ruby-changes:44189
From: naruse <ko1@a...>
Date: Tue, 27 Sep 2016 12:17:57 +0900 (JST)
Subject: [ruby-changes:44189] naruse:r56262 (trunk): * lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]
naruse 2016-09-27 12:17:47 +0900 (Tue, 27 Sep 2016) New Revision: 56262 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=56262 Log: * lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791] * lib/webrick/cookie.rb (parse): ditto. Modified files: trunk/ChangeLog trunk/NEWS trunk/lib/cgi/cookie.rb trunk/lib/webrick/cookie.rb trunk/test/cgi/test_cgi_cookie.rb trunk/test/webrick/test_cookie.rb
Index: lib/cgi/cookie.rb
===================================================================
--- lib/cgi/cookie.rb (revision 56261)
+++ lib/cgi/cookie.rb (revision 56262)
@@ -162,7 +162,7 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/cookie.rb#L162
 cookies = Hash.new([])
 return cookies unless raw_cookie
- raw_cookie.split(/[;,]\s?/).each do |pairs|
+ raw_cookie.split(/;\s?/).each do |pairs|
 name, values = pairs.split('=',2)
 next unless name and values
 name = CGI.unescape(name)
Index: lib/webrick/cookie.rb
===================================================================
--- lib/webrick/cookie.rb (revision 56261)
+++ lib/webrick/cookie.rb (revision 56262)
@@ -113,7 +113,7 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/lib/webrick/cookie.rb#L113
 ret = []
 cookie = nil
 ver = 0
- str.split(/[;,]\s+/).each{|x|
+ str.split(/;\s+/).each{|x|
 key, val = x.split(/=/,2)
 val = val ? HTTPUtils::dequote(val) : ""
 case key
Index: ChangeLog
===================================================================
--- ChangeLog (revision 56261)
+++ ChangeLog (revision 56262)
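Review bot: The new separator `/;\s?/` consumes at most one whitespace character after the semicolon, so a header such as `a=1;  b=2` (two spaces, or a tab and a space) yields a pair that starts with whitespace, and `CGI.unescape(name)` two lines below does not strip it, so the key becomes `" b"` rather than `"b"`. Browsers emit exactly `"; "` per RFC 6265, so this mostly bites hand-built or non-browser clients, but a tolerant parser would read `raw_cookie.split(/;\s*/).each do |pairs|`. This is also stricter than the WEBrick parser in the same commit, which requires at least one whitespace character (`/;\s+/`) and therefore treats `a=1;b=2` as one cookie where this parser treats it as two; if that divergence is intentional, a one-line comment on the split saying so would save the next reader the comparison. The `parse` method this hunk belongs to starts and ends outside the hunk.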
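Review bot: `str.split(/;\s+/)` still requires at least one whitespace character after `;`, so a Cookie header without the RFC 6265 `"; "` spacing (`a=1;b=2`) is not split at all and the first cookie's value becomes `1;b=2`. Whether that is intended should be stated rather than implied: either loosen it to `str.split(/;\s*/).each{|x|` or document it on the line, e.g. `# RFC 6265 cookie-string is "; "-separated; ',' is cookie data, not a separator (Bug #12791)`. The `test_parse_no_whitespace` test that appears in test/webrick/test_cookie.rb in this same commit may already pin the current no-whitespace behaviour, so check it before changing the pattern. The enclosing `parse` method continues outside the hunk on both sides.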
@@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Tue Sep 27 12:07:17 2016 NARUSE, Yui <naruse@r...>
+
+ * lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]
+
+ * lib/webrick/cookie.rb (parse): ditto.
+
 Mon Sep 26 21:37:21 2016 Akinori MUSHA <knu@i...>
 * man/erb.1, man/irb.1, man/ri.1, man/ruby.1: Remove Ns before
Index: NEWS
===================================================================
--- NEWS (revision 56261)
+++ NEWS (revision 56262)
@@ -119,6 +119,10 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L119
 === Stdlib updates (outstanding ones only)
+* CGI
+
+ * Don't allow , as a separator [Bug #12791]
+
 * CSV
 * Add a liberal_parsing option. [Feature #11839]
@@ -139,6 +143,10 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L143
 * Add an into option. [Feature #11191]
+* WEBrick
+
+ * Don't allow , as a separator [Bug #12791]
+
 === Compatibility issues (excluding feature bug fixes)
 * Array#sum and Enumerable#sum are implemented. [Feature #12217]
Index: test/webrick/test_cookie.rb
===================================================================
--- test/webrick/test_cookie.rb (revision 56261)
+++ test/webrick/test_cookie.rb (revision 56262)
@@ -49,11 +49,20 @@ class TestWEBrickCookie < Test::Unit::Te https://github.com/ruby/ruby/blob/trunk/test/webrick/test_cookie.rb#L49
 data = "hoge=moge; __div__session=9865ecfd514be7f7"
 cookies = WEBrick::Cookie.parse(data)
+ assert_equal(2, cookies.size)
 assert_equal(0, cookies[0].version)
 assert_equal("hoge", cookies[0].name)
 assert_equal("moge", cookies[0].value)
 assert_equal("__div__session", cookies[1].name)
 assert_equal("9865ecfd514be7f7", cookies[1].value)
+
+ # don't allow ,-separator
+ data = "hoge=moge, __div__session=9865ecfd514be7f7"
+ cookies = WEBrick::Cookie.parse(data)
+ assert_equal(1, cookies.size)
+ assert_equal(0, cookies[0].version)
+ assert_equal("hoge", cookies[0].name)
+ assert_equal("moge, __div__session=9865ecfd514be7f7", cookies[0].value)
 end
 def test_parse_no_whitespace
Index: test/cgi/test_cgi_cookie.rb
===================================================================
--- test/cgi/test_cgi_cookie.rb (revision 56261)
+++ test/cgi/test_cgi_cookie.rb (revision 56262)
@@ -88,9 +88,12 @@ class CGICookieTest < Test::Unit::TestCa https://github.com/ruby/ruby/blob/trunk/test/cgi/test_cgi_cookie.rb#L88
 assert_equal(name, cookie.name)
 assert_equal(value, cookie.value)
 end
- ## ',' separator
- cookie_str = 'name1=val1&val2, name2=val2&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93,_session_id=12345'
+ ## don't allow ',' separator
+ cookie_str = 'name1=val1&val2, name2=val2'
 cookies = CGI::Cookie.parse(cookie_str)
+ list = [
+ ['name1', ['val1', 'val2, name2=val2']],
+ ]
 list.each do |name, value|
 cookie = cookies[name]
 assert_equal(name, cookie.name)
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
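Review bot: The replacement fixture `'name1=val1&val2, name2=val2'` drops the `,_session_id=12345` tail of the old string, so the comma-without-space form is no longer exercised, and unlike the WEBrick test in this commit nothing here asserts how many cookies were parsed. Suggest keeping both comma forms in the input, `cookie_str = 'name1=val1&val2, name2=val2,_session_id=12345'`, with the expectation `['name1', ['val1', 'val2, name2=val2,_session_id=12345']]`, and adding `assert_equal(1, cookies.size)` after the `CGI::Cookie.parse` call (assuming the returned hash holds only parsed names, as `Hash.new([])` in lib/cgi/cookie.rb suggests). The expected value relies on the same `&`-splitting of values that the existing `list` entry already assumes. The test method this hunk belongs to starts and ends outside the hunk.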