-rw-r--r--ChangeLog6
-rw-r--r--NEWS8
-rw-r--r--lib/cgi/cookie.rb2
-rw-r--r--lib/webrick/cookie.rb2
-rw-r--r--test/cgi/test_cgi_cookie.rb7
-rw-r--r--test/webrick/test_cookie.rb9
6 files changed, 30 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 008f7b78b0..88af16d548 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Tue Sep 27 12:07:17 2016 NARUSE, Yui <naruse@ruby-lang.org>
+
+ * lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]
+
+ * lib/webrick/cookie.rb (parse): ditto.
+
Mon Sep 26 21:37:21 2016 Akinori MUSHA <knu@iDaemons.org>
* man/erb.1, man/irb.1, man/ri.1, man/ruby.1: Remove Ns before
diff --git a/NEWS b/NEWS
index dd97df3b20..c8077e3e26 100644
--- a/NEWS
+++ b/NEWS
@@ -119,6 +119,10 @@ with all sufficient information, see the ChangeLog file or Redmine
=== Stdlib updates (outstanding ones only)
+* CGI
+
+ * Don't allow , as a separator [Bug #12791]
+
* CSV
* Add a liberal_parsing option. [Feature #11839]
@@ -139,6 +143,10 @@ with all sufficient information, see the ChangeLog file or Redmine
* Add an into option. [Feature #11191]
+* WEBrick
+
+ * Don't allow , as a separator [Bug #12791]
+
=== Compatibility issues (excluding feature bug fixes)
* Array#sum and Enumerable#sum are implemented. [Feature #12217]
diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
index ffd88b8edb..4cc050b90d 100644
--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
@@ -162,7 +162,7 @@ class CGI
cookies = Hash.new([])
return cookies unless raw_cookie
- raw_cookie.split(/[;,]\s?/).each do |pairs|
+ raw_cookie.split(/;\s?/).each do |pairs|
name, values = pairs.split('=',2)
next unless name and values
name = CGI.unescape(name)
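Review bot: The new `raw_cookie.split(/;\s?/)` line carries no explanation of why `,` was dropped from the separator set, so the only record of the reasoning is the ChangeLog entry and a later maintainer could "restore" the older comma separator. Suggest a comment directly above it: `# RFC 6265 cookie-string is cookie-pair *("; " cookie-pair); a ',' is part of the value and must not split pairs. [Bug #12791]`. The same comment belongs on the `str.split(/;\s+/)` line in the lib/webrick/cookie.rb hunk. Note that the two parsers still differ on whether a bare `;` with no following whitespace splits (`\s?` in CGI, `\s+` in WEBrick); that difference is pre-existing and may be intentional, but it is worth confirming they are meant to diverge. The enclosing parse method starts and ends outside the hunk.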
diff --git a/lib/webrick/cookie.rb b/lib/webrick/cookie.rb
index 16f8d21827..24bf92ec00 100644
--- a/lib/webrick/cookie.rb
+++ b/lib/webrick/cookie.rb
@@ -113,7 +113,7 @@ module WEBrick
ret = []
cookie = nil
ver = 0
- str.split(/[;,]\s+/).each{|x|
+ str.split(/;\s+/).each{|x|
key, val = x.split(/=/,2)
val = val ? HTTPUtils::dequote(val) : ""
case key
diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb
index ae7b14a4dd..ca81e41133 100644
--- a/test/cgi/test_cgi_cookie.rb
+++ b/test/cgi/test_cgi_cookie.rb
@@ -88,9 +88,12 @@ class CGICookieTest < Test::Unit::TestCase
assert_equal(name, cookie.name)
assert_equal(value, cookie.value)
end
- ## ',' separator
- cookie_str = 'name1=val1&val2, name2=val2&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93,_session_id=12345'
+ ## don't allow ',' separator
+ cookie_str = 'name1=val1&val2, name2=val2'
cookies = CGI::Cookie.parse(cookie_str)
+ list = [
+ ['name1', ['val1', 'val2, name2=val2']],
+ ]
list.each do |name, value|
cookie = cookies[name]
assert_equal(name, cookie.name)
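Review bot: The rewritten test pins the joined value of `name1` but never asserts the cookie count, so the intent "no second cookie is created from the comma" is only implied; the WEBrick counterpart makes it explicit with `assert_equal(1, cookies.size)`. Mirror it here after the `cookies = CGI::Cookie.parse(cookie_str)` line with `assert_equal(1, cookies.size)`. This matters because `cookies` is built as `Hash.new([])` (visible in the lib/cgi/cookie.rb hunk), so a lookup of a stray `name2` would return the default `[]` rather than `nil` and a presence check alone would be easy to get wrong. The enclosing test method starts and ends outside the hunk.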
diff --git a/test/webrick/test_cookie.rb b/test/webrick/test_cookie.rb
index ebbc5939dc..e46185f127 100644
--- a/test/webrick/test_cookie.rb
+++ b/test/webrick/test_cookie.rb
@@ -49,11 +49,20 @@ class TestWEBrickCookie < Test::Unit::TestCase
data = "hoge=moge; __div__session=9865ecfd514be7f7"
cookies = WEBrick::Cookie.parse(data)
+ assert_equal(2, cookies.size)
assert_equal(0, cookies[0].version)
assert_equal("hoge", cookies[0].name)
assert_equal("moge", cookies[0].value)
assert_equal("__div__session", cookies[1].name)
assert_equal("9865ecfd514be7f7", cookies[1].value)
+
+ # don't allow ,-separator
+ data = "hoge=moge, __div__session=9865ecfd514be7f7"
+ cookies = WEBrick::Cookie.parse(data)
+ assert_equal(1, cookies.size)
+ assert_equal(0, cookies[0].version)
+ assert_equal("hoge", cookies[0].name)
+ assert_equal("moge, __div__session=9865ecfd514be7f7", cookies[0].value)
end
def test_parse_no_whitespace