http-cookie 1.0.0.pre12 → 1.0.4

data/lib/http/cookie_jar/mozilla_store.rb

@@ -10,7 +10,7 @@ class HTTP::CookieJar
   # stored persistently in the SQLite3 database.
   class MozillaStore < AbstractStore
     # :stopdoc:
-    SCHEMA_VERSION = 5
+    SCHEMA_VERSION = 7
 
     def default_options
       {
@@ -22,14 +22,11 @@ class HTTP::CookieJar
 
     ALL_COLUMNS = %w[
       baseDomain
-      appId inBrowserElement
+      originAttributes
       name value
       host path
       expiry creationTime lastAccessed
       isSecure isHttpOnly
-    ]
-    UK_COLUMNS = %w[
-      name host path
       appId inBrowserElement
     ]
 
@@ -68,6 +65,9 @@ class HTTP::CookieJar
     end
     # :startdoc:
 
+    # :call-seq:
+    #   new(**options)
+    #
     # Generates a Mozilla cookie store.  If the file does not exist,
     # it is created.  If it does and its schema is old, it is
     # automatically upgraded with a new schema keeping the existing
@@ -92,6 +92,11 @@ class HTTP::CookieJar
     def initialize(options = nil)
       super
 
+      @origin_attributes = encode_www_form({}.tap { |params|
+        params['appId'] = @app_id if @app_id.nonzero?
+        params['inBrowserElement'] = 1 if @in_browser_element
+      })
+
       @filename = options[:filename] or raise ArgumentError, ':filename option is missing'
 
       @sjar = HTTP::CookieJar::HashStore.new
@@ -109,6 +114,7 @@ class HTTP::CookieJar
       @gc_index = 0
     end
 
+    # Raises TypeError.  Cloning is inhibited in this store class.
     def initialize_copy(other)
       raise TypeError, 'can\'t clone %s' % self.class
     end
@@ -138,13 +144,13 @@ class HTTP::CookieJar
 
     protected
 
-    def schema_version=(version)
+    def schema_version= version
       @db.execute("PRAGMA user_version = %d" % version)
       @schema_version = version
     end
 
-    def create_table
-      self.schema_version = SCHEMA_VERSION
+    def create_table_v5
+      self.schema_version = 5
       @db.execute("DROP TABLE IF EXISTS moz_cookies")
       @db.execute(<<-'SQL')
                    CREATE TABLE moz_cookies (
@@ -172,6 +178,62 @@ class HTTP::CookieJar
       SQL
     end
 
+    def create_table_v6
+      self.schema_version = 6
+      @db.execute("DROP TABLE IF EXISTS moz_cookies")
+      @db.execute(<<-'SQL')
+                   CREATE TABLE moz_cookies (
+                     id INTEGER PRIMARY KEY,
+                     baseDomain TEXT,
+                     originAttributes TEXT NOT NULL DEFAULT '',
+                     name TEXT,
+                     value TEXT,
+                     host TEXT,
+                     path TEXT,
+                     expiry INTEGER,
+                     lastAccessed INTEGER,
+                     creationTime INTEGER,
+                     isSecure INTEGER,
+                     isHttpOnly INTEGER,
+                     CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes)
+                   )
+      SQL
+      @db.execute(<<-'SQL')
+                   CREATE INDEX moz_basedomain
+                     ON moz_cookies (baseDomain,
+                                     originAttributes);
+      SQL
+    end
+
+    def create_table
+      self.schema_version = SCHEMA_VERSION
+      @db.execute("DROP TABLE IF EXISTS moz_cookies")
+      @db.execute(<<-'SQL')
+                   CREATE TABLE moz_cookies (
+                     id INTEGER PRIMARY KEY,
+                     baseDomain TEXT,
+                     originAttributes TEXT NOT NULL DEFAULT '',
+                     name TEXT,
+                     value TEXT,
+                     host TEXT,
+                     path TEXT,
+                     expiry INTEGER,
+                     lastAccessed INTEGER,
+                     creationTime INTEGER,
+                     isSecure INTEGER,
+                     isHttpOnly INTEGER,
+                     appId INTEGER DEFAULT 0,
+                     inBrowserElement INTEGER DEFAULT 0,
+                     CONSTRAINT moz_uniqueid UNIQUE (name, host, path, originAttributes)
+                   )
+      SQL
+      @db.execute(<<-'SQL')
+                   CREATE INDEX moz_basedomain
+                     ON moz_cookies (baseDomain,
+                                     originAttributes);
+      SQL
+    end
+
     def db_prepare(sql)
       st = @db.prepare(sql)
       yield st
@@ -222,7 +284,7 @@ class HTTP::CookieJar
         when 4
           @db.execute("ALTER TABLE moz_cookies RENAME TO moz_cookies_old")
           @db.execute("DROP INDEX moz_basedomain")
-          create_table
+          create_table_v5
           @db.execute(<<-'SQL')
                        INSERT INTO moz_cookies
                          (baseDomain, appId, inBrowserElement, name, value, host, path, expiry,
@@ -232,7 +294,42 @@ class HTTP::CookieJar
                            FROM moz_cookies_old
           SQL
           @db.execute("DROP TABLE moz_cookies_old")
+        when 5
+          @db.execute("ALTER TABLE moz_cookies RENAME TO moz_cookies_old")
+          @db.execute("DROP INDEX moz_basedomain")
+          create_table_v6
+          @db.create_function('CONVERT_TO_ORIGIN_ATTRIBUTES', 2) { |func, appId, inBrowserElement|
+            params = {}
+            params['appId'] = appId if appId.nonzero?
+            params['inBrowserElement'] = inBrowserElement if inBrowserElement.nonzero?
+            func.result = encode_www_form(params)
+          }
+          @db.execute(<<-'SQL')
+                       INSERT INTO moz_cookies
+                         (baseDomain, originAttributes, name, value, host, path, expiry,
+                          lastAccessed, creationTime, isSecure, isHttpOnly)
+                         SELECT baseDomain,
+                                CONVERT_TO_ORIGIN_ATTRIBUTES(appId, inBrowserElement),
+                                name, value, host, path, expiry, lastAccessed, creationTime,
+                                isSecure, isHttpOnly
+                           FROM moz_cookies_old
+          SQL
+          @db.execute("DROP TABLE moz_cookies_old")
+        when 6
+          @db.execute("ALTER TABLE moz_cookies ADD appId INTEGER DEFAULT 0")
+          @db.execute("ALTER TABLE moz_cookies ADD inBrowserElement INTEGER DEFAULT 0")
+          @db.create_function('SET_APP_ID', 1) { |func, originAttributes|
+            func.result = get_query_param(originAttributes, 'appId').to_i  # nil.to_i == 0
+          }
+          @db.create_function('SET_IN_BROWSER', 1) { |func, originAttributes|
+            func.result = get_query_param(originAttributes, 'inBrowserElement').to_i  # nil.to_i == 0
+          }
+          @db.execute(<<-'SQL')
+                       UPDATE moz_cookies SET appId = SET_APP_ID(originAttributes),
+                                              inBrowserElement = SET_IN_BROWSER(originAttributes)
+          SQL
           @logger.info("Upgraded database to schema version %d" % schema_version) if @logger
+          self.schema_version += 1
         else
           break
         end
@@ -255,16 +352,17 @@ class HTTP::CookieJar
     def db_add(cookie)
       @stmt[:add].execute({
           :baseDomain => cookie.domain_name.domain || cookie.domain,
-          :appId => @app_id,
-          :inBrowserElement => @in_browser_element ? 1 : 0,
+          :originAttributes => @origin_attributes,
           :name => cookie.name, :value => cookie.value,
           :host => cookie.dot_domain,
           :path => cookie.path,
           :expiry => cookie.expires_at.to_i,
-          :creationTime => cookie.created_at.to_i,
-          :lastAccessed => cookie.accessed_at.to_i,
+          :creationTime => serialize_usectime(cookie.created_at),
+          :lastAccessed => serialize_usectime(cookie.accessed_at),
           :isSecure => cookie.secure? ? 1 : 0,
           :isHttpOnly => cookie.httponly? ? 1 : 0,
+          :appId => @app_id,
+          :inBrowserElement => @in_browser_element ? 1 : 0,
         })
       cleanup if (@gc_index += 1) >= @gc_threshold
 
@@ -291,6 +389,36 @@ class HTTP::CookieJar
       self
     end
 
+    if RUBY_VERSION >= '1.9'
+      def encode_www_form(enum)
+        URI.encode_www_form(enum)
+      end
+
+      def get_query_param(str, key)
+        URI.decode_www_form(str).find { |k, v|
+          break v if k == key
+        }
+      end
+    else
+      require 'cgi'
+
+      def encode_www_form(enum)
+        enum.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join('&')
+      end
+
+      def get_query_param(str, key)
+        CGI.parse(str)[key].first
+      end
+    end
+
+    def serialize_usectime(time)
+      time ? (time.to_f * 1e6).floor : 0
+    end
+
+    def deserialize_usectime(value)
+      Time.at(value ? value / 1e6 : 0)
+    end
+
     public
 
     def add(cookie)
@@ -329,11 +457,10 @@ class HTTP::CookieJar
               expiry >= :expiry
     SQL
 
-    def each(uri = nil, &block)
+    def each(uri = nil, &block) # :yield: cookie
       now = Time.now
       if uri
         thost = DomainName.new(uri.host)
-        tpath = uri.path
 
         @stmt[:cookies_for_domain].execute({
             :baseDomain => thost.domain || thost.hostname,
@@ -351,8 +478,8 @@ class HTTP::CookieJar
               attrs[:domain]      = row['host']
               attrs[:path]        = row['path']
               attrs[:expires_at]  = Time.at(row['expiry'])
-              attrs[:accessed_at] = Time.at(row['lastAccessed'] || 0)
-              attrs[:created_at]  = Time.at(row['creationTime'] || 0)
+              attrs[:accessed_at] = deserialize_usectime(row['lastAccessed'])
+              attrs[:created_at]  = deserialize_usectime(row['creationTime'])
               attrs[:secure]      = secure
               attrs[:httponly]    = row['isHttpOnly'] != 0
             })
@@ -360,7 +487,7 @@ class HTTP::CookieJar
           if cookie.valid_for_uri?(uri)
             cookie.accessed_at = now
             @stmt[:update_lastaccessed].execute({
-                'lastAccessed' => now.to_i,
+                'lastAccessed' => serialize_usectime(now),
                 'id' => row['id'],
               })
             yield cookie
@@ -379,8 +506,8 @@ class HTTP::CookieJar
               attrs[:domain]      = row['host']
               attrs[:path]        = row['path']
               attrs[:expires_at]  = Time.at(row['expiry'])
-              attrs[:accessed_at] = Time.at(row['lastAccessed'] || 0)
-              attrs[:created_at]  = Time.at(row['creationTime'] || 0)
+              attrs[:accessed_at] = deserialize_usectime(row['lastAccessed'])
+              attrs[:created_at]  = deserialize_usectime(row['creationTime'])
               attrs[:secure]      = row['isSecure'] != 0
               attrs[:httponly]    = row['isHttpOnly'] != 0
             })
@@ -398,19 +525,6 @@ class HTTP::CookieJar
       self
     end
 
-    SQL[:count] = <<-'SQL'
-      SELECT COUNT(id) FROM moz_cookies
-    SQL
-
-    def count
-      @stmt[:count].execute.first[0]
-    end
-    protected :count
-
-    def empty?
-      @sjar.empty? && count == 0
-    end
-
     SQL[:delete_expired] = <<-'SQL'
       DELETE FROM moz_cookies WHERE expiry < :expiry
     SQL

data/lib/http/cookie_jar/yaml_saver.rb

@@ -1,16 +1,27 @@
+# :markup: markdown
 require 'http/cookie_jar'
 require 'psych' if !defined?(YAML) && RUBY_VERSION == "1.9.2"
 require 'yaml'
 
-# YAMLSaver saves and loads cookies in the YAML format.
+# YAMLSaver saves and loads cookies in the YAML format.  It can load a
+# YAML file saved by Mechanize, but the saving format is not
+# compatible with older versions of Mechanize (< 2.7).
 class HTTP::CookieJar::YAMLSaver < HTTP::CookieJar::AbstractSaver
+  # :singleton-method: new
+  # :call-seq:
+  #   new(**options)
+  #
+  # There is no option keyword supported at the moment.
+
+  ##
+
   def save(io, jar)
     YAML.dump(@session ? jar.to_a : jar.reject(&:session?), io)
   end
 
   def load(io, jar)
     begin
-      data = YAML.load(io)
+      data = load_yaml(io)
     rescue ArgumentError => e
       case e.message
       when %r{\Aundefined class/module Mechanize::}
@@ -20,7 +31,7 @@ class HTTP::CookieJar::YAMLSaver < HTTP::CookieJar::AbstractSaver
           yaml = io.read
           # a gross hack
           yaml.gsub!(%r{^(    [^ ].*:) !ruby/object:Mechanize::Cookie$}, "\\1")
-          data = YAML.load(yaml)
+          data = load_yaml(yaml)
         rescue Errno::ESPIPE
           @logger.warn "could not rewind the stream for conversion" if @logger
         rescue ArgumentError
@@ -42,7 +53,11 @@ class HTTP::CookieJar::YAMLSaver < HTTP::CookieJar::AbstractSaver
               # YAML::Object of Syck
               cookie_hash = cookie_hash.ivars
             end
-            cookie = HTTP::Cookie.new(cookie_hash)
+            cookie = HTTP::Cookie.new({}.tap { |hash|
+                cookie_hash.each_pair { |key, value|
+                  hash[key.to_sym] = value
+                }
+              })
             jar.add(cookie)
           }
         }
@@ -58,4 +73,14 @@ class HTTP::CookieJar::YAMLSaver < HTTP::CookieJar::AbstractSaver
   def default_options
     {}
   end
+
+  if YAML.name == 'Psych' && Psych::VERSION >= '3.1'
+    def load_yaml(yaml)
+      YAML.safe_load(yaml, :permitted_classes => %w[Time HTTP::Cookie Mechanize::Cookie DomainName], :aliases => true)
+    end
+  else
+    def load_yaml(yaml)
+      YAML.load(yaml)
+    end
+  end
 end

data/test/helper.rb

@@ -3,6 +3,30 @@ require 'test-unit'
 require 'uri'
 require 'http/cookie'
 
+module Test
+  module Unit
+    module Assertions
+      def assert_warn(pattern, message = nil, &block)
+        class << (output = "")
+          alias write <<
+        end
+        stderr, $stderr = $stderr, output
+        yield
+        assert_match(pattern, output, message)
+      ensure
+        $stderr = stderr
+      end
+
+      def assert_warning(pattern, message = nil, &block)
+        verbose, $VERBOSE = $VERBOSE, true
+        assert_warn(pattern, message, &block)
+      ensure
+        $VERBOSE = verbose
+      end
+    end
+  end
+end
+
 module Enumerable
   def combine
     masks = inject([[], 1]){|(ar, m), e| [ar << m, m << 1 ] }[0]
@@ -23,3 +47,9 @@ end
 def test_file(filename)
   File.expand_path(filename, File.dirname(__FILE__))
 end
+
+def sleep_until(time)
+  if (s = time - Time.now) > 0
+    sleep s
+  end
+end

data/test/test_http_cookie.rb

@@ -2,13 +2,6 @@
 require File.expand_path('helper', File.dirname(__FILE__))
 
 class TestHTTPCookie < Test::Unit::TestCase
-  def silently
-    warn_level, $VERBOSE = $VERBOSE, false
-    yield
-  ensure
-    $VERBOSE = warn_level
-  end
-
   def setup
     httpdate = 'Sun, 27-Sep-2037 00:00:00 GMT'
 
@@ -46,12 +39,10 @@ class TestHTTPCookie < Test::Unit::TestCase
 
     dates.each do |date|
       cookie = "PREF=1; expires=#{date}"
-      silently do
-        assert_equal 1, HTTP::Cookie.parse(cookie, url) { |c|
-          assert c.expires, "Tried parsing: #{date}"
-          assert_send [c.expires, :<, yesterday]
-        }.size
-      end
+      assert_equal 1, HTTP::Cookie.parse(cookie, url) { |c|
+        assert c.expires, "Tried parsing: #{date}"
+        assert_send [c.expires, :<, yesterday]
+      }.size
     end
 
     [
@@ -135,6 +126,22 @@ class TestHTTPCookie < Test::Unit::TestCase
     assert_equal 0, HTTP::Cookie.parse(cookie, url).size
   end
 
+  def test_parse_bad_name
+    cookie = "a\001b=c"
+    url = URI.parse('http://www.example.com/')
+    assert_nothing_raised {
+      assert_equal 0, HTTP::Cookie.parse(cookie, url).size
+    }
+  end
+
+  def test_parse_bad_value
+    cookie = "a=b\001c"
+    url = URI.parse('http://www.example.com/')
+    assert_nothing_raised {
+      assert_equal 0, HTTP::Cookie.parse(cookie, url).size
+    }
+  end
+
   def test_parse_weird_cookie
     cookie = 'n/a, ASPSESSIONIDCSRRQDQR=FBLDGHPBNDJCPCGNCPAENELB; path=/'
     url = URI.parse('http://www.searchinnovation.com/')
@@ -177,14 +184,12 @@ class TestHTTPCookie < Test::Unit::TestCase
       "20/06/95 21:07",
     ]
 
-    silently do
-      dates.each do |date|
-        cookie = "PREF=1; expires=#{date}"
-        assert_equal 1, HTTP::Cookie.parse(cookie, url) { |c|
-          assert_equal(true, c.expires.nil?)
-        }.size
-      end
-    end
+    dates.each { |date|
+      cookie = "PREF=1; expires=#{date}"
+      assert_equal 1, HTTP::Cookie.parse(cookie, url) { |c|
+        assert_equal(true, c.expires.nil?)
+      }.size
+    }
   end
 
   def test_parse_domain_dot
@@ -436,17 +441,28 @@ class TestHTTPCookie < Test::Unit::TestCase
       ['Bar', 'value 2'],
       ['Baz', 'value3'],
       ['Bar', 'value"4'],
+      ['Quux', 'x, value=5'],
     ]
 
     cookie_value = HTTP::Cookie.cookie_value(pairs.map { |name, value|
         HTTP::Cookie.new(:name => name, :value => value)
       })
 
-    assert_equal 'Foo=value1; Bar="value 2"; Baz=value3; Bar="value\\"4"', cookie_value
+    assert_equal 'Foo=value1; Bar="value 2"; Baz=value3; Bar="value\\"4"; Quux="x, value=5"', cookie_value
 
     hash = HTTP::Cookie.cookie_value_to_hash(cookie_value)
 
-    assert_equal 3, hash.size
+    assert_equal pairs.map(&:first).uniq.size, hash.size
+
+    hash.each_pair { |name, value|
+      _, pvalue = pairs.assoc(name)
+      assert_equal pvalue, value
+    }
+
+    # Do not treat comma in a Cookie header value as separator; see CVE-2016-7401
+    hash = HTTP::Cookie.cookie_value_to_hash('Quux=x, value=5; Foo=value1; Bar="value 2"; Baz=value3; Bar="value\\"4"')
+
+    assert_equal pairs.map(&:first).uniq.size, hash.size
 
     hash.each_pair { |name, value|
       _, pvalue = pairs.assoc(name)
@@ -537,6 +553,30 @@ class TestHTTPCookie < Test::Unit::TestCase
       cookie.acceptable?
     }
 
+    # various keywords
+    [
+      ["Expires", /use downcased symbol/],
+    ].each { |key, pattern|
+      assert_warning(pattern, "warn of key: #{key.inspect}") {
+        cookie = HTTP::Cookie.new(:value => 'value', :name => 'key', key => expires.dup)
+        assert_equal 'key', cookie.name
+        assert_equal 'value', cookie.value
+        assert_equal expires, cookie.expires, "key: #{key.inspect}"
+      }
+    }
+    [
+      [:Expires,   /unknown attribute name/],
+      [:expires?,  /unknown attribute name/],
+      [[:expires], /invalid keyword/],
+    ].each { |key, pattern|
+      assert_warning(pattern, "warn of key: #{key.inspect}") {
+        cookie = HTTP::Cookie.new(:value => 'value', :name => 'key', key => expires.dup)
+        assert_equal 'key', cookie.name
+        assert_equal 'value', cookie.value
+        assert_equal nil, cookie.expires, "key: #{key.inspect}"
+      }
+    }
+
     cookie = HTTP::Cookie.new(:value => 'value', :name => 'key', :expires => expires.dup)
     assert_equal 'key', cookie.name
     assert_equal 'value', cookie.value
@@ -679,19 +719,32 @@ class TestHTTPCookie < Test::Unit::TestCase
 
   def test_max_age=
     cookie = HTTP::Cookie.new(cookie_values)
+    expires = cookie.expires
 
     assert_raises(ArgumentError) {
       cookie.max_age = "+1"
     }
+    # make sure #expires is not destroyed
+    assert_equal expires, cookie.expires
+
     assert_raises(ArgumentError) {
       cookie.max_age = "1.5"
     }
+    # make sure #expires is not destroyed
+    assert_equal expires, cookie.expires
+
     assert_raises(ArgumentError) {
       cookie.max_age = "1 day"
     }
+    # make sure #expires is not destroyed
+    assert_equal expires, cookie.expires
+
     assert_raises(TypeError) {
       cookie.max_age = [1]
     }
+    # make sure #expires is not destroyed
+    assert_equal expires, cookie.expires
+
     cookie.max_age = "12"
     assert_equal 12, cookie.max_age