merge revision(s) 61359: [Backport #14208]

	raise error if value contains CR/LF in iniheader of initialize_http_header

	like r59693, initialize_http_header also should raise error. [Bug #14208]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62939 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

3 files changed, 24 insertions, 5 deletions

diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index 50580658d0..fd81b44a74 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -15,7 +15,11 @@ module Net::HTTPHeader
     return unless initheader
     initheader.each do |key, value|
       warn "net/http: warning: duplicated HTTP header: #{key}" if key?(key) and $VERBOSE
-      @header[key.downcase] = [value.strip]
+      value = value.strip # raise error for invalid byte sequences
+      if value.count("\r\n") > 0
+        raise ArgumentError, 'header field value cannot include CR/LF'
+      end
+      @header[key.downcase] = [value]
     end
   end
 
@@ -71,9 +75,9 @@ module Net::HTTPHeader
       append_field_value(ary, val)
       @header[key.downcase] = ary
     else
-      val = val.to_s
-      if /[\r\n]/n =~ val.b
-        raise ArgumentError, 'header field value cannnot include CR/LF'
+      val = val.to_s # for compatibility use to_s instead of to_str
+      if val.b.count("\r\n") > 0
+          raise ArgumentError, 'header field value cannnot include CR/LF'
       end
       @header[key.downcase] = [val]
     end
diff --git a/test/net/http/test_httpheader.rb b/test/net/http/test_httpheader.rb
index 85fd3a3fec..9a05abb975 100644
--- a/test/net/http/test_httpheader.rb
+++ b/test/net/http/test_httpheader.rb
@@ -16,6 +16,21 @@ class HTTPHeaderTest < Test::Unit::TestCase
     @c = C.new
   end
 
+  def test_initialize
+    @c.initialize_http_header("foo"=>"abc")
+    assert_equal "abc", @c["foo"]
+    @c.initialize_http_header("foo"=>"abc", "bar"=>"xyz")
+    assert_equal "xyz", @c["bar"]
+    @c.initialize_http_header([["foo", "abc"]])
+    assert_equal "abc", @c["foo"]
+    @c.initialize_http_header([["foo", "abc"], ["bar","xyz"]])
+    assert_equal "xyz", @c["bar"]
+    assert_raise(NoMethodError){ @c.initialize_http_header("foo"=>[]) }
+    assert_raise(ArgumentError){ @c.initialize_http_header("foo"=>"a\nb") }
+    assert_raise(ArgumentError){ @c.initialize_http_header("foo"=>"a\rb") }
+    assert_raise(ArgumentError){ @c.initialize_http_header("foo"=>"a\xff") }
+  end
+
   def test_size
     assert_equal 0, @c.size
     @c['a'] = 'a'
diff --git a/version.h b/version.h
index 6af3748f99..0f5682ba3e 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.3.7"
 #define RUBY_RELEASE_DATE "2018-03-28"
-#define RUBY_PATCHLEVEL 435
+#define RUBY_PATCHLEVEL 436
 
 #define RUBY_RELEASE_YEAR 2018
 #define RUBY_RELEASE_MONTH 3