From 48d780285894ecc3f0919e83b92a9c3f235d2632 Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 8 Sep 2017 14:27:38 +0000
Subject: merge revision(s) 59693,59695: [Backport #13852]

	A HTTP Header value must not contain CR or LF.
	to_str -> to_s

	* lib/net/http/header.rb (set_field): `val` can not have `to_str`.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@59783 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/net/http/header.rb           | 32 ++++++++++++++++++++++++++++++--
 test/net/http/test_httpheader.rb | 11 +++++++++++
 version.h                        |  2 +-
 3 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index 63a163afbd..4777ebf82a 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -42,7 +42,7 @@ module Net::HTTPHeader
       @header.delete key.downcase
       return val
     end
-    @header[key.downcase] = [val]
+    set_field(key, val)
   end
 
   # [Ruby 1.8.3]
@@ -62,12 +62,40 @@ module Net::HTTPHeader
   #
   def add_field(key, val)
     if @header.key?(key.downcase)
-      @header[key.downcase].push val
+      append_field_value(@header[key.downcase], val)
     else
+      set_field(key, val)
+    end
+  end
+
+  private def set_field(key, val)
+    case val
+    when Enumerable
+      ary = []
+      append_field_value(ary, val)
+      @header[key.downcase] = ary
+    else
+      val = val.to_s
+      if /[\r\n]/.match?(val)
+        raise ArgumentError, 'header field value cannnot include CR/LF'
+      end
       @header[key.downcase] = [val]
     end
   end
 
+  private def append_field_value(ary, val)
+    case val
+    when Enumerable
+      val.each{|x| append_field_value(ary, x)}
+    else
+      val = val.to_s
+      if /[\r\n]/.match?(val)
+        raise ArgumentError, 'header field value cannnot include CR/LF'
+      end
+      ary.push val
+    end
+  end
+
   # [Ruby 1.8.3]
   # Returns an array of header field strings corresponding to the
   # case-insensitive +key+.  This method allows you to get duplicated
diff --git a/test/net/http/test_httpheader.rb b/test/net/http/test_httpheader.rb
index 99c47cac93..0a2c57dcb8 100644
--- a/test/net/http/test_httpheader.rb
+++ b/test/net/http/test_httpheader.rb
@@ -40,6 +40,13 @@ class HTTPHeaderTest < Test::Unit::TestCase
     @c['aaA'] = 'aaa'
     @c['AAa'] = 'aaa'
     assert_equal 2, @c.length
+
+    @c['aaa'] = ['aaa', ['bbb', [3]]]
+    assert_equal 2, @c.length
+    assert_equal ['aaa', 'bbb', '3'], @c.get_fields('aaa')
+
+    assert_raise(ArgumentError){ @c['foo'] = "a\nb" }
+    assert_raise(ArgumentError){ @c['foo'] = ["a\nb"] }
   end
 
   def test_AREF
@@ -65,6 +72,10 @@ class HTTPHeaderTest < Test::Unit::TestCase
     @c.add_field 'My-Header', 'd, d'
     assert_equal 'a, b, c, d, d', @c['My-Header']
     assert_equal ['a', 'b', 'c', 'd, d'], @c.get_fields('My-Header')
+    assert_raise(ArgumentError){ @c.add_field 'My-Header', "d\nd" }
+    @c.add_field 'My-Header', ['e', ['f', 7]]
+    assert_equal 'a, b, c, d, d, e, f, 7', @c['My-Header']
+    assert_equal ['a', 'b', 'c', 'd, d', 'e', 'f', '7'], @c.get_fields('My-Header')
   end
 
   def test_get_fields
diff --git a/version.h b/version.h
index 00799969bf..e9fe8e67f5 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.4.2"
 #define RUBY_RELEASE_DATE "2017-09-08"
-#define RUBY_PATCHLEVEL 182
+#define RUBY_PATCHLEVEL 183
 
 #define RUBY_RELEASE_YEAR 2017
 #define RUBY_RELEASE_MONTH 9
-- 
cgit v1.2.3