http-cookie 1.0.2 → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +11 -7
- data/CHANGELOG.md +6 -0
- data/http-cookie.gemspec +2 -2
- data/lib/http/cookie/scanner.rb +12 -11
- data/lib/http/cookie/version.rb +1 -1
- data/test/test_http_cookie.rb +13 -2
- metadata +21 -21
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d1a93009a55673a4827d9f8d85c19b5c08f4b19c
|
|
4
|
+
data.tar.gz: a7f4a3bb7a58ded55e6edac658cb20e0ad5d0821
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d46e2e2d42e8a5e7947ccb2b0eb187b930e1e1dcb5912b75ffd78aca7532af0b9144d0210b7ca46ec3c4d591cfd8c742b64e393c60fda814d7ce75ae2aaada26
|
|
7
|
+
data.tar.gz: 5debdf55ddc8886db1e4e117e13829f6f93e2f08364126c0c693ed4dfde469374c49a35bef3f5b18455ab5379bf1289b386f30ebbae25603b4c5725beb2c231e
|
data/.travis.yml
CHANGED
|
@@ -1,17 +1,21 @@
|
|
|
1
|
+
sudo: false
|
|
1
2
|
language: ruby
|
|
3
|
+
cache: bundler
|
|
2
4
|
rvm:
|
|
3
5
|
- 1.8.7
|
|
4
6
|
- ree
|
|
5
7
|
- 1.9.3
|
|
6
8
|
- 2.0.0
|
|
9
|
+
- 2.1
|
|
10
|
+
- 2.2
|
|
11
|
+
- 2.3.0
|
|
7
12
|
- ruby-head
|
|
8
|
-
- jruby-
|
|
9
|
-
- jruby-
|
|
10
|
-
-
|
|
11
|
-
- rbx-18mode
|
|
12
|
-
- rbx-19mode
|
|
13
|
+
- jruby-1.7
|
|
14
|
+
- jruby-9
|
|
15
|
+
- rbx-2
|
|
13
16
|
matrix:
|
|
14
17
|
allow_failures:
|
|
15
18
|
- rvm: ruby-head
|
|
16
|
-
- rvm: rbx-
|
|
17
|
-
|
|
19
|
+
- rvm: rbx-2
|
|
20
|
+
before_install:
|
|
21
|
+
- gem update bundler
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 1.0.3 (2016-09-30)
|
|
2
|
+
|
|
3
|
+
- Treat comma as normal character in HTTP::Cookie.cookie_value_to_hash
|
|
4
|
+
instead of key-value pair separator. This should fix the problem
|
|
5
|
+
described in CVE-2016-7401.
|
|
6
|
+
|
|
1
7
|
## 1.0.2 (2013-09-10)
|
|
2
8
|
|
|
3
9
|
- Fix HTTP::Cookie.parse so that it does not raise ArgumentError
|
data/http-cookie.gemspec
CHANGED
|
@@ -27,8 +27,8 @@ Gem::Specification.new do |gem|
|
|
|
27
27
|
gem.add_runtime_dependency("domain_name", ["~> 0.5"])
|
|
28
28
|
gem.add_development_dependency("sqlite3", ["~> 1.3.3"]) unless defined?(JRUBY_VERSION)
|
|
29
29
|
gem.add_development_dependency("bundler", [">= 1.2.0"])
|
|
30
|
-
gem.add_development_dependency("test-unit", [">= 2.4.3"])
|
|
31
|
-
gem.add_development_dependency("rake", [">= 0.9.2.2"])
|
|
30
|
+
gem.add_development_dependency("test-unit", [">= 2.4.3", *("< 3" if RUBY_VERSION < "1.9")])
|
|
31
|
+
gem.add_development_dependency("rake", [">= 0.9.2.2", *("< 11" if RUBY_VERSION < "1.9")])
|
|
32
32
|
gem.add_development_dependency("rdoc", ["> 2.4.2"])
|
|
33
33
|
gem.add_development_dependency("simplecov", [">= 0"])
|
|
34
34
|
end
|
data/lib/http/cookie/scanner.rb
CHANGED
|
@@ -50,7 +50,7 @@ class HTTP::Cookie::Scanner < StringScanner
|
|
|
50
50
|
}
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
-
def scan_value
|
|
53
|
+
def scan_value(comma_as_separator = false)
|
|
54
54
|
''.tap { |s|
|
|
55
55
|
case
|
|
56
56
|
when scan(/[^,;"]+/)
|
|
@@ -59,7 +59,9 @@ class HTTP::Cookie::Scanner < StringScanner
|
|
|
59
59
|
# RFC 6265 2.2
|
|
60
60
|
# A cookie-value may be DQUOTE'd.
|
|
61
61
|
s << scan_dquoted
|
|
62
|
-
when check(
|
|
62
|
+
when check(/;/)
|
|
63
|
+
break
|
|
64
|
+
when comma_as_separator && check(RE_COOKIE_COMMA)
|
|
63
65
|
break
|
|
64
66
|
else
|
|
65
67
|
s << getch
|
|
@@ -68,12 +70,12 @@ class HTTP::Cookie::Scanner < StringScanner
|
|
|
68
70
|
}
|
|
69
71
|
end
|
|
70
72
|
|
|
71
|
-
def scan_name_value
|
|
73
|
+
def scan_name_value(comma_as_separator = false)
|
|
72
74
|
name = scan_name
|
|
73
75
|
if skip(/\=/)
|
|
74
|
-
value = scan_value
|
|
76
|
+
value = scan_value(comma_as_separator)
|
|
75
77
|
else
|
|
76
|
-
scan_value
|
|
78
|
+
scan_value(comma_as_separator)
|
|
77
79
|
value = nil
|
|
78
80
|
end
|
|
79
81
|
[name, value]
|
|
@@ -159,7 +161,7 @@ class HTTP::Cookie::Scanner < StringScanner
|
|
|
159
161
|
|
|
160
162
|
skip_wsp
|
|
161
163
|
|
|
162
|
-
name, value = scan_name_value
|
|
164
|
+
name, value = scan_name_value(true)
|
|
163
165
|
if value.nil?
|
|
164
166
|
@logger.warn("Cookie definition lacks a name-value pair.") if @logger
|
|
165
167
|
elsif name.empty?
|
|
@@ -176,7 +178,7 @@ class HTTP::Cookie::Scanner < StringScanner
|
|
|
176
178
|
break
|
|
177
179
|
when skip(/;/)
|
|
178
180
|
skip_wsp
|
|
179
|
-
aname, avalue = scan_name_value
|
|
181
|
+
aname, avalue = scan_name_value(true)
|
|
180
182
|
next if aname.empty? || value.nil?
|
|
181
183
|
aname.downcase!
|
|
182
184
|
case aname
|
|
@@ -218,13 +220,12 @@ class HTTP::Cookie::Scanner < StringScanner
|
|
|
218
220
|
until eos?
|
|
219
221
|
skip_wsp
|
|
220
222
|
|
|
221
|
-
|
|
223
|
+
# Do not treat comma in a Cookie header value as separator; see CVE-2016-7401
|
|
224
|
+
name, value = scan_name_value(false)
|
|
222
225
|
|
|
223
226
|
yield name, value if value
|
|
224
227
|
|
|
225
|
-
|
|
226
|
-
# values of a header.
|
|
227
|
-
skip(/[;,]/)
|
|
228
|
+
skip(/;/)
|
|
228
229
|
end
|
|
229
230
|
end
|
|
230
231
|
end
|
data/lib/http/cookie/version.rb
CHANGED
data/test/test_http_cookie.rb
CHANGED
|
@@ -441,17 +441,28 @@ class TestHTTPCookie < Test::Unit::TestCase
|
|
|
441
441
|
['Bar', 'value 2'],
|
|
442
442
|
['Baz', 'value3'],
|
|
443
443
|
['Bar', 'value"4'],
|
|
444
|
+
['Quux', 'x, value=5'],
|
|
444
445
|
]
|
|
445
446
|
|
|
446
447
|
cookie_value = HTTP::Cookie.cookie_value(pairs.map { |name, value|
|
|
447
448
|
HTTP::Cookie.new(:name => name, :value => value)
|
|
448
449
|
})
|
|
449
450
|
|
|
450
|
-
assert_equal 'Foo=value1; Bar="value 2"; Baz=value3; Bar="value\\"4"', cookie_value
|
|
451
|
+
assert_equal 'Foo=value1; Bar="value 2"; Baz=value3; Bar="value\\"4"; Quux="x, value=5"', cookie_value
|
|
451
452
|
|
|
452
453
|
hash = HTTP::Cookie.cookie_value_to_hash(cookie_value)
|
|
453
454
|
|
|
454
|
-
assert_equal
|
|
455
|
+
assert_equal pairs.map(&:first).uniq.size, hash.size
|
|
456
|
+
|
|
457
|
+
hash.each_pair { |name, value|
|
|
458
|
+
_, pvalue = pairs.assoc(name)
|
|
459
|
+
assert_equal pvalue, value
|
|
460
|
+
}
|
|
461
|
+
|
|
462
|
+
# Do not treat comma in a Cookie header value as separator; see CVE-2016-7401
|
|
463
|
+
hash = HTTP::Cookie.cookie_value_to_hash('Quux=x, value=5; Foo=value1; Bar="value 2"; Baz=value3; Bar="value\\"4"')
|
|
464
|
+
|
|
465
|
+
assert_equal pairs.map(&:first).uniq.size, hash.size
|
|
455
466
|
|
|
456
467
|
hash.each_pair { |name, value|
|
|
457
468
|
_, pvalue = pairs.assoc(name)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: http-cookie
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Akinori MUSHA
|
|
@@ -11,104 +11,104 @@ authors:
|
|
|
11
11
|
autorequire:
|
|
12
12
|
bindir: bin
|
|
13
13
|
cert_chain: []
|
|
14
|
-
date:
|
|
14
|
+
date: 2016-09-30 00:00:00.000000000 Z
|
|
15
15
|
dependencies:
|
|
16
16
|
- !ruby/object:Gem::Dependency
|
|
17
17
|
name: domain_name
|
|
18
18
|
requirement: !ruby/object:Gem::Requirement
|
|
19
19
|
requirements:
|
|
20
|
-
- - ~>
|
|
20
|
+
- - "~>"
|
|
21
21
|
- !ruby/object:Gem::Version
|
|
22
22
|
version: '0.5'
|
|
23
23
|
type: :runtime
|
|
24
24
|
prerelease: false
|
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
|
26
26
|
requirements:
|
|
27
|
-
- - ~>
|
|
27
|
+
- - "~>"
|
|
28
28
|
- !ruby/object:Gem::Version
|
|
29
29
|
version: '0.5'
|
|
30
30
|
- !ruby/object:Gem::Dependency
|
|
31
31
|
name: sqlite3
|
|
32
32
|
requirement: !ruby/object:Gem::Requirement
|
|
33
33
|
requirements:
|
|
34
|
-
- - ~>
|
|
34
|
+
- - "~>"
|
|
35
35
|
- !ruby/object:Gem::Version
|
|
36
36
|
version: 1.3.3
|
|
37
37
|
type: :development
|
|
38
38
|
prerelease: false
|
|
39
39
|
version_requirements: !ruby/object:Gem::Requirement
|
|
40
40
|
requirements:
|
|
41
|
-
- - ~>
|
|
41
|
+
- - "~>"
|
|
42
42
|
- !ruby/object:Gem::Version
|
|
43
43
|
version: 1.3.3
|
|
44
44
|
- !ruby/object:Gem::Dependency
|
|
45
45
|
name: bundler
|
|
46
46
|
requirement: !ruby/object:Gem::Requirement
|
|
47
47
|
requirements:
|
|
48
|
-
- -
|
|
48
|
+
- - ">="
|
|
49
49
|
- !ruby/object:Gem::Version
|
|
50
50
|
version: 1.2.0
|
|
51
51
|
type: :development
|
|
52
52
|
prerelease: false
|
|
53
53
|
version_requirements: !ruby/object:Gem::Requirement
|
|
54
54
|
requirements:
|
|
55
|
-
- -
|
|
55
|
+
- - ">="
|
|
56
56
|
- !ruby/object:Gem::Version
|
|
57
57
|
version: 1.2.0
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: test-unit
|
|
60
60
|
requirement: !ruby/object:Gem::Requirement
|
|
61
61
|
requirements:
|
|
62
|
-
- -
|
|
62
|
+
- - ">="
|
|
63
63
|
- !ruby/object:Gem::Version
|
|
64
64
|
version: 2.4.3
|
|
65
65
|
type: :development
|
|
66
66
|
prerelease: false
|
|
67
67
|
version_requirements: !ruby/object:Gem::Requirement
|
|
68
68
|
requirements:
|
|
69
|
-
- -
|
|
69
|
+
- - ">="
|
|
70
70
|
- !ruby/object:Gem::Version
|
|
71
71
|
version: 2.4.3
|
|
72
72
|
- !ruby/object:Gem::Dependency
|
|
73
73
|
name: rake
|
|
74
74
|
requirement: !ruby/object:Gem::Requirement
|
|
75
75
|
requirements:
|
|
76
|
-
- -
|
|
76
|
+
- - ">="
|
|
77
77
|
- !ruby/object:Gem::Version
|
|
78
78
|
version: 0.9.2.2
|
|
79
79
|
type: :development
|
|
80
80
|
prerelease: false
|
|
81
81
|
version_requirements: !ruby/object:Gem::Requirement
|
|
82
82
|
requirements:
|
|
83
|
-
- -
|
|
83
|
+
- - ">="
|
|
84
84
|
- !ruby/object:Gem::Version
|
|
85
85
|
version: 0.9.2.2
|
|
86
86
|
- !ruby/object:Gem::Dependency
|
|
87
87
|
name: rdoc
|
|
88
88
|
requirement: !ruby/object:Gem::Requirement
|
|
89
89
|
requirements:
|
|
90
|
-
- -
|
|
90
|
+
- - ">"
|
|
91
91
|
- !ruby/object:Gem::Version
|
|
92
92
|
version: 2.4.2
|
|
93
93
|
type: :development
|
|
94
94
|
prerelease: false
|
|
95
95
|
version_requirements: !ruby/object:Gem::Requirement
|
|
96
96
|
requirements:
|
|
97
|
-
- -
|
|
97
|
+
- - ">"
|
|
98
98
|
- !ruby/object:Gem::Version
|
|
99
99
|
version: 2.4.2
|
|
100
100
|
- !ruby/object:Gem::Dependency
|
|
101
101
|
name: simplecov
|
|
102
102
|
requirement: !ruby/object:Gem::Requirement
|
|
103
103
|
requirements:
|
|
104
|
-
- -
|
|
104
|
+
- - ">="
|
|
105
105
|
- !ruby/object:Gem::Version
|
|
106
106
|
version: '0'
|
|
107
107
|
type: :development
|
|
108
108
|
prerelease: false
|
|
109
109
|
version_requirements: !ruby/object:Gem::Requirement
|
|
110
110
|
requirements:
|
|
111
|
-
- -
|
|
111
|
+
- - ">="
|
|
112
112
|
- !ruby/object:Gem::Version
|
|
113
113
|
version: '0'
|
|
114
114
|
description: HTTP::Cookie is a Ruby library to handle HTTP Cookies based on RFC 6265. It
|
|
@@ -127,8 +127,8 @@ extra_rdoc_files:
|
|
|
127
127
|
- README.md
|
|
128
128
|
- LICENSE.txt
|
|
129
129
|
files:
|
|
130
|
-
- .gitignore
|
|
131
|
-
- .travis.yml
|
|
130
|
+
- ".gitignore"
|
|
131
|
+
- ".travis.yml"
|
|
132
132
|
- CHANGELOG.md
|
|
133
133
|
- Gemfile
|
|
134
134
|
- LICENSE.txt
|
|
@@ -162,17 +162,17 @@ require_paths:
|
|
|
162
162
|
- lib
|
|
163
163
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
164
164
|
requirements:
|
|
165
|
-
- -
|
|
165
|
+
- - ">="
|
|
166
166
|
- !ruby/object:Gem::Version
|
|
167
167
|
version: '0'
|
|
168
168
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
169
169
|
requirements:
|
|
170
|
-
- -
|
|
170
|
+
- - ">="
|
|
171
171
|
- !ruby/object:Gem::Version
|
|
172
172
|
version: '0'
|
|
173
173
|
requirements: []
|
|
174
174
|
rubyforge_project:
|
|
175
|
-
rubygems_version: 2.
|
|
175
|
+
rubygems_version: 2.6.6
|
|
176
176
|
signing_key:
|
|
177
177
|
specification_version: 4
|
|
178
178
|
summary: A Ruby library to handle HTTP Cookies based on RFC 6265
|