cgi 0.2.1 → 0.2.2

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f183a3260e82566353d9db4cb76de8d723bacf7d4daa78395f952855a5959c37
4
- data.tar.gz: 5a765bf05577575a44ae31338a8cd7cdec8f195aeb443a3cad900a4668bbdd78
3
+ metadata.gz: ace24be8534275d31cbc0f26323f6240fe2bad4e848a0bf299ab0c7b3ef4f23c
4
+ data.tar.gz: d2e454f42196b2bda9a5923014d4d067a3429d414c1c9445fed80fc4a7cc0773
5
5
  SHA512:
6
- metadata.gz: 797faf906f497d31c332bbc5af7fabee946027e07b4f887ecc808deb111316a627f489d65e76d05245515403079ce7731ada777dc656ba8b6c167dd31ec3ca15
7
- data.tar.gz: 229d5e80117e4e8162a5b4a1c4b0fb8b4cbbf8cf3282721de720161dac2ebf92ccb21dece53dba50ef78c05ce1d295e314c7967dbc0061a3981ce43a515757dc
6
+ metadata.gz: edaff93f2331fb886bdbd1dd5a03b1a53ae07af4d42136cf8852ab717aa4d458a96fe459ba07869072e0d580aa083ae8ac47fac5aea0cabc2a347afbf38ac4db
7
+ data.tar.gz: 0fa14edc91fe176241d0efc71bd4dfd834135f093507cb2b2410934f469bd19a4538664651a86aa9fc2ae035e7efd6a159cf1752beffef01d57327cab4d76500
@@ -389,7 +389,7 @@ cgiesc_unescape(int argc, VALUE *argv, VALUE self)
389
389
  void
390
390
  Init_escape(void)
391
391
  {
392
- #if HAVE_RB_EXT_RACTOR_SAFE
392
+ #ifdef HAVE_RB_EXT_RACTOR_SAFE
393
393
  rb_ext_ractor_safe(true);
394
394
  #endif
395
395
 
data/lib/cgi/cookie.rb CHANGED
@@ -40,6 +40,10 @@ class CGI
40
40
  class Cookie < Array
41
41
  @@accept_charset="UTF-8" unless defined?(@@accept_charset)
42
42
 
43
+ TOKEN_RE = %r"\A[[!-~]&&[^()<>@,;:\\\"/?=\[\]{}]]+\z"
44
+ PATH_VALUE_RE = %r"\A[[ -~]&&[^;]]*\z"
45
+ DOMAIN_VALUE_RE = %r"\A(?<label>(?!-)[-A-Za-z0-9]+(?<!-))(?:\.\g<label>)*\z"
46
+
43
47
  # Create a new CGI::Cookie object.
44
48
  #
45
49
  # :call-seq:
@@ -72,8 +76,8 @@ class CGI
72
76
  @domain = nil
73
77
  @expires = nil
74
78
  if name.kind_of?(String)
75
- @name = name
76
- @path = (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
79
+ self.name = name
80
+ self.path = (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
77
81
  @secure = false
78
82
  @httponly = false
79
83
  return super(value)
@@ -84,11 +88,11 @@ class CGI
84
88
  raise ArgumentError, "`name' required"
85
89
  end
86
90
 
87
- @name = options["name"]
91
+ self.name = options["name"]
88
92
  value = Array(options["value"])
89
93
  # simple support for IE
90
- @path = options["path"] || (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
91
- @domain = options["domain"]
94
+ self.path = options["path"] || (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
95
+ self.domain = options["domain"]
92
96
  @expires = options["expires"]
93
97
  @secure = options["secure"] == true
94
98
  @httponly = options["httponly"] == true
@@ -97,11 +101,35 @@ class CGI
97
101
  end
98
102
 
99
103
  # Name of this cookie, as a +String+
100
- attr_accessor :name
104
+ attr_reader :name
105
+ # Set name of this cookie
106
+ def name=(str)
107
+ if str and !TOKEN_RE.match?(str)
108
+ raise ArgumentError, "invalid name: #{str.dump}"
109
+ end
110
+ @name = str
111
+ end
112
+
101
113
  # Path for which this cookie applies, as a +String+
102
- attr_accessor :path
114
+ attr_reader :path
115
+ # Set path for which this cookie applies
116
+ def path=(str)
117
+ if str and !PATH_VALUE_RE.match?(str)
118
+ raise ArgumentError, "invalid path: #{str.dump}"
119
+ end
120
+ @path = str
121
+ end
122
+
103
123
  # Domain for which this cookie applies, as a +String+
104
- attr_accessor :domain
124
+ attr_reader :domain
125
+ # Set domain for which this cookie applies
126
+ def domain=(str)
127
+ if str and ((str = str.b).bytesize > 255 or !DOMAIN_VALUE_RE.match?(str))
128
+ raise ArgumentError, "invalid domain: #{str.dump}"
129
+ end
130
+ @domain = str
131
+ end
132
+
105
133
  # Time at which this cookie expires, as a +Time+
106
134
  attr_accessor :expires
107
135
  # True if this cookie is secure; false otherwise
data/lib/cgi/core.rb CHANGED
@@ -188,17 +188,28 @@ class CGI
188
188
  # Using #header with the HTML5 tag maker will create a <header> element.
189
189
  alias :header :http_header
190
190
 
191
+ def _no_crlf_check(str)
192
+ if str
193
+ str = str.to_s
194
+ raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
195
+ str
196
+ else
197
+ nil
198
+ end
199
+ end
200
+ private :_no_crlf_check
201
+
191
202
  def _header_for_string(content_type) #:nodoc:
192
203
  buf = ''.dup
193
204
  if nph?()
194
- buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}"
205
+ buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}"
195
206
  buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
196
- buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
207
+ buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
197
208
  buf << "Connection: close#{EOL}"
198
209
  end
199
- buf << "Content-Type: #{content_type}#{EOL}"
210
+ buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
200
211
  if @output_cookies
201
- @output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" }
212
+ @output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
202
213
  end
203
214
  return buf
204
215
  end # _header_for_string
@@ -213,9 +224,9 @@ class CGI
213
224
  ## NPH
214
225
  options.delete('nph') if defined?(MOD_RUBY)
215
226
  if options.delete('nph') || nph?()
216
- protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'
227
+ protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'
217
228
  status = options.delete('status')
218
- status = HTTP_STATUS[status] || status || '200 OK'
229
+ status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK'
219
230
  buf << "#{protocol} #{status}#{EOL}"
220
231
  buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
221
232
  options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || ''
@@ -223,38 +234,38 @@ class CGI
223
234
  end
224
235
  ## common headers
225
236
  status = options.delete('status')
226
- buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status
237
+ buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status
227
238
  server = options.delete('server')
228
- buf << "Server: #{server}#{EOL}" if server
239
+ buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
229
240
  connection = options.delete('connection')
230
- buf << "Connection: #{connection}#{EOL}" if connection
241
+ buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
231
242
  type = options.delete('type')
232
- buf << "Content-Type: #{type}#{EOL}" #if type
243
+ buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
233
244
  length = options.delete('length')
234
- buf << "Content-Length: #{length}#{EOL}" if length
245
+ buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
235
246
  language = options.delete('language')
236
- buf << "Content-Language: #{language}#{EOL}" if language
247
+ buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
237
248
  expires = options.delete('expires')
238
249
  buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
239
250
  ## cookie
240
251
  if cookie = options.delete('cookie')
241
252
  case cookie
242
253
  when String, Cookie
243
- buf << "Set-Cookie: #{cookie}#{EOL}"
254
+ buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
244
255
  when Array
245
256
  arr = cookie
246
- arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
257
+ arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
247
258
  when Hash
248
259
  hash = cookie
249
- hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" }
260
+ hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
250
261
  end
251
262
  end
252
263
  if @output_cookies
253
- @output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
264
+ @output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
254
265
  end
255
266
  ## other headers
256
267
  options.each do |key, value|
257
- buf << "#{key}: #{value}#{EOL}"
268
+ buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
258
269
  end
259
270
  return buf
260
271
  end # _header_for_hash
data/lib/cgi.rb CHANGED
@@ -288,7 +288,7 @@
288
288
  #
289
289
 
290
290
  class CGI
291
- VERSION = "0.2.1"
291
+ VERSION = "0.2.2"
292
292
  end
293
293
 
294
294
  require 'cgi/core'
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cgi
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.1
4
+ version: 0.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Yukihiro Matsumoto
8
- autorequire:
8
+ autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-11-24 00:00:00.000000000 Z
11
+ date: 2022-11-22 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Support for the Common Gateway Interface protocol.
14
14
  email:
@@ -43,7 +43,7 @@ licenses:
43
43
  metadata:
44
44
  homepage_uri: https://github.com/ruby/cgi
45
45
  source_code_uri: https://github.com/ruby/cgi
46
- post_install_message:
46
+ post_install_message:
47
47
  rdoc_options: []
48
48
  require_paths:
49
49
  - lib
@@ -58,8 +58,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
58
58
  - !ruby/object:Gem::Version
59
59
  version: '0'
60
60
  requirements: []
61
- rubygems_version: 3.3.0.dev
62
- signing_key:
61
+ rubygems_version: 3.4.0.dev
62
+ signing_key:
63
63
  specification_version: 4
64
64
  summary: Support for the Common Gateway Interface protocol.
65
65
  test_files: []