webrick: fix non-ascii escape bugs

* lib/webrick/htmlutils.rb (WEBrick::HTMLUtils#escape): replace HTML
  meta chars even in non-ascii string.  [Bug #8425] [ruby-core:55052]
* lib/webrick/httputils.rb (WEBrick::HTTPUtils#{_escape,_unescape}):
  fix %-escape encodings.  [Bug #8425] [ruby-core:55052]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40848 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

2 files changed, 15 insertions, 4 deletions

diff --git a/lib/webrick/htmlutils.rb b/lib/webrick/htmlutils.rb
index ed901f1ce2..4cb3d0d7f6 100644
--- a/lib/webrick/htmlutils.rb
+++ b/lib/webrick/htmlutils.rb
@@ -15,12 +15,13 @@ module WEBrick
     # Escapes &, ", > and < in +string+
 
     def escape(string)
-      str = string ? string.dup : ""
+      return "" unless string
+      str = string.b
       str.gsub!(/&/n, '&amp;')
       str.gsub!(/\"/n, '&quot;')
       str.gsub!(/>/n, '&gt;')
       str.gsub!(/</n, '&lt;')
-      str
+      str.force_encoding(string.encoding)
     end
     module_function :escape
 
diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb
index a0ca3a48c7..a5f0632b86 100644
--- a/lib/webrick/httputils.rb
+++ b/lib/webrick/httputils.rb
@@ -437,8 +437,18 @@ module WEBrick
 
     def _make_regex(str) /([#{Regexp.escape(str)}])/n end
     def _make_regex!(str) /([^#{Regexp.escape(str)}])/n end
-    def _escape(str, regex) str.gsub(regex){ "%%%02X" % $1.ord } end
-    def _unescape(str, regex) str.gsub(regex){ $1.hex.chr } end
+    def _escape(str, regex)
+      str = str.b
+      str.gsub!(regex) {"%%%02X" % $1.ord}
+      # %-escaped string should contain US-ASCII only
+      str.force_encoding(Encoding::US_ASCII)
+    end
+    def _unescape(str, regex)
+      str = str.b
+      str.gsub!(regex) {$1.hex.chr}
+      # encoding of %-unescaped string is unknown
+      str
+    end
 
     UNESCAPED = _make_regex(control+space+delims+unwise+nonascii)
     UNESCAPED_FORM = _make_regex(reserved+control+delims+unwise+nonascii)