http-cookie 1.0.0.pre12 → 1.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2a70ec83e62018ae7621d1eb7ba75f08eea1d696
-  data.tar.gz: 9ed2b81801d89bb7adf3f6d97b087421406f4acf
+SHA256:
+  metadata.gz: 6e3fc7cc6e374fa6bdd53c2a32cae8b8856615df4aad76fe496ab6375738652e
+  data.tar.gz: 0132bb41158fa3bf84a0adf2fcf7226115a1126efbc12c879f465a8c2114215b
 SHA512:
-  metadata.gz: f1ba260a8757b9076df6645368f761005cc665ef1c4ae357f102982132ed66253ae7cb49d163430bd3070225524c0cd4a988b2abbc4252e3e68e8376eea68542
-  data.tar.gz: bca8c545043e5b4975e32350dcf37f1519a183e3d207bb2692313863104884750ef656ed568106b69beab35e53b0536c36b677846255b1d477af95d022c74bfe
+  metadata.gz: 341c0b9947ed005f8c73030ad7b5380aa19d76cbfc2f3f09ac69207a9a5b33e62f0094f6b68b98ad839f110c565f7afc08a9ff504c82affe736a8bcb55908e05
+  data.tar.gz: c4346ce6bae86a394c72b38f079c3c272205df3b7453c630e1dc3fc1ae7dec7ee0f652c9b5f2b12151fb6b7b402a5fbc41b832c051cf17102bd1cd584f72b461

data/.travis.yml

@@ -1,17 +1,21 @@
+sudo: false
 language: ruby
+cache: bundler
 rvm:
   - 1.8.7
   - ree
-  - 1.9.2
   - 1.9.3
   - 2.0.0
+  - 2.1
+  - 2.2
+  - 2.3.0
   - ruby-head
-  - jruby-18mode
-  - jruby-19mode
-  - jruby-head
-  - rbx-18mode
-  - rbx-19mode
+  - jruby-1.7
+  - jruby-9
+  - rbx-2
 matrix:
   allow_failures:
-    - rvm: rbx-18mode
-    - rvm: rbx-19mode
+    - rvm: ruby-head
+    - rvm: rbx-2
+before_install:
+  - gem update bundler

data/CHANGELOG.md

@@ -0,0 +1,29 @@
+## Unreleased
+
+- Support Mozilla's cookie storage format up to version 7.
+
+- Fix the time representation with creationTime and lastAccessed in
+  MozillaStore. (#8)
+
+## 1.0.3 (2016-09-30)
+
+- Treat comma as normal character in HTTP::Cookie.cookie_value_to_hash
+  instead of key-value pair separator.  This should fix the problem
+  described in CVE-2016-7401.
+
+## 1.0.2 (2013-09-10)
+
+  - Fix HTTP::Cookie.parse so that it does not raise ArgumentError
+    when it finds a bad name or value that is parsable but considered
+    invalid.
+
+## 1.0.1 (2013-04-21)
+
+  - Minor error handling improvements and documentation updates.
+
+  - Argument error regarding specifying store/saver classes no longer
+    raises IndexError, but either ArgumentError or TypeError.
+
+## 1.0.0 (2013-04-17)
+
+  - Initial Release.

data/README.md

@@ -8,6 +8,34 @@ It was originally a part of the
 separated as an independent library in the hope of serving as a common
 component that is reusable from any HTTP related piece of software.
 
+The following is an incomplete list of its features:
+
+* Its behavior is highly compatible with that of today's major web
+  browsers.
+
+* It is based on and conforms to RFC 6265 (the latest standard for the
+  HTTP cookie mechanism) to a high extent, with real world conventions
+  deeply in mind.
+
+* It takes eTLD (effective TLD, also known as "Public Suffix") into
+  account just as major browsers do, to reject cookies with an eTLD
+  domain like "org", "co.jp", or "appspot.com".  This feature is
+  brought to you by the domain_name gem.
+
+* The number of cookies and the size are properly capped so that a
+  cookie store does not get flooded.
+
+* It supports the legacy Netscape cookies.txt format for
+  serialization, maximizing the interoperability with other
+  implementations.
+
+* It supports the cookies.sqlite format adopted by Mozilla Firefox for
+  backend store database which can be shared among multiple program
+  instances.
+
+* It is relatively easy to add a new serialization format or a backend
+  store because of its modular API.
+
 ## Installation
 
 Add this line to your application's `Gemfile`:

data/http-cookie.gemspec

@@ -13,9 +13,10 @@ Gem::Specification.new do |gem|
     'Mike Dalessio'   => 'mike.dalessio@gmail.com',
   }.instance_eval { [keys, values] }
 
-  gem.description   = %q{A Ruby library to handle HTTP Cookies}
-  gem.summary       = %q{A Ruby library to handle HTTP Cookies}
+  gem.description   = %q{HTTP::Cookie is a Ruby library to handle HTTP Cookies based on RFC 6265.  It has with security, standards compliance and compatibility in mind, to behave just the same as today's major web browsers.  It has builtin support for the legacy cookies.txt and the latest cookies.sqlite formats of Mozilla Firefox, and its modular API makes it easy to add support for a new backend store.}
+  gem.summary       = %q{A Ruby library to handle HTTP Cookies based on RFC 6265}
   gem.homepage      = "https://github.com/sparklemotion/http-cookie"
+  gem.license       = "MIT"
 
   gem.files         = `git ls-files`.split($/)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
@@ -26,8 +27,9 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency("domain_name", ["~> 0.5"])
   gem.add_development_dependency("sqlite3", ["~> 1.3.3"]) unless defined?(JRUBY_VERSION)
   gem.add_development_dependency("bundler", [">= 1.2.0"])
-  gem.add_development_dependency("test-unit", [">= 2.4.3"])
-  gem.add_development_dependency("rake", [">= 0.9.2.2"])
-  gem.add_development_dependency("rdoc", ["> 2.4.2"])
+  gem.add_development_dependency("test-unit", [">= 2.4.3", *("< 3" if RUBY_VERSION < "1.9")])
+  gem.add_development_dependency("rake", [">= 0.9.2.2", *("< 11" if RUBY_VERSION < "1.9")])
+  gem.add_development_dependency("rdoc", RUBY_VERSION > "1.9" ? "> 2.4.2" : "~> 2.4.2")
   gem.add_development_dependency("simplecov", [">= 0"])
+  gem.add_development_dependency("json", ["< 2"]) if RUBY_VERSION < "2.0"
 end

data/lib/http/cookie.rb

@@ -87,7 +87,7 @@ class HTTP::Cookie
   # The Expires attribute value as a Time object.
   #
   # The setter method accepts a Time object, a string representation
-  # of date/time, or `nil`.
+  # of date/time that Time.parse can understand, or `nil`.
   #
   # Setting this value resets #max_age to nil.  When #max_age is
   # non-nil, #expires returns `created_at + max_age`.
@@ -111,12 +111,11 @@ class HTTP::Cookie
   #     new(**attr_hash)
   #
   # Creates a cookie object.  For each key of `attr_hash`, the setter
-  # is called if defined.  Each key can be either a symbol or a
-  # string of downcased attribute names.
-  #
-  # This methods accepts any attribute name for which a setter method
-  # is defined.  Beware, however, any error (typically ArgumentError)
-  # a setter method raises will be passed through.
+  # is called if defined and any error (typically ArgumentError or
+  # TypeError) that is raised will be passed through.  Each key can be
+  # either a downcased symbol or a string that may be mixed case.
+  # Support for the latter may, however, be obsoleted in future when
+  # Ruby 2.0's keyword syntax is adopted.
   #
   # If `value` is omitted or it is nil, an expiration cookie is
   # created unless `max_age` or `expires` (`expires_at`) is given.
@@ -129,7 +128,7 @@ class HTTP::Cookie
   #     new("name" => "uid", "value" => "a12345", "Domain" => 'www.example.org')
   #
   def initialize(*args)
-    @origin = @domain = @path =
+    @name = @origin = @domain = @path =
       @expires = @max_age = nil
     @for_domain = @secure = @httponly = false
     @session = true
@@ -157,8 +156,8 @@ class HTTP::Cookie
     end
     for_domain = false
     domain = max_age = origin = nil
-    attr_hash.each_pair { |key, val|
-      case key.to_sym
+    attr_hash.each_pair { |okey, val|
+      case key ||= okey
       when :name
         self.name = val
       when :value
@@ -175,28 +174,26 @@ class HTTP::Cookie
         # Let max_age take precedence over expires
         max_age = val
       when :expires, :expires_at
-        self.expires = val
+        self.expires = val unless max_age
       when :httponly, :httponly?
         @httponly = val
       when :secure, :secure?
         @secure = val
-      when /[A-Z]/
-        warn "keyword should be downcased: #{key}" if $VERBOSE
-        key = key.downcase
-        redo
       when Symbol
         setter = :"#{key}="
         if respond_to?(setter)
           __send__(setter, val)
         else
-          warn "unknown keyword: #{key}" if $VERBOSE
+          warn "unknown attribute name: #{okey.inspect}" if $VERBOSE
+          next
         end
       when String
-        key = key.to_sym
+        warn "use downcased symbol for keyword: #{okey.inspect}" if $VERBOSE
+        key = key.downcase.to_sym
         redo
       else
-        key = key.to_s
-        redo
+        warn "invalid keyword ignored: #{okey.inspect}" if $VERBOSE
+        next
       end
     }
     if @name.nil?
@@ -284,14 +281,21 @@ class HTTP::Cookie
         Scanner.new(set_cookie, logger).scan_set_cookie { |name, value, attrs|
           break if name.nil? || name.empty?
 
-          cookie = new(name, value)
+          begin
+            cookie = new(name, value)
+          rescue => e
+            logger.warn("Invalid name or value: #{e}") if logger
+            next
+          end
           cookie.created_at = created_at if created_at
           attrs.each { |aname, avalue|
             begin
               case aname
               when 'domain'
                 cookie.for_domain = true
-                cookie.domain = avalue # This may negate @for_domain
+                # The following may negate @for_domain if the value is
+                # an eTLD or IP address, hence this order.
+                cookie.domain = avalue
               when 'path'
                 cookie.path = avalue
               when 'expires'
@@ -343,7 +347,7 @@ class HTTP::Cookie
   attr_reader :name
 
   # See #name.
-  def name=(name)
+  def name= name
     name = (String.try_convert(name) or
       raise TypeError, "#{name.class} is not a String")
     if name.empty?
@@ -360,7 +364,7 @@ class HTTP::Cookie
   attr_reader :value
 
   # See #value.
-  def value=(value)
+  def value= value
     if value.nil?
       self.expires = UNIX_EPOCH
       return @value = ''
@@ -379,7 +383,7 @@ class HTTP::Cookie
   attr_reader :domain
 
   # See #domain.
-  def domain=(domain)
+  def domain= domain
     case domain
     when nil
       @for_domain = false
@@ -437,7 +441,7 @@ class HTTP::Cookie
   attr_reader :path
 
   # See #path.
-  def path=(path)
+  def path= path
     path = (String.try_convert(path) or
       raise TypeError, "#{path.class} is not a String")
     @path = path.start_with?('/') ? path : '/'
@@ -446,10 +450,11 @@ class HTTP::Cookie
   attr_reader :origin
 
   # See #origin.
-  def origin=(origin)
+  def origin= origin
     return origin if origin == @origin
     @origin.nil? or
       raise ArgumentError, "origin cannot be changed once it is set"
+    # Delay setting @origin because #domain= or #path= may fail
     origin = URI(origin)
     if URI::HTTP === origin
       self.domain ||= origin.host
@@ -482,7 +487,7 @@ class HTTP::Cookie
   end
 
   # See #expires.
-  def expires=(t)
+  def expires= t
     case t
     when nil, Time
     else
@@ -499,8 +504,7 @@ class HTTP::Cookie
   attr_reader :max_age
 
   # See #max_age.
-  def max_age=(sec)
-    @expires = nil
+  def max_age= sec
     case sec
     when Integer, nil
     else
@@ -510,6 +514,7 @@ class HTTP::Cookie
         raise ArgumentError, "invalid Max-Age: #{sec.inspect}"
       sec = str.to_i
     end
+    @expires = nil
     if @session = sec.nil?
       @max_age = nil
     else
@@ -603,7 +608,7 @@ class HTTP::Cookie
       if @domain
         string << "; Domain=#{@domain}"
       else
-        raise "for_domain is specified but domain is known"
+        raise "for_domain is specified but domain is unknown"
       end
     end
     if @path
@@ -611,7 +616,7 @@ class HTTP::Cookie
         string << "; Path=#{@path}"
       end
     else
-      raise "path is known"
+      raise "path is unknown"
     end
     if @max_age
       string << "; Max-Age=#{@max_age}"
@@ -635,7 +640,7 @@ class HTTP::Cookie
 
   # Compares the cookie with another.  When there are many cookies with
   # the same name for a URL, the value of the smallest must be used.
-  def <=>(other)
+  def <=> other
     # RFC 6265 5.4
     # Precedence: 1. longer path  2. older creation
     (@name <=> other.name).nonzero? ||

data/lib/http/cookie/ruby_compat.rb

@@ -1,5 +1,5 @@
 class Array
-  def select!
+  def select! # :yield: x
     i = 0
     each_with_index { |x, j|
       yield x or next
@@ -10,6 +10,10 @@ class Array
     self[i..-1] = []
     self
   end unless method_defined?(:select!)
+
+  def sort_by!(&block) # :yield: x
+    replace(sort_by(&block))
+  end unless method_defined?(:sort_by!)
 end
 
 class Hash

data/lib/http/cookie/scanner.rb

@@ -50,7 +50,7 @@ class HTTP::Cookie::Scanner < StringScanner
     }
   end
 
-  def scan_value
+  def scan_value(comma_as_separator = false)
     ''.tap { |s|
       case
       when scan(/[^,;"]+/)
@@ -59,7 +59,9 @@ class HTTP::Cookie::Scanner < StringScanner
         # RFC 6265 2.2
         # A cookie-value may be DQUOTE'd.
         s << scan_dquoted
-      when check(/;|#{RE_COOKIE_COMMA}/o)
+      when check(/;/)
+        break
+      when comma_as_separator && check(RE_COOKIE_COMMA)
         break
       else
         s << getch
@@ -68,12 +70,12 @@ class HTTP::Cookie::Scanner < StringScanner
     }
   end
 
-  def scan_name_value
+  def scan_name_value(comma_as_separator = false)
     name = scan_name
     if skip(/\=/)
-      value = scan_value
+      value = scan_value(comma_as_separator)
     else
-      scan_value
+      scan_value(comma_as_separator)
       value = nil
     end
     [name, value]
@@ -152,13 +154,6 @@ class HTTP::Cookie::Scanner < StringScanner
   end
 
   def scan_set_cookie
-    unless block_given?
-      scan_set_cookie { |*values|
-        return values
-      }
-      return
-    end
-
     # RFC 6265 4.1.1 & 5.2
     until eos?
       start = pos
@@ -166,7 +161,7 @@ class HTTP::Cookie::Scanner < StringScanner
 
       skip_wsp
 
-      name, value = scan_name_value
+      name, value = scan_name_value(true)
       if value.nil?
         @logger.warn("Cookie definition lacks a name-value pair.") if @logger
       elsif name.empty?
@@ -183,7 +178,7 @@ class HTTP::Cookie::Scanner < StringScanner
         break
       when skip(/;/)
         skip_wsp
-        aname, avalue = scan_name_value
+        aname, avalue = scan_name_value(true)
         next if aname.empty? || value.nil?
         aname.downcase!
         case aname
@@ -221,24 +216,16 @@ class HTTP::Cookie::Scanner < StringScanner
   end
 
   def scan_cookie
-    unless block_given?
-      scan_cookie { |*values|
-        return values
-      }
-      return
-    end
-
     # RFC 6265 4.1.1 & 5.4
     until eos?
       skip_wsp
 
-      name, value = scan_name_value
+      # Do not treat comma in a Cookie header value as separator; see CVE-2016-7401
+      name, value = scan_name_value(false)
 
       yield name, value if value
 
-      # The comma is used as separator for concatenating multiple
-      # values of a header.
-      skip(/[;,]/)
+      skip(/;/)
     end
   end
 end