Introduce Request::ALLOWED_SCHEMES and deprecate existing constant #1314
Conversation
|
The term whitelist/blacklist has nothing to do with racist. |
|
In my opinion, "allowed_schemes" is a bit clearer than "scheme_allowlist". |
lib/rack/request.rb
Outdated
| end | ||
| end | ||
|
|
||
| def self.scheme_allowlist |
There was a problem hiding this comment.
I think we don't need a class method for this. This constant was never made to be exposed as public. Just a public ALLOWED_SCHEMAS is fine.
|
I think these are called "schemes", not "schemas". https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml |
|
Good point @mikegee. @JuanitoFatas can you rename it? |
|
Updated and trailing spaces in Changelog got trimmed by my editor. |
lib/rack/request.rb
Outdated
| if Object.respond_to?(:deprecate_constant) | ||
| deprecate_constant :SCHEME_WHITELIST | ||
| else | ||
| warn("SCHEME_WHITELIST is deprecated and will be removed in a future version of Rack. Please use ALLOWED_SCHEMES instead.") |
There was a problem hiding this comment.
I just realized that this will always warn even if SCHEME_WHITELIST is not used by the app. Is that desired?
There was a problem hiding this comment.
I did some experiments:
class Namespace
ALLOWED_SCHEMES = %w(http https)
SCHEME_WHITELIST = ALLOWED_SCHEMES
if $VERBOSE
if Object.respond_to?(:deprecate_constant)
deprecate_constant :SCHEME_WHITELIST
else
warn("SCHEME_WHITELIST is deprecated. Please use ALLOWED_SCHEMES instead.")
end
end
end
puts "Reference ALLOWED_SCHEMES"
Namespace::ALLOWED_SCHEMES
puts "Reference SCHEME_WHITELIST"
Namespace::SCHEME_WHITELIST=>
$ ruby -w namespace.rb
Reference ALLOWED_SCHEMES
Reference SCHEME_WHITELIST
1.rb:19: warning: constant Namespace::SCHEME_WHITELIST is deprecated
Only when we actually reference SCHEME_WHITELIST and $VERBOSE is on will emit warnings, loading the file will not emit warnings.
There was a problem hiding this comment.
But is not that because deprecate_constant is defined? If you don't have it it happens as soon that like 27 is executed
There was a problem hiding this comment.
Ah I understand now. Yes, for Ruby < 2.3.0, if they turn on warning (-w, --verbose, RUBYOPT=-w), then a warning will show as soon as L27 executed. What do you suggest?
There was a problem hiding this comment.
I'd say, let's remove the else branch for now. There is a chance that rack master will not support Ruby 2.2
lib/rack/request.rb
Outdated
| SCHEME_WHITELIST = %w(https http).freeze | ||
| ALLOWED_SCHEMES = %w(https http).freeze | ||
| SCHEME_WHITELIST = ALLOWED_SCHEMES | ||
| if $VERBOSE |
There was a problem hiding this comment.
Do we need to check $VERBOSE here? That sounds like it should be deprecate_constant's problem.
CHANGELOG.md
Outdated
| @@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file. For info on | |||
|
|
|||
| ### Changed | |||
| - `Rack::Utils.status_code` now raises an error when the status symbol is invalid instead of `500`. | |||
| - `Rack::Request::SCHEME_WHITELIST` now deprecated, please use `Rack::Request::ALLOWED_SCHEMES` instead | |||
There was a problem hiding this comment.
I think this would be clearer phrased as "has been renamed to"; the deprecation behaviour seems the less interesting part. (I'll also note we aren't helping anyone who's changing/overriding the constant, which feels at least as likely as someone using the constant to get ["http", "https"]. But that's probably fine.)
JuanitoFatas
changed the title
|
Thanks everyone for comment and reviews 🙇 |
Problem
Update the constant to use clearer terminology.
Description:
Deprecates the constant, provide a new class method
Request.scheme_allowlistfor anyone who still needs it.Original motivation, other community efforts examples: