cgi 0.3.3 → 0.3.4

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of cgi might be problematic. Click here for more details.

Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/lib/cgi/cookie.rb +36 -8
  3. data/lib/cgi/core.rb +28 -17
  4. data/lib/cgi.rb +1 -1
  5. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 63cb59228083880bf0b411ca1b8d883fcb8ef938d84468a4c09aa08fe97f7176
4
- data.tar.gz: bbb690ec4a13a52d974157db9fa817e7c7ab53a80c0dc4870718bf7468588c63
3
+ metadata.gz: c729ba6567e82959f2b4e23b717b7a8aa9847d48a863f7c9dc1e8a24f9fba9e3
4
+ data.tar.gz: f8eb5772591c3cb006a0bb7a8b400fa991cbe85bb139d14fe320e2225e32f4e0
5
5
  SHA512:
6
- metadata.gz: 500bc48a86828e9ed8f870826f4ffcaf2a7256c1e63f5d08b8609b667beab3ba5712cb6f0cfc8aec1c5dac9b244486a16cb953cde7ac8e8f6a59675be138bf07
7
- data.tar.gz: 71477e7c13e827d38e8be80304e2b9e4f3abd5c770a20173b1931bfa4e9fb7a31caa95a2119d61ba1fa18cfbbfa9987482cfd5e1d2b6ad2c53eafd80fedd219b
6
+ metadata.gz: 19d8d04c3b83b7580e136d95481a18ff2cd58ed2db8231c1685af3b28aa1e7e2a1c440ebedb6e51f10d85279769d70c479e749cbb631402d838c3a58348c34f2
7
+ data.tar.gz: f51658936fd8a598f0036d2ec0b2b1d6554d27073aaace7581c303dbc0b43c775b205741b41dab2aeaf573cc9f3d61917687ad7b9a5f972a3f73c4aaf7b0cbe5
data/lib/cgi/cookie.rb CHANGED
@@ -40,6 +40,10 @@ class CGI
40
40
  class Cookie < Array
41
41
  @@accept_charset="UTF-8" unless defined?(@@accept_charset)
42
42
 
43
+ TOKEN_RE = %r"\A[[!-~]&&[^()<>@,;:\\\"/?=\[\]{}]]+\z"
44
+ PATH_VALUE_RE = %r"\A[[ -~]&&[^;]]*\z"
45
+ DOMAIN_VALUE_RE = %r"\A(?<label>[A-Za-z][-A-Za-z0-9]*[A-Za-z0-9])(?:\.\g<label>)*\z"
46
+
43
47
  # Create a new CGI::Cookie object.
44
48
  #
45
49
  # :call-seq:
@@ -72,8 +76,8 @@ class CGI
72
76
  @domain = nil
73
77
  @expires = nil
74
78
  if name.kind_of?(String)
75
- @name = name
76
- @path = (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
79
+ self.name = name
80
+ self.path = (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
77
81
  @secure = false
78
82
  @httponly = false
79
83
  return super(value)
@@ -84,11 +88,11 @@ class CGI
84
88
  raise ArgumentError, "`name' required"
85
89
  end
86
90
 
87
- @name = options["name"]
91
+ self.name = options["name"]
88
92
  value = Array(options["value"])
89
93
  # simple support for IE
90
- @path = options["path"] || (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
91
- @domain = options["domain"]
94
+ self.path = options["path"] || (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
95
+ self.domain = options["domain"]
92
96
  @expires = options["expires"]
93
97
  @secure = options["secure"] == true
94
98
  @httponly = options["httponly"] == true
@@ -97,11 +101,35 @@ class CGI
97
101
  end
98
102
 
