cgi 0.1.0.1 → 0.1.0.2

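--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: de6f4f6a0ff1e6b0e525b68b7bc03e700146bbd881648094674128ab59979e38
-data.tar.gz: 1c3c231e1e9c0374b4d80528c1cb8bc9414d8c65aaf53927edb85f9a184699d8
+metadata.gz: 88d87c310da6bcfa8f2da7f97ff2fad32509e4ec853d44d8077b82e6402db9e8
+data.tar.gz: cbe7e4b113e1243997974719ce4c8180eec4727f54e588144bcd4df5dd31efef
 SHA512:
-metadata.gz: 27096879d4596c9b333fd70fb36874984870cd133388e31271cbad902ed4ca3785f62ef94f056ba09e47027a8cc161c24aede0723f35323a5c008cb8cc236a25
-data.tar.gz: d5c33d0414644d31f51de5c5637c5625b5a3cb90405587fc30d1bbb5e1fc153483e6b3b5ce7054891ab0b81b076eaac98f0eda4dc47bb3feedfdf74ded6b091e
+metadata.gz: 847bb3e61e6c1bb998ec2da58cee64a0ccc3ef1647cdd1a54a9bb7e73cd91555790a7d818c36fdd46abae33ddb78c1199e0890b150c4d40ccd00c68e3c577da3
+data.tar.gz: d2aed253127848dfc91ab3610aed993b5f7d37591ee1a8460cf79b6e261c680c248f411ab3eaadc5e459ca9501ccdb0c4169db8860b554ad5e4431fb680d3d89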
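--- a/data/lib/cgi/cookie.rb
+++ b/data/lib/cgi/cookie.rb
@@ -40,6 +40,10 @@ class CGI
 class Cookie < Array
 @@accept_charset="UTF-8" unless defined?(@@accept_charset)
 
+TOKEN_RE = %r"\A[[!-~]&&[^()<>@,;:\\\"/?=\[\]{}]]+\z"
+PATH_VALUE_RE = %r"\A[[ -~]&&[^;]]*\z"
+DOMAIN_VALUE_RE = %r"\A(?<label>(?!-)[-A-Za-z0-9]+(?<!-))(?:\.\g<label>)*\z"
+
 # Create a new CGI::Cookie object.
 #
 # :call-seq:
@@ -72,8 +76,8 @@ class CGI
 @domain = nil
 @expires = nil
 if name.kind_of?(String)
-@name = name
-@path = (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
+self.name = name
+self.path = (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
 @secure = false
 @httponly = false
 return super(value)
@@ -84,11 +88,11 @@ class CGI
 raise ArgumentError, "`name' required"
 end
 
-@name = options["name"]
+self.name = options["name"]
 value = Array(options["value"])
 # simple support for IE
-@path = options["path"] || (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
-@domain = options["domain"]
+self.path = options["path"] || (%r|\A(.*/)| =~ ENV["SCRIPT_NAME"] ? $1 : "")
+self.domain = options["domain"]
 @expires = options["expires"]
 @secure = options["secure"] == true
 @httponly = options["httponly"] == true
@@ -97,11 +101,35 @@ class CGI
 end
 
 # Name of this cookie, as a +String+
-attr_accessor :name
+attr_reader :name
+# Set name of this cookie
+def name=(str)
+if str and !TOKEN_RE.match?(str)
+raise ArgumentError, "invalid name: #{str.dump}"
+end
+@name = str
+end
+
 # Path for which this cookie applies, as a +String+
-attr_accessor :path
+attr_reader :path
+# Set path for which this cookie applies
+def path=(str)
+if str and !PATH_VALUE_RE.match?(str)
+raise ArgumentError, "invalid path: #{str.dump}"
+end
+@path = str
+end
+
 # Domain for which this cookie applies, as a +String+
-attr_accessor :domain
+attr_reader :domain
+# Set domain for which this cookie applies
+def domain=(str)
+if str and ((str = str.b).bytesize > 255 or !DOMAIN_VALUE_RE.match?(str))
+raise ArgumentError, "invalid domain: #{str.dump}"
+end
+@domain = str
+end
+
 # Time at which this cookie expires, as a +Time+
 attr_accessor :expires
 # True if this cookie is secure; false otherwise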
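Review bot: In the new `domain=` setter the guard reassigns `str` to its `.b` copy, so the value stored in `@domain` is the ASCII-8BIT duplicate rather than the caller's string; the regexp only admits ASCII so interpolation still works, but `cookie.domain.encoding` silently changes, and validating a separate local (`bin = str.b` in the condition, `@domain = str` afterwards) would avoid that. The three guards use the keyword operators `and`/`or` for boolean logic (`if str and !TOKEN_RE.match?(str)`), which the Ruby style guide reserves for control flow because of their low precedence; `if str && !TOKEN_RE.match?(str)` reads the same and avoids the trap. The one-line comments above each setter would be more useful if they named the failure mode, e.g. `# Set name of this cookie; raises ArgumentError unless +str+ is nil or matches TOKEN_RE`. Note that the constructor now routes the SCRIPT_NAME-derived default path through `path=`, so an environment value containing `;` raises at construction where it previously did not — presumably intended, but worth a line in the changelog.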
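--- a/data/lib/cgi/core.rb
+++ b/data/lib/cgi/core.rb
@@ -188,17 +188,28 @@ class CGI
 # Using #header with the HTML5 tag maker will create a <header> element.
 alias :header :http_header
 
+def _no_crlf_check(str)
+if str
+str = str.to_s
+raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
+str
+else
+nil
+end
+end
+private :_no_crlf_check
+
 def _header_for_string(content_type) #:nodoc:
 buf = ''.dup
 if nph?()
-buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}"
+buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}"
 buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
-buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
+buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
 buf << "Connection: close#{EOL}"
 end
-buf << "Content-Type: #{content_type}#{EOL}"
+buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
 if @output_cookies
-@output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" }
+@output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
 end
 return buf
 end # _header_for_string
@@ -213,9 +224,9 @@ class CGI
 ## NPH
 options.delete('nph') if defined?(MOD_RUBY)
 if options.delete('nph') || nph?()
-protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'
+protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'
 status = options.delete('status')
-status = HTTP_STATUS[status] || status || '200 OK'
+status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK'
 buf << "#{protocol} #{status}#{EOL}"
 buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
 options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || ''
@@ -223,38 +234,38 @@ class CGI
 end
 ## common headers
 status = options.delete('status')
-buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status
+buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status
 server = options.delete('server')
-buf << "Server: #{server}#{EOL}" if server
+buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
 connection = options.delete('connection')
-buf << "Connection: #{connection}#{EOL}" if connection
+buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
 type = options.delete('type')
-buf << "Content-Type: #{type}#{EOL}" #if type
+buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
 length = options.delete('length')
-buf << "Content-Length: #{length}#{EOL}" if length
+buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
 language = options.delete('language')
-buf << "Content-Language: #{language}#{EOL}" if language
+buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
 expires = options.delete('expires')
 buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
 ## cookie
 if cookie = options.delete('cookie')
 case cookie
 when String, Cookie
-buf << "Set-Cookie: #{cookie}#{EOL}"
+buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
 when Array
 arr = cookie
-arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
+arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
 when Hash
 hash = cookie
-hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" }
+hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
 end
 end
 if @output_cookies
-@output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
+@output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
 end
 ## other headers
 options.each do |key, value|
-buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
+buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
 end
 return buf
 end # _header_for_hash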
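Review bot: `_no_crlf_check` rejects a bad header field with a bare `raise "A HTTP status or header field must not include CR and LF"`, i.e. a RuntimeError, while the sibling validators this release adds to cookie.rb raise ArgumentError for the same class of problem; a caller that wants to turn rejected header input into a 4xx response has to rescue the generic class here, so `raise ArgumentError, "..."` would be more consistent and easier to handle. The test `str =~ /[\r\n]/` allocates a MatchData it never reads; `str.match?(/[\r\n]/)` is the idiomatic form. The check deliberately stops at CR and LF, so other control bytes still pass through to the header buffer — fine for the stated purpose, but a one-line comment on the helper saying that it guards only against line-break injection would save the next reader from assuming broader sanitisation. The `Expires:` line is the only field built from an option that bypasses the helper; that is fine as long as `CGI.rfc1123_date` always returns a formatted `Time`, which is not visible in this hunk. The second and third hunks are inside `_header_for_hash`, whose signature and opening lines lie outside the diff.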
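--- a/data/lib/cgi/version.rb
+++ b/data/lib/cgi/version.rb
@@ -1,3 +1,3 @@
 class CGI
-VERSION = "0.1.0.1"
+VERSION = "0.1.0.2"
 end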
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cgi
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0.1
4
+ version: 0.1.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Yukihiro Matsumoto
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-11-21 00:00:00.000000000 Z
11
+ date: 2022-11-22 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Support for the Common Gateway Interface protocol.
14
14
  email: