http-cookie 1.0.5 → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5230b0bd44e032652855e7b9e60e3d994ca56adbd57550c7520930d4dbf734a4
-  data.tar.gz: 65240197f49ac57bac8c6f3d1104cfe4f8fff77e1ac992c05c72d74efbba8300
+  metadata.gz: fd2affae74acb780842ead781a250bf2fe174fd034417391224ded71767cc08a
+  data.tar.gz: 77f5ed5bdf3b14002399d237e3d86eb655f2d27da1c3aafd5725338565c24b08
 SHA512:
-  metadata.gz: 7fc5bb2e287d60d060c54eb9fb9ccb6d55c55e84ec35525deff8c088c873d6ac26db86f7f1cf3c03a7cbf05e397b6cd0e3a1e1171c2dcff8848e0345a34b0905
-  data.tar.gz: 1c85e07a65fac1d5440126bea27dbc01160edc9a791f56e021cd3142070eada54bf1ec3cda31c9d9273f23c3a84c8786c308bcdd27e03f7266c203dde4abdd6f
+  metadata.gz: 5121ba37a869a8aa52c2efbc2ac3909715883d49203374c8997a3ceeceb84b15e674c77b5ccb0ad5a8cfcea593bfc8c707a96ff4b3ee7a5634302195e8a50ee5
+  data.tar.gz: 8cb0b6b1ed0b5e9f952031b677a3d8e28d2d14c4a4036e335bfe3ce433743408ce6d1aaa8a23545777328a31cf1e095fc85dde84ddbc056e2ef4fc1e6d2e83be

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @knu

data/.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
       matrix:
         os: [ubuntu]
         # We still kind of support Ruby 1.8.7
-        ruby: [2.7, "3.0", 3.1, head, jruby]
+        ruby: ["2.7", "3.0", "3.1", "3.2", "3.3", "head", "jruby"]
 
     name: >-
       ${{matrix.os}}:ruby-${{matrix.ruby}}
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Check out
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up ruby and bundle
         uses: ruby/setup-ruby@v1

data/README.md

@@ -1,3 +1,5 @@
+[![Gem Version](https://badge.fury.io/rb/http-cookie.svg)](https://badge.fury.io/rb/http-cookie)
+
 # HTTP::Cookie
 
 HTTP::Cookie is a ruby library to handle HTTP cookies in a way both
@@ -20,7 +22,8 @@ The following is an incomplete list of its features:
 * It takes eTLD (effective TLD, also known as "Public Suffix") into
   account just as major browsers do, to reject cookies with an eTLD
   domain like "org", "co.jp", or "appspot.com".  This feature is
-  brought to you by the domain_name gem.
+  brought to you by the
+  [domain_name](https://github.com/knu/ruby-domain_name) gem.
 
 * The number of cookies and the size are properly capped so that a
   cookie store does not get flooded.
@@ -207,7 +210,7 @@ equivalent using HTTP::Cookie:
     guarantee that it will remain available in the future.
 
 
-HTTP::Cookie/CookieJar raise runtime errors to help migration, so
+HTTP::Cookie/CookieJar raises runtime errors to help migration, so
 after replacing the class names, try running your test code once to
 find out how to fix your code base.
 

data/lib/http/cookie/scanner.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'http/cookie'
 require 'strscan'
 require 'time'
@@ -23,7 +24,7 @@ class HTTP::Cookie::Scanner < StringScanner
   class << self
     def quote(s)
       return s unless s.match(RE_BAD_CHAR)
-      '"' << s.gsub(/([\\"])/, "\\\\\\1") << '"'
+      (+'"') << s.gsub(/([\\"])/, "\\\\\\1") << '"'
     end
   end
 
@@ -32,7 +33,7 @@ class HTTP::Cookie::Scanner < StringScanner
   end
 
   def scan_dquoted
-    ''.tap { |s|
+    (+'').tap { |s|
       case
       when skip(/"/)
         break
@@ -51,7 +52,7 @@ class HTTP::Cookie::Scanner < StringScanner
   end
 
   def scan_value(comma_as_separator = false)
-    ''.tap { |s|
+    (+'').tap { |s|
       case
       when scan(/[^,;"]+/)
         s << matched

data/lib/http/cookie/uri_parser.rb

@@ -0,0 +1,36 @@
+module HTTP::Cookie::URIParser
+  module_function
+
+  # Regular Expression taken from RFC 3986 Appendix B
+  URIREGEX = %r{
+    \A
+    (?: (?<scheme> [^:/?\#]+ ) : )?
+    (?: // (?<authority> [^/?\#]* ) )?
+    (?<path> [^?\#]* )
+    (?: \? (?<query> [^\#]* ) )?
+    (?: \# (?<fragment> .* ) )?
+    \z
+  }x
+
+  # Escape RFC 3986 "reserved" characters minus valid characters for path
+  # More specifically, gen-delims minus "/" / "?" / "#"
+  def escape_path(path)
+    path.sub(/\A[^?#]+/) { |p| p.gsub(/[:\[\]@]+/) { |r| CGI.escape(r) } }
+  end
+
+  # Parse a URI string or object, relaxing the constraints on the path component
+  def parse(uri)
+    URI(uri)
+  rescue URI::InvalidURIError
+    str = String.try_convert(uri) or
+      raise ArgumentError, "bad argument (expected URI object or URI string)"
+
+    m = URIREGEX.match(str) or raise
+
+    path = m[:path]
+    str[m.begin(:path)...m.end(:path)] = escape_path(path)
+    uri = URI.parse(str)
+    uri.__send__(:set_path, path)
+    uri
+  end
+end

data/lib/http/cookie/version.rb

@@ -1,5 +1,5 @@
 module HTTP
   class Cookie
-    VERSION = "1.0.5"
+    VERSION = "1.0.6"
   end
 end

data/lib/http/cookie.rb

@@ -1,5 +1,7 @@
 # :markup: markdown
+# frozen_string_literal: true
 require 'http/cookie/version'
+require 'http/cookie/uri_parser'
 require 'time'
 require 'uri'
 require 'domain_name'
@@ -275,7 +277,7 @@ class HTTP::Cookie
         logger = options[:logger]
         created_at = options[:created_at]
       end
-      origin = URI(origin)
+      origin = HTTP::Cookie::URIParser.parse(origin)
 
       [].tap { |cookies|
         Scanner.new(set_cookie, logger).scan_set_cookie { |name, value, attrs|
@@ -424,7 +426,7 @@ class HTTP::Cookie
   # Returns the domain, with a dot prefixed only if the domain flag is
   # on.
   def dot_domain
-    @for_domain ? '.' << @domain : @domain
+    @for_domain ? (+'.') << @domain : @domain
   end
 
   # Returns the domain attribute value as a DomainName object.
@@ -455,7 +457,7 @@ class HTTP::Cookie
     @origin.nil? or
       raise ArgumentError, "origin cannot be changed once it is set"
     # Delay setting @origin because #domain= or #path= may fail
-    origin = URI(origin)
+    origin = HTTP::Cookie::URIParser.parse(origin)
     if URI::HTTP === origin
       self.domain ||= origin.host
       self.path   ||= (origin + './').path
@@ -548,7 +550,7 @@ class HTTP::Cookie
   # Tests if it is OK to accept this cookie if it is sent from a given
   # URI/URL, `uri`.
   def acceptable_from_uri?(uri)
-    uri = URI(uri)
+    uri = HTTP::Cookie::URIParser.parse(uri)
     return false unless URI::HTTP === uri && uri.host
     host = DomainName.new(uri.host)
 
@@ -585,7 +587,7 @@ class HTTP::Cookie
     if @domain.nil?
       raise "cannot tell if this cookie is valid because the domain is unknown"
     end
-    uri = URI(uri)
+    uri = HTTP::Cookie::URIParser.parse(uri)
     # RFC 6265 5.4
     return false if secure? && !(URI::HTTPS === uri)
     acceptable_from_uri?(uri) && HTTP::Cookie.path_match?(@path, uri.path)
@@ -594,7 +596,7 @@ class HTTP::Cookie
   # Returns a string for use in the Cookie header, i.e. `name=value`
   # or `name="value"`.
   def cookie_value
-    "#{@name}=#{Scanner.quote(@value)}"
+    +"#{@name}=#{Scanner.quote(@value)}"
   end
   alias to_s cookie_value
 

data/lib/http/cookie_jar/abstract_store.rb

@@ -18,7 +18,7 @@ class HTTP::CookieJar::AbstractStore
         require 'http/cookie_jar/%s_store' % symbol
         @@class_map.fetch(symbol)
       rescue LoadError, IndexError => e
-        raise IndexError, 'cookie store unavailable: %s, error: %s' % symbol.inspect, e.message
+        raise IndexError, 'cookie store unavailable: %s, error: %s' % [symbol.inspect, e.message]
       end
     end
 

data/lib/http/cookie_jar.rb

@@ -156,7 +156,7 @@ class HTTP::CookieJar
     block_given? or return enum_for(__method__, uri)
 
     if uri
-      uri = URI(uri)
+      uri = HTTP::Cookie::URIParser.parse(uri)
       return self unless URI::HTTP === uri && uri.host
     end
 

data/test/helper.rb

@@ -7,7 +7,7 @@ module Test
   module Unit
     module Assertions
       def assert_warn(pattern, message = nil, &block)
-        class << (output = "")
+        class << (output = +"")
           alias write <<
         end
         stderr, $stderr = $stderr, output
@@ -50,6 +50,6 @@ end
 
 def sleep_until(time)
   if (s = time - Time.now) > 0
-    sleep s
+    sleep s + 0.01
   end
 end

data/test/test_http_cookie.rb

@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
+# frozen_string_literal: false
 require File.expand_path('helper', File.dirname(__FILE__))
 require 'psych' if !defined?(YAML) && RUBY_VERSION == "1.9.2"
 require 'yaml'
@@ -302,7 +303,8 @@ class TestHTTPCookie < Test::Unit::TestCase
       "name=Aaron; Domain=localhost; Expires=Sun, 06 Nov 2011 00:29:51 GMT; Path=/, " \
       "name=Aaron; Domain=localhost; Expires=Sun, 06 Nov 2011 00:29:51 GMT; Path=/; HttpOnly, " \
       "expired=doh; Expires=Fri, 04 Nov 2011 00:29:51 GMT; Path=/, " \
-      "a_path=some_path; Expires=Sun, 06 Nov 2011 00:29:51 GMT; Path=/some_path, " \
+      "a_path1=some_path; Expires=Sun, 06 Nov 2011 00:29:51 GMT; Path=/some_path, " \
+      "a_path2=some_path; Expires=Sun, 06 Nov 2011 00:29:51 GMT; Path=/some_path[], " \
       "no_path1=no_path; Expires=Sun, 06 Nov 2011 00:29:52 GMT, no_expires=nope; Path=/, " \
       "no_path2=no_path; Expires=Sun, 06 Nov 2011 00:29:52 GMT; no_expires=nope; Path, " \
       "no_path3=no_path; Expires=Sun, 06 Nov 2011 00:29:52 GMT; no_expires=nope; Path=, " \
@@ -313,17 +315,22 @@ class TestHTTPCookie < Test::Unit::TestCase
       "no_domain3=no_domain; Expires=Sun, 06 Nov 2011 00:29:53 GMT; no_expires=nope; Domain="
 
     cookies = HTTP::Cookie.parse cookie_str, url
-    assert_equal 15, cookies.length
+    assert_equal 16, cookies.length
 
     name = cookies.find { |c| c.name == 'name' }
     assert_equal "Aaron",             name.value
     assert_equal "/",                 name.path
     assert_equal Time.at(1320539391), name.expires
 
-    a_path = cookies.find { |c| c.name == 'a_path' }
-    assert_equal "some_path",         a_path.value
-    assert_equal "/some_path",        a_path.path
-    assert_equal Time.at(1320539391), a_path.expires
+    a_path1 = cookies.find { |c| c.name == 'a_path1' }
+    assert_equal "some_path",         a_path1.value
+    assert_equal "/some_path",        a_path1.path
+    assert_equal Time.at(1320539391), a_path1.expires
+
+    a_path2 = cookies.find { |c| c.name == 'a_path2' }
+    assert_equal "some_path",         a_path2.value
+    assert_equal "/some_path[]",      a_path2.path
+    assert_equal Time.at(1320539391), a_path2.expires
 
     no_expires = cookies.find { |c| c.name == 'no_expires' }
     assert_equal "nope", no_expires.value
@@ -751,7 +758,7 @@ class TestHTTPCookie < Test::Unit::TestCase
     assert_equal 12, cookie.max_age
 
     cookie.max_age = -3
-    assert_equal -3, cookie.max_age
+    assert_equal(-3, cookie.max_age)
   end
 
   def test_session
@@ -941,6 +948,10 @@ class TestHTTPCookie < Test::Unit::TestCase
       cookie.origin = URI.parse('http://www.example.com/')
     }
 
+    cookie = HTTP::Cookie.new('a', 'b')
+    cookie.origin = HTTP::Cookie::URIParser.parse('http://example.com/path[]/')
+    assert_equal '/path[]/', cookie.path
+
     cookie = HTTP::Cookie.new('a', 'b', :domain => '.example.com')
     cookie.origin = URI.parse('http://example.org/')
     assert_equal false, cookie.acceptable?
@@ -1006,7 +1017,7 @@ class TestHTTPCookie < Test::Unit::TestCase
           'https://www.example.com/dir2/test.html',
         ]
       },
-      HTTP::Cookie.parse('a4=b; domain=example.com; path=/dir2/',
+      HTTP::Cookie.parse('a3=b; domain=example.com; path=/dir2/',
         URI('http://example.com/dir/file.html')).first => {
         true => [
           'https://example.com/dir2/test.html',
@@ -1022,7 +1033,19 @@ class TestHTTPCookie < Test::Unit::TestCase
           'file:///dir2/test.html',
         ]
       },
-      HTTP::Cookie.parse('a4=b; secure',
+      HTTP::Cookie.parse('a4=b; domain=example.com; path=/dir2[]/',
+        HTTP::Cookie::URIParser.parse('http://example.com/dir[]/file.html')).first => {
+        true => [
+          HTTP::Cookie::URIParser.parse('https://example.com/dir2[]/file.html'),
+          HTTP::Cookie::URIParser.parse('http://example.com/dir2[]/file.html'),
+        ],
+        false => [
+          HTTP::Cookie::URIParser.parse('https://example.com/dir[]/file.html'),
+          HTTP::Cookie::URIParser.parse('http://example.com/dir[]/file.html'),
+          'file:///dir2/test.html',
+        ]
+      },
+      HTTP::Cookie.parse('a5=b; secure',
         URI('https://example.com/dir/file.html')).first => {
         true => [
           'https://example.com/dir/test.html',
@@ -1034,7 +1057,7 @@ class TestHTTPCookie < Test::Unit::TestCase
           'file:///dir2/test.html',
         ]
       },
-      HTTP::Cookie.parse('a5=b',
+      HTTP::Cookie.parse('a6=b',
         URI('https://example.com/')).first => {
         true => [
           'https://example.com',
@@ -1043,7 +1066,7 @@ class TestHTTPCookie < Test::Unit::TestCase
           'file:///',
         ]
       },
-      HTTP::Cookie.parse('a6=b; path=/dir',
+      HTTP::Cookie.parse('a7=b; path=/dir',
         'http://example.com/dir/file.html').first => {
         true => [
           'http://example.com/dir',
@@ -1069,7 +1092,7 @@ class TestHTTPCookie < Test::Unit::TestCase
       hash.each { |expected, urls|
         urls.each { |url|
           assert_equal expected, cookie.valid_for_uri?(url), '%s: %s' % [cookie.name, url]
-          assert_equal expected, cookie.valid_for_uri?(URI(url)), "%s: URI(%s)" % [cookie.name, url]
+          assert_equal expected, cookie.valid_for_uri?(HTTP::Cookie::URIParser.parse(url)), "%s: URI(%s)" % [cookie.name, url]
         }
       }
     }

data/test/test_http_cookie_jar.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 require File.expand_path('helper', File.dirname(__FILE__))
 require 'tmpdir'
 
@@ -9,6 +10,13 @@ module TestHTTPCookieJar
       }
     end
 
+    def test_nonexistent_store_in_config
+      expected = /cookie store unavailable: :nonexistent, error: (cannot load|no such file to load) .*nonexistent_store/
+      assert_raise_with_message(ArgumentError, expected) {
+        HTTP::CookieJar.new(store: :nonexistent)
+      }
+    end
+
     def test_erroneous_store
       Dir.mktmpdir { |dir|
         Dir.mkdir(File.join(dir, 'http'))
@@ -465,7 +473,7 @@ module TestHTTPCookieJar
     end
 
     def test_save_and_read_cookiestxt
-      url = URI 'http://rubyforge.org/foo/'
+      url = HTTP::Cookie::URIParser.parse('https://rubyforge.org/foo[]/')
 
       # Add one cookie with an expiration date in the future
       cookie = HTTP::Cookie.new(cookie_values)
@@ -474,7 +482,7 @@ module TestHTTPCookieJar
           :expires => nil))
       cookie2 = HTTP::Cookie.new(cookie_values(:name => 'Baz',
           :value => 'Foo#Baz',
-          :path => '/foo/',
+          :path => '/foo[]/',
           :for_domain => false))
       h_cookie = HTTP::Cookie.new(cookie_values(:name => 'Quux',
           :value => 'Foo#Quux',
@@ -523,7 +531,7 @@ module TestHTTPCookieJar
             assert_equal 'Foo#Baz', cookie.value
             assert_equal 'rubyforge.org', cookie.domain
             assert_equal false, cookie.for_domain
-            assert_equal '/foo/', cookie.path
+            assert_equal '/foo[]/', cookie.path
             assert_equal false, cookie.httponly?
           when 'Quux'