99
103
  # Name of this cookie, as a +String+
100
- attr_accessor :name
104
+ attr_reader :name
105
+ # Set name of this cookie
106
+ def name=(str)
107
+ if str and !TOKEN_RE.match?(str)
108
+ raise ArgumentError, "invalid name: #{str.dump}"
109
+ end
110
+ @name = str
111
+ end
112
+
101
113
  # Path for which this cookie applies, as a +String+
102
- attr_accessor :path
114
+ attr_reader :path
115
+ # Set path for which this cookie applies
116
+ def path=(str)
117
+ if str and !PATH_VALUE_RE.match?(str)
118
+ raise ArgumentError, "invalid path: #{str.dump}"
119
+ end
120
+ @path = str
121
+ end
122
+
103
123
  # Domain for which this cookie applies, as a +String+
104
- attr_accessor :domain
124
+ attr_reader :domain
125
+ # Set domain for which this cookie applies
126
+ def domain=(str)
127
+ if str and ((str = str.b).bytesize > 255 or !DOMAIN_VALUE_RE.match?(str))
128
+ raise ArgumentError, "invalid domain: #{str.dump}"
129
+ end
130
+ @domain = str
131
+ end
132
+
105
133
  # Time at which this cookie expires, as a +Time+
106
134
  attr_accessor :expires
107
135
  # True if this cookie is secure; false otherwise
data/lib/cgi/core.rb CHANGED
@@ -188,17 +188,28 @@ class CGI
188
188
  # Using #header with the HTML5 tag maker will create a <header> element.
189
189
  alias :header :http_header
190
190
 
191
+ def _no_crlf_check(str)
192
+ if str
193
+ str = str.to_s
194
+ raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
195
+ str
196
+ else
197
+ nil
198
+ end
199
+ end
200
+ private :_no_crlf_check
201
+
191
202
  def _header_for_string(content_type) #:nodoc:
192
203
  buf = ''.dup
193
204
  if nph?()
194
- buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}"
205
+ buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}"
195
206
  buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
196
- buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
207
+ buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
197
208
  buf << "Connection: close#{EOL}"
198
209
  end
199
- buf << "Content-Type: #{content_type}#{EOL}"
210
+ buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
200
211
  if @output_cookies
201
- @output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" }
212
+ @output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
202
213
  end
203
214
  return buf
204
215
  end # _header_for_string
@@ -213,9 +224,9 @@ class CGI
213
224
  ## NPH
214
225
  options.delete('nph') if defined?(MOD_RUBY)
215
226
  if options.delete('nph') || nph?()
216
- protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'
227
+ protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'
217
228
  status = options.delete('status')
218
- status = HTTP_STATUS[status] || status || '200 OK'
229
+ status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK'
219
230
  buf << "#{protocol} #{status}#{EOL}"
220
231
  buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
221
232
  options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || ''
@@ -223,38 +234,38 @@ class CGI
223
234
  end
224
235
  ## common headers
225
236
  status = options.delete('status')
226
- buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status
237
+ buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status
227
238
  server = options.delete('server')
228
- buf << "Server: #{server}#{EOL}" if server
239
+ buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
229
240
  connection = options.delete('connection')
230
- buf << "Connection: #{connection}#{EOL}" if connection
241
+ buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
231
242
  type = options.delete('type')
232
- buf << "Content-Type: #{type}#{EOL}" #if type
243
+ buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
233
244
  length = options.delete('length')
234
- buf << "Content-Length: #{length}#{EOL}" if length
245
+ buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
235
246
  language = options.delete('language')
236
- buf << "Content-Language: #{language}#{EOL}" if language
247
+ buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
237
248
  expires = options.delete('expires')
238
249
  buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
239
250
  ## cookie
240
251
  if cookie = options.delete('cookie')
241
252
  case cookie
242
253
  when String, Cookie
243
- buf << "Set-Cookie: #{cookie}#{EOL}"
254
+ buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
244
255
  when Array
245
256
  arr = cookie
246
- arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
257
+ arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
247
258
  when Hash
248
259
  hash = cookie
249
- hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" }
260
+ hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
250
261
  end
251
262
  end
252
263
  if @output_cookies
253
- @output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
264
+ @output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
254
265
  end
255
266
  ## other headers
256
267
  options.each do |key, value|
257
- buf << "#{key}: #{value}#{EOL}"
268
+ buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
258
269
  end
259
270
  return buf
260
271
  end # _header_for_hash
data/lib/cgi.rb CHANGED
@@ -288,7 +288,7 @@
288
288
  #
289
289
 
290
290
  class CGI
291
- VERSION = "0.3.3"
291
+ VERSION = "0.3.4"
292
292
  end
293
293
 
294
294
  require 'cgi/core'
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cgi
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.3
4
+ version: 0.3.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Yukihiro Matsumoto
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-09-22 00:00:00.000000000 Z
11
+ date: 2022-11-22 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Support for the Common Gateway Interface protocol.
14
14
  email: