author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-10-02 14:45:31 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2015-10-02 14:45:31 -0700 |
commit | 37423e4ff883ad5584bab983aceb4b2b759a1fd8 (patch) | |
tree | 93dc7b22fc418927258ab290e9a48cb649bc1a0f /railties | |
parent | 55e6d2f0e344a5396f6d6448146efeb949a1c222 (diff) | |
download | rails-37423e4ff883ad5584bab983aceb4b2b759a1fd8.tar.gz rails-37423e4ff883ad5584bab983aceb4b2b759a1fd8.tar.bz2 rails-37423e4ff883ad5584bab983aceb4b2b759a1fd8.zip |
removing Rack::Runtime from the default stack.
The runtime header is a potential target for timing attacks since it
returns the amount of time spent on the server (eliminating network
speed). Total time is also not accurate for streaming responses.
The middleware can be added back via:
```ruby
config.middleware.use ::Rack::Runtime
```
Diffstat (limited to 'railties')
-rw-r--r-- | railties/CHANGELOG.md | 3 | ||||
-rw-r--r-- | railties/lib/rails/application/bootstrap.rb | 2 | ||||
-rw-r--r-- | railties/lib/rails/application/default_middleware_stack.rb | 1 | ||||
-rw-r--r-- | railties/test/application/middleware_test.rb | 20 |
4 files changed, 13 insertions, 13 deletions
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 3e45a09dec..6822507630 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,6 @@
+* Removed Rack::Runtime from the default stack. It can be added back via
+ `config.middleware.use ::Rack::Runtime`.
+
 * Add fail fast to `bin/rails test`
 Adding `--fail-fast` or `-f` when running tests will interrupt the run on
diff --git a/railties/lib/rails/application/bootstrap.rb b/railties/lib/rails/application/bootstrap.rb
index 9baf8aa742..85c282783b 100644
--- a/railties/lib/rails/application/bootstrap.rb
+++ b/railties/lib/rails/application/bootstrap.rb
@@ -63,7 +63,7 @@ INFO
 Rails.cache = ActiveSupport::Cache.lookup_store(config.cache_store)
 if Rails.cache.respond_to?(:middleware)
- config.middleware.insert_before(::Rack::Runtime, Rails.cache.middleware)
+ config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)
 end
 end
 end
diff --git a/railties/lib/rails/application/default_middleware_stack.rb b/railties/lib/rails/application/default_middleware_stack.rb
index 21062f3a53..b2185ca818 100644
--- a/railties/lib/rails/application/default_middleware_stack.rb
+++ b/railties/lib/rails/application/default_middleware_stack.rb
@@ -47,7 +47,6 @@ module Rails
 end
 end
- middleware.use ::Rack::Runtime
 middleware.use ::Rack::MethodOverride unless config.api_only
 middleware.use ::ActionDispatch::RequestId
diff --git a/railties/test/application/middleware_test.rb b/railties/test/application/middleware_test.rb
index 138c63266e..490f0ba822 100644
--- a/railties/test/application/middleware_test.rb
+++ b/railties/test/application/middleware_test.rb
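Review bot: The new anchor in `config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)` in bootstrap.rb is chosen without explanation, and it moves the cache strategy middleware below `Rack::MethodOverride` in the full stack (the expected list in middleware_test.rb shows the new order). A short comment above the call would record the intent, for example `# Rack::Runtime is no longer in the default stack, so anchor the cache middleware on RequestId`. Other initializers or gems that position middleware relative to `::Rack::Runtime`, as this line did, would presumably need the same change, and the CHANGELOG entry does not mention that. The enclosing initializer block starts outside the hunk.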
@@ -27,9 +27,8 @@ module ApplicationTests
 "Rack::Sendfile",
 "ActionDispatch::Static",
 "ActionDispatch::LoadInterlock",
- "ActiveSupport::Cache::Strategy::LocalCache",
- "Rack::Runtime",
 "Rack::MethodOverride",
+ "ActiveSupport::Cache::Strategy::LocalCache",
 "ActionDispatch::RequestId",
 "Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
 "ActionDispatch::ShowExceptions",
@@ -59,7 +58,6 @@ module ApplicationTests
 "ActionDispatch::Static",
 "ActionDispatch::LoadInterlock",
 "ActiveSupport::Cache::Strategy::LocalCache",
- "Rack::Runtime",
 "ActionDispatch::RequestId",
 "Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
 "ActionDispatch::ShowExceptions",
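Review bot: Neither expected-stack list, here or in the `@@ -59` hunk, is backed by a test of the opt-in path that the CHANGELOG documents. Nothing visible checks that the middleware can be put back, or that responses no longer carry the `X-Runtime` header by default, so the timing-exposure fix could regress unnoticed. A small test in this file would cover the first case: `add_to_config "config.middleware.use ::Rack::Runtime"`, then `boot!`, then `assert middleware.include?("Rack::Runtime")`. Both lists start and end outside their hunks, so the full expected order is not visible here.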
@@ -168,19 +166,19 @@ module ApplicationTests
 end
 test "can delete a middleware from the stack even if insert_before is added after delete" do
- add_to_config "config.middleware.delete Rack::Runtime"
- add_to_config "config.middleware.insert_before(Rack::Runtime, Rack::Config)"
+ add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
+ add_to_config "config.middleware.insert_before(ActionDispatch::ShowExceptions, Rack::Config)"
 boot!
 assert middleware.include?("Rack::Config")
- assert_not middleware.include?("Rack::Runtime")
+ assert_not middleware.include?("ActionDispatch::ShowExceptions")
 end
 test "can delete a middleware from the stack even if insert_after is added after delete" do
- add_to_config "config.middleware.delete Rack::Runtime"
- add_to_config "config.middleware.insert_after(Rack::Runtime, Rack::Config)"
+ add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
+ add_to_config "config.middleware.insert_after(ActionDispatch::ShowExceptions, Rack::Config)"
 boot!
 assert middleware.include?("Rack::Config")
- assert_not middleware.include?("Rack::Runtime")
+ assert_not middleware.include?("ActionDispatch::ShowExceptions")
 end
 test "includes exceptions middlewares even if action_dispatch.show_exceptions is disabled" do
@@ -218,12 +216,12 @@ module ApplicationTests
 test "Rails.cache does not respond to middleware" do
 add_to_config "config.cache_store = :memory_store"
 boot!
- assert_equal "Rack::Runtime", middleware.fourth
+ assert_equal "Rack::MethodOverride", middleware.fourth
 end
 test "Rails.cache does respond to middleware" do
 boot!
- assert_equal "Rack::Runtime", middleware.fifth
+ assert_equal "ActiveSupport::Cache::Strategy::LocalCache", middleware.fifth
 end
 test "insert middleware before" do |
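Review bot: The rewritten assertion in "Rails.cache does not respond to middleware" (the `@@ -218` hunk), `assert_equal "Rack::MethodOverride", middleware.fourth`, no longer distinguishes the two cases. Going by the expected list in the `@@ -27` hunk, `Rack::MethodOverride` is fourth whether or not the cache middleware is inserted, because the cache strategy now sits in fifth place. Before this change the fourth slot was exactly where the cache middleware would have appeared, so the old assertion did check its absence. Asserting on the slot that actually changes restores the check: `assert_equal "ActionDispatch::RequestId", middleware.fifth`, or more directly `assert_not middleware.include?("ActiveSupport::Cache::Strategy::LocalCache")`.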