Diffstat (limited to 'test/cgi/test_cgi_header.rb')
| -rw-r--r-- | test/cgi/test_cgi_header.rb | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb index 9022301153..ec2f4deb72 100644 --- a/test/cgi/test_cgi_header.rb +++ b/test/cgi/test_cgi_header.rb @@ -1,23 +1,26 @@ +# frozen_string_literal: true require 'test/unit' require 'cgi' require 'time' +require_relative 'update_env' class CGIHeaderTest < Test::Unit::TestCase + include UpdateEnv def setup - @environ = { + @environ = {} + update_env( 'SERVER_PROTOCOL' => 'HTTP/1.1', 'REQUEST_METHOD' => 'GET', 'SERVER_SOFTWARE' => 'Apache 2.2.0', - } - ENV.update(@environ) + ) end def teardown - @environ.each do |key, val| ENV.delete(key) end + ENV.update(@environ) end @@ -55,7 +58,7 @@ class CGIHeaderTest < Test::Unit::TestCase 'expires' => Time.gm(2000, 1, 23, 12, 34, 56), 'location' => 'http://www.ruby-lang.org/', } - expected = "Status: 302 Found\r\n" + expected = "Status: 302 Found\r\n".dup expected << "Server: webrick\r\n" expected << "Connection: close\r\n" expected << "Content-Type: text/xhtml; charset=utf8\r\n" @@ -113,7 +116,7 @@ class CGIHeaderTest < Test::Unit::TestCase CGI::Cookie.new('name'=>'name2', 'value'=>'value2', 'secure'=>true), ] cgi.instance_variable_set('@output_cookies', cookies) - expected = "Content-Type: text/html; charset=utf8\r\n" + expected = "Content-Type: text/html; charset=utf8\r\n".dup expected << "Set-Cookie: name1=abc&123; path=\r\n" expected << "Set-Cookie: name2=value2; path=; secure\r\n" expected << "\r\n" 
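Review bot: In the first hunk, `teardown` now calls `ENV.update(@environ)` while `setup` leaves `@environ` as `{}`, so cleanup only works if `update_env` records the previous values of the keys it overwrites into `@environ`. That helper comes from the required `update_env` file and is not visible in this diff, so the contract cannot be confirmed from here. If it does not populate `@environ`, `SERVER_PROTOCOL`, `REQUEST_METHOD` and `SERVER_SOFTWARE` would stay set for later test cases. A short comment above the call in `setup`, for example `# update_env stores the prior ENV values in @environ; teardown restores them`, would make the dependency readable at this site.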
@@ -144,11 +147,11 @@ class CGIHeaderTest < Test::Unit::TestCase date = /^Date: ([A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d\d:\d\d:\d\d GMT)\r\n/ [actual1, actual2, actual3].each do |actual| assert_match(date, actual) - assert_includes(time_start..time_end, date =~ actual && Time.parse($1).to_i) + assert_include(time_start..time_end, date =~ actual && Time.parse($1).to_i) actual.sub!(date, "Date: DATE_IS_REMOVED\r\n") end ## assertion - expected = "HTTP/1.1 200 OK\r\n" + expected = "HTTP/1.1 200 OK\r\n".dup expected << "Date: DATE_IS_REMOVED\r\n" expected << "Server: Apache 2.2.0\r\n" expected << "Connection: close\r\n" @@ -160,10 +163,10 @@ class CGIHeaderTest < Test::Unit::TestCase expected.sub!(/^HTTP\/1.1 200 OK\r\n/, "HTTP/1.1 302 Found\r\n") expected.sub!(/\r\n\r\n/, "\r\nlocation: http://www.example.com/\r\n\r\n") assert_equal(expected, actual3) - expected = "Content-Type: text/html\r\n" + expected = "Content-Type: text/html\r\n".dup expected << "\r\n" assert_equal(expected, actual4) - expected = "Status: 302 Found\r\n" + expected = "Status: 302 Found\r\n".dup expected << "Content-Type: text/html\r\n" expected << "location: http://www.example.com/\r\n" expected << "\r\n" @@ -173,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase end + def test_cgi_http_header_crlf_injection + cgi = CGI.new + assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") } + assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") } + assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") } + assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") } + end + instance_methods.each do |method| private method if method =~ /^test_(.*)/ && $1 != ENV['TEST'] |
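Review bot: The new `test_cgi_http_header_crlf_injection` only pins the combined `\r\n` sequence, and only for the bare content-type string, `type`, `status` and `location`. A lone `\n` or lone `\r` is not exercised, nor are the other options that end up in header lines in this same file (`server`, `connection`, `charset`, cookies). The check itself is not in this diff, so whether it covers those cases is unknown; if it is meant to, add cases such as `assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\nBOO") }` and `assert_raise(RuntimeError) { cgi.http_header("server" => "webrick\r\nBOO") }`. Asserting a bare `RuntimeError` also lets any unrelated `raise` inside `http_header` satisfy the test, so matching the error message would tie the assertion to the header check.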
