST | ||
else | ||
warn("SCHEME_WHITELIST is deprecated and will be removed in a future version of Rack. Please use ALLOWED_SCHEMES instead.") |
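Review bot: The `else` branch calls `warn(...)` while the file is being loaded, so on a Ruby without `deprecate_constant` the message is printed whether or not anything references `SCHEME_WHITELIST`, and it does not name the `Rack::Request` namespace the constant lives in. Consider dropping the fallback, or at least writing the message as `Rack::Request::SCHEME_WHITELIST is deprecated ...` so that it can be traced from application logs.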
I just realized that this will always warn even if `SCHEME_WHITELIST` is not used by the app. Is that desired?
I did some experiments:

```ruby
class Namespace
  ALLOWED_SCHEMES = %w(http https)
  SCHEME_WHITELIST = ALLOWED_SCHEMES
  if $VERBOSE
    if Object.respond_to?(:deprecate_constant)
      deprecate_constant :SCHEME_WHITELIST
    else
      warn("SCHEME_WHITELIST is deprecated. Please use ALLOWED_SCHEMES instead.")
    end
  end
end

puts "Reference ALLOWED_SCHEMES"
Namespace::ALLOWED_SCHEMES
puts "Reference SCHEME_WHITELIST"
Namespace::SCHEME_WHITELIST
```

=>

```
$ ruby -w namespace.rb
Reference ALLOWED_SCHEMES
Reference SCHEME_WHITELIST
1.rb:19: warning: constant Namespace::SCHEME_WHITELIST is deprecated
```

Only when we actually reference `SCHEME_WHITELIST` and `$VERBOSE` is on will it emit warnings; loading the file will not emit warnings.
But isn't that because `deprecate_constant` is defined? If you don't have it, it happens as soon as line 27 is executed
Ah I understand now. Yes, for Ruby < 2.3.0, if they turn on warnings (`-w`, `--verbose`, `RUBYOPT=-w`), then a warning will show as soon as L27 is executed. What do you suggest?
I'd say, let's remove the else branch for now. There is a chance that rack master will not support Ruby 2.2
I really like the new name (thanks @mikegee)
lib/rack/request.rb
Outdated
SCHEME_WHITELIST = %w(https http).freeze | ||
ALLOWED_SCHEMES = %w(https http).freeze | ||
SCHEME_WHITELIST = ALLOWED_SCHEMES | ||
if $VERBOSE |
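Review bot: `if $VERBOSE` on the last line ties whatever it guards to the warning level at the moment this file is loaded, so a process that enables warnings after requiring Rack would never see the deprecation. If the guarded call is `deprecate_constant :SCHEME_WHITELIST`, it can run unconditionally, because Ruby reports a deprecated constant only at the point where it is referenced. Keeping `SCHEME_WHITELIST = ALLOWED_SCHEMES` as an alias of the same frozen array is fine for readers of the old name.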
Do we need to check `$VERBOSE` here? That sounds like it should be `deprecate_constant`'s problem.
CHANGELOG.md
Outdated
@@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file. For info on | |||
|
|||
### Changed | |||
- `Rack::Utils.status_code` now raises an error when the status symbol is invalid instead of `500`. | |||
- `Rack::Request::SCHEME_WHITELIST` now deprecated, please use `Rack::Request::ALLOWED_SCHEMES` instead |
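Review bot: The new entry on the last line has no trailing period, unlike the `Rack::Utils.status_code` entry above it, and "now deprecated, please use" is a comma splice. Suggest wording it as "`Rack::Request::SCHEME_WHITELIST` is deprecated; use `Rack::Request::ALLOWED_SCHEMES` instead." so the list stays consistent.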
I think this would be clearer phrased as "has been renamed to"; the deprecation behaviour seems the less interesting part. (I'll also note we aren't helping anyone who's changing/overriding the constant, which feels at least as likely as someone using the constant to get `["http", "https"]`. But that's probably fine.)
Thanks everyone for the comments and reviews 🙇
Problem
Update the constant to use clearer terminology.
Description:
Deprecates the constant, provides a new class method `Request.scheme_allowlist` for anyone who still needs it.
Original motivation, other community efforts examples: