diff options
Diffstat (limited to 'test/cgi/test_cgi_cookie.rb')
-rw-r--r-- | test/cgi/test_cgi_cookie.rb | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb index 115a57e4a1..eadae45313 100644 --- a/test/cgi/test_cgi_cookie.rb +++ b/test/cgi/test_cgi_cookie.rb @@ -60,6 +60,27 @@ class CGICookieTest < Test::Unit::TestCase end + def test_cgi_cookie_new_with_domain + h = {'name'=>'name1', 'value'=>'value1'} + cookie = CGI::Cookie.new(h.merge('domain'=>'a.example.com')) + assert_equal('a.example.com', cookie.domain) + + cookie = CGI::Cookie.new(h.merge('domain'=>'.example.com')) + assert_equal('.example.com', cookie.domain) + + cookie = CGI::Cookie.new(h.merge('domain'=>'1.example.com')) + assert_equal('1.example.com', cookie.domain, 'enhanced by RFC 1123') + + assert_raise(ArgumentError) { + CGI::Cookie.new(h.merge('domain'=>'-a.example.com')) + } + + assert_raise(ArgumentError) { + CGI::Cookie.new(h.merge('domain'=>'a-.example.com')) + } + end + + def test_cgi_cookie_scriptname cookie = CGI::Cookie.new('name1', 'value1') assert_equal('', cookie.path) @@ -101,6 +122,11 @@ class CGICookieTest < Test::Unit::TestCase end end + def test_cgi_cookie_parse_not_decode_name + cookie_str = "%66oo=baz;foo=bar" + cookies = CGI::Cookie.parse(cookie_str) + assert_equal({"%66oo" => ["baz"], "foo" => ["bar"]}, cookies) + end def test_cgi_cookie_arrayinterface cookie = CGI::Cookie.new('name1', 'a', 'b', 'c') @@ -113,6 +139,70 @@ class CGICookieTest < Test::Unit::TestCase end + def test_cgi_cookie_domain_injection_into_name + name = "a=b; domain=example.com;" + path = "/" + domain = "example.jp" + assert_raise(ArgumentError) do + CGI::Cookie.new('name' => name, + 'value' => "value", + 'domain' => domain, + 'path' => path) + end + end + + + def test_cgi_cookie_newline_injection_into_name + name = "a=b;\r\nLocation: http://example.com#" + path = "/" + domain = "example.jp" + assert_raise(ArgumentError) do + CGI::Cookie.new('name' => name, + 'value' => "value", + 'domain' => domain, + 'path' => path) + end + end + + + def test_cgi_cookie_multibyte_injection_into_name + name = "a=b;\u3042" + path = "/" + domain = "example.jp" + assert_raise(ArgumentError) do + CGI::Cookie.new('name' => name, + 'value' => "value", + 'domain' => domain, + 'path' => path) + end + end + + + def test_cgi_cookie_injection_into_path + name = "name" + path = "/; samesite=none" + domain = "example.jp" + assert_raise(ArgumentError) do + CGI::Cookie.new('name' => name, + 'value' => "value", + 'domain' => domain, + 'path' => path) + end + end + + + def test_cgi_cookie_injection_into_domain + name = "name" + path = "/" + domain = "example.jp; samesite=none" + assert_raise(ArgumentError) do + CGI::Cookie.new('name' => name, + 'value' => "value", + 'domain' => domain, + 'path' => path) + end + end + instance_methods.each do |method| private method if method =~ /^test_(.*)/ && $1 != ENV['TEST'] |