From add060094c498c835c3dfc50ace2ebd8b8bdfbcb Mon Sep 17 00:00:00 2001
From: usa
Date: Sat, 9 Sep 2017 13:50:10 +0000
Subject: merge revision(s) 59693,59695: [Backport #13852] A HTTP Header value must not contain CR or LF. to_str -> to_s * lib/net/http/header.rb (set_field): `val` can not have `to_str`.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/net/http/header.rb | 32 ++++++++++++++++++++++++++++++--
 test/net/http/test_httpheader.rb | 11 +++++++++++
 version.h | 2 +-
 3 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index 5d99e8f070..7eee15e361 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -38,7 +38,7 @@ module Net::HTTPHeader
 @header.delete key.downcase
 return val
 end
- @header[key.downcase] = [val]
+ set_field(key, val)
 end
 
 # [Ruby 1.8.3]
@@ -58,12 +58,40 @@ module Net::HTTPHeader
 #
 def add_field(key, val)
 if @header.key?(key.downcase)
- @header[key.downcase].push val
+ append_field_value(@header[key.downcase], val)
 else
+ set_field(key, val)
+ end
+ end
+
+ private def set_field(key, val)
+ case val
+ when Enumerable
+ ary = []
+ append_field_value(ary, val)
+ @header[key.downcase] = ary
+ else
+ val = val.to_s
+ if /[\r\n]/ =~ val
+ raise ArgumentError, 'header field value cannnot include CR/LF'
+ end
 @header[key.downcase] = [val]
 end
 end
 
+ private def append_field_value(ary, val)
+ case val
+ when Enumerable
+ val.each{|x| append_field_value(ary, x)}
+ else
+ val = val.to_s
+ if /[\r\n]/ =~ val
+ raise ArgumentError, 'header field value cannnot include CR/LF'
+ end
+ ary.push val
+ end
+ end
+
 # [Ruby 1.8.3]
 # Returns an array of header field strings corresponding to the
 # case-insensitive +key+. This method allows you to get duplicated
diff --git a/test/net/http/test_httpheader.rb b/test/net/http/test_httpheader.rb
index 2f3a0f1157..983ed01d1d 100644
--- a/test/net/http/test_httpheader.rb
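Review bot: The CR/LF guard in `set_field` and `append_field_value` covers only `val`; `key` is still stored as `key.downcase` with no validation, so a field name carrying a line break is not rejected by this hunk. If names can ever come from untrusted input, the same guard belongs on the key, e.g. `raise ArgumentError, 'header field name cannot include CR/LF' if /[\r\n]/ =~ key.to_s`. Separately, `add_field` on an existing key hands the live array to `append_field_value`, so a nested value such as `['ok', "bad\n"]` pushes `'ok'` before raising and leaves the header partly modified; collecting into a temporary array and then `concat`-ing it keeps the update all-or-nothing. The message text also has a typo (`cannnot`). Any code outside these hunks that assigns `@header[...]` directly would bypass the check and is worth confirming.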
+++ b/test/net/http/test_httpheader.rb
@@ -40,6 +40,13 @@ class HTTPHeaderTest < Test::Unit::TestCase
 @c['aaA'] = 'aaa'
 @c['AAa'] = 'aaa'
 assert_equal 2, @c.length
+
+ @c['aaa'] = ['aaa', ['bbb', [3]]]
+ assert_equal 2, @c.length
+ assert_equal ['aaa', 'bbb', '3'], @c.get_fields('aaa')
+
+ assert_raise(ArgumentError){ @c['foo'] = "a\nb" }
+ assert_raise(ArgumentError){ @c['foo'] = ["a\nb"] }
 end
 
 def test_AREF
@@ -65,6 +72,10 @@ class HTTPHeaderTest < Test::Unit::TestCase
 @c.add_field 'My-Header', 'd, d'
 assert_equal 'a, b, c, d, d', @c['My-Header']
 assert_equal ['a', 'b', 'c', 'd, d'], @c.get_fields('My-Header')
+ assert_raise(ArgumentError){ @c.add_field 'My-Header', "d\nd" }
+ @c.add_field 'My-Header', ['e', ['f', 7]]
+ assert_equal 'a, b, c, d, d, e, f, 7', @c['My-Header']
+ assert_equal ['a', 'b', 'c', 'd, d', 'e', 'f', '7'], @c.get_fields('My-Header')
 end
 
 def test_get_fields
diff --git a/version.h b/version.h
index b174200ca5..c47039b75a 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.3.5"
 #define RUBY_RELEASE_DATE "2017-09-09"
-#define RUBY_PATCHLEVEL 365
+#define RUBY_PATCHLEVEL 366
 
 #define RUBY_RELEASE_YEAR 2017
 #define RUBY_RELEASE_MONTH 9
-- 
cgit v1.2.3
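Review bot: The new rejection tests exercise only LF (`"a\nb"` and `["a\nb"]` here, `"d\nd"` in the `add_field` hunk further down), although the guard is `/[\r\n]/`, so a bare CR and a CRLF pair are never checked. Adding `assert_raise(ArgumentError){ @c['foo'] = "a\rb" }` and `assert_raise(ArgumentError){ @c['foo'] = "a\r\nb" }` would pin both halves of the character class. The `add_field` test would also benefit from a case where a nested array has a valid element followed by a rejected one, asserting that `@c.get_fields('My-Header')` is unchanged afterwards; the existing assertions only imply that for the scalar case. Both enclosing test methods begin outside their hunks.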