removing Rack::Runtime from the default stack.

The runtime header is a potential target for timing attacks since it returns the amount of time spent on the server (eliminating network speed). Total time is also not accurate for streaming responses. The middleware can be added back via: ```ruby config.middleware.ues ::Rack::Runtime ```
2015-10-02 14:45:31 -07:00 · 2015-10-02 14:45:31 -07:00 · 37423e4ff8
commit 37423e4ff8
parent 55e6d2f0e3
7 changed files with 14 additions and 16 deletions
--- a/guides/source/api_app.md
+++ b/guides/source/api_app.md
@ -188,7 +188,6 @@ An API application comes with the following middlewares by default:
 - `ActiveSupport::Cache::Strategy::LocalCache::Middleware`
 - `ActionDispatch::RequestId`
 - `Rails::Rack::Logger`
- `Rack::Runtime`
 - `ActionDispatch::ShowExceptions`
 - `ActionDispatch::DebugExceptions`
 - `ActionDispatch::RemoteIp`
--- a/guides/source/command_line.md
+++ b/guides/source/command_line.md
@ -412,7 +412,7 @@ Ruby version              2.2.2 (x86_64-linux)
 RubyGems version          2.4.6
 Rack version              1.6
 JavaScript Runtime        Node.js (V8)
-Middleware                Rack::Sendfile, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007ffd131a7c88>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Reloader, ActionDispatch::Callbacks, ActiveRecord::Migration::CheckPending, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, Rack::Head, Rack::ConditionalGet, Rack::ETag
+Middleware                Rack::Sendfile, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007ffd131a7c88>, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Reloader, ActionDispatch::Callbacks, ActiveRecord::Migration::CheckPending, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, Rack::Head, Rack::ConditionalGet, Rack::ETag
 Application root          /home/foobar/commandsapp
 Environment               development
 Database adapter          sqlite3
--- a/guides/source/rails_on_rack.md
+++ b/guides/source/rails_on_rack.md
@ -106,7 +106,6 @@ use Rack::Sendfile
 use ActionDispatch::Static
 use Rack::Lock
 use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x000000029a0838>
-use Rack::Runtime
 use Rack::MethodOverride
 use ActionDispatch::RequestId
 use Rails::Rack::Logger
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@ -1,3 +1,6 @@
+*   Removed Rack::Runtime from the default stack.  It can be added back via
+    `config.middleware.use ::Rack::Runtime`.
+
 *   Add fail fast to `bin/rails test`

    Adding `--fail-fast` or `-f` when running tests will interrupt the run on
--- a/railties/lib/rails/application/bootstrap.rb
+++ b/railties/lib/rails/application/bootstrap.rb
@ -63,7 +63,7 @@ module Bootstrap
          Rails.cache = ActiveSupport::Cache.lookup_store(config.cache_store)

          if Rails.cache.respond_to?(:middleware)
-            config.middleware.insert_before(::Rack::Runtime, Rails.cache.middleware)
+            config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)
          end
        end
      end
--- a/railties/lib/rails/application/default_middleware_stack.rb
+++ b/railties/lib/rails/application/default_middleware_stack.rb
@ -47,7 +47,6 @@ def build_stack
            end
          end

-          middleware.use ::Rack::Runtime
          middleware.use ::Rack::MethodOverride unless config.api_only
          middleware.use ::ActionDispatch::RequestId

--- a/railties/test/application/middleware_test.rb
+++ b/railties/test/application/middleware_test.rb
@ -27,9 +27,8 @@ def app
        "Rack::Sendfile",
        "ActionDispatch::Static",
        "ActionDispatch::LoadInterlock",
-        "ActiveSupport::Cache::Strategy::LocalCache",
-        "Rack::Runtime",
        "Rack::MethodOverride",
+        "ActiveSupport::Cache::Strategy::LocalCache",
        "ActionDispatch::RequestId",
        "Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
        "ActionDispatch::ShowExceptions",
@ -59,7 +58,6 @@ def app
        "ActionDispatch::Static",
        "ActionDispatch::LoadInterlock",
        "ActiveSupport::Cache::Strategy::LocalCache",
-        "Rack::Runtime",
        "ActionDispatch::RequestId",
        "Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
        "ActionDispatch::ShowExceptions",
@ -168,19 +166,19 @@ def app
    end

    test "can delete a middleware from the stack even if insert_before is added after delete" do
-      add_to_config "config.middleware.delete Rack::Runtime"
-      add_to_config "config.middleware.insert_before(Rack::Runtime, Rack::Config)"
+      add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
+      add_to_config "config.middleware.insert_before(ActionDispatch::ShowExceptions, Rack::Config)"
      boot!
      assert middleware.include?("Rack::Config")
-      assert_not middleware.include?("Rack::Runtime")
+      assert_not middleware.include?("ActionDispatch::ShowExceptions")
    end

    test "can delete a middleware from the stack even if insert_after is added after delete" do
-      add_to_config "config.middleware.delete Rack::Runtime"
-      add_to_config "config.middleware.insert_after(Rack::Runtime, Rack::Config)"
+      add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
+      add_to_config "config.middleware.insert_after(ActionDispatch::ShowExceptions, Rack::Config)"
      boot!
      assert middleware.include?("Rack::Config")
-      assert_not middleware.include?("Rack::Runtime")
+      assert_not middleware.include?("ActionDispatch::ShowExceptions")
    end

    test "includes exceptions middlewares even if action_dispatch.show_exceptions is disabled" do
@ -218,12 +216,12 @@ def app
    test "Rails.cache does not respond to middleware" do
      add_to_config "config.cache_store = :memory_store"
      boot!
-      assert_equal "Rack::Runtime", middleware.fourth
+      assert_equal "Rack::MethodOverride", middleware.fourth
    end

    test "Rails.cache does respond to middleware" do
      boot!
-      assert_equal "Rack::Runtime", middleware.fifth
+      assert_equal "ActiveSupport::Cache::Strategy::LocalCache", middleware.fifth
    end

    test "insert middleware before" do