summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authornaruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-09-27 03:17:47 +0000
committernaruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-09-27 03:17:47 +0000
commit5f33c6b0f5e7a0e5cb849e791adced2528df3227 (patch)
tree2db80de700359282ce0101a6948e361767c3dda5
parentf0137ba8cdd805249a55d371aa2309f5622b7f70 (diff)
* lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]
* lib/webrick/cookie.rb (parse): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56262 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog6
-rw-r--r--NEWS8
-rw-r--r--lib/cgi/cookie.rb2
-rw-r--r--lib/webrick/cookie.rb2
-rw-r--r--test/cgi/test_cgi_cookie.rb7
-rw-r--r--test/webrick/test_cookie.rb9
6 files changed, 30 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 008f7b7..88af16d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Tue Sep 27 12:07:17 2016 NARUSE, Yui <naruse@ruby-lang.org>
+
+ * lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]
+
+ * lib/webrick/cookie.rb (parse): ditto.
+
Mon Sep 26 21:37:21 2016 Akinori MUSHA <knu@iDaemons.org>
* man/erb.1, man/irb.1, man/ri.1, man/ruby.1: Remove Ns before
diff --git a/NEWS b/NEWS
index dd97df3..c8077e3 100644
--- a/NEWS
+++ b/NEWS
@@ -119,6 +119,10 @@ with all sufficient information, see the ChangeLog file or Redmine
=== Stdlib updates (outstanding ones only)
+* CGI
+
+ * Don't allow , as a separator [Bug #12791]
+
* CSV
* Add a liberal_parsing option. [Feature #11839]
@@ -139,6 +143,10 @@ with all sufficient information, see the ChangeLog file or Redmine
* Add an into option. [Feature #11191]
+* WEBrick
+
+ * Don't allow , as a separator [Bug #12791]
+
=== Compatibility issues (excluding feature bug fixes)
* Array#sum and Enumerable#sum are implemented. [Feature #12217]
diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
index ffd88b8..4cc050b 100644
--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
@@ -162,7 +162,7 @@ class CGI
cookies = Hash.new([])
return cookies unless raw_cookie
- raw_cookie.split(/[;,]\s?/).each do |pairs|
+ raw_cookie.split(/;\s?/).each do |pairs|
name, values = pairs.split('=',2)
next unless name and values
name = CGI.unescape(name)
diff --git a/lib/webrick/cookie.rb b/lib/webrick/cookie.rb
index 16f8d21..24bf92e 100644
--- a/lib/webrick/cookie.rb
+++ b/lib/webrick/cookie.rb
@@ -113,7 +113,7 @@ module WEBrick
ret = []
cookie = nil
ver = 0
- str.split(/[;,]\s+/).each{|x|
+ str.split(/;\s+/).each{|x|
key, val = x.split(/=/,2)
val = val ? HTTPUtils::dequote(val) : ""
case key
diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb
index ae7b14a..ca81e41 100644
--- a/test/cgi/test_cgi_cookie.rb
+++ b/test/cgi/test_cgi_cookie.rb
@@ -88,9 +88,12 @@ class CGICookieTest < Test::Unit::TestCase
assert_equal(name, cookie.name)
assert_equal(value, cookie.value)
end
- ## ',' separator
- cookie_str = 'name1=val1&val2, name2=val2&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93,_session_id=12345'
+ ## don't allow ',' separator
+ cookie_str = 'name1=val1&val2, name2=val2'
cookies = CGI::Cookie.parse(cookie_str)
+ list = [
+ ['name1', ['val1', 'val2, name2=val2']],
+ ]
list.each do |name, value|
cookie = cookies[name]
assert_equal(name, cookie.name)
diff --git a/test/webrick/test_cookie.rb b/test/webrick/test_cookie.rb
index ebbc593..e46185f 100644
--- a/test/webrick/test_cookie.rb
+++ b/test/webrick/test_cookie.rb
@@ -49,11 +49,20 @@ class TestWEBrickCookie < Test::Unit::TestCase
data = "hoge=moge; __div__session=9865ecfd514be7f7"
cookies = WEBrick::Cookie.parse(data)
+ assert_equal(2, cookies.size)
assert_equal(0, cookies[0].version)
assert_equal("hoge", cookies[0].name)
assert_equal("moge", cookies[0].value)
assert_equal("__div__session", cookies[1].name)
assert_equal("9865ecfd514be7f7", cookies[1].value)
+
+ # don't allow ,-separator
+ data = "hoge=moge, __div__session=9865ecfd514be7f7"
+ cookies = WEBrick::Cookie.parse(data)
+ assert_equal(1, cookies.size)
+ assert_equal(0, cookies[0].version)
+ assert_equal("hoge", cookies[0].name)
+ assert_equal("moge, __div__session=9865ecfd514be7f7", cookies[0].value)
end
def test_parse_no_whitespace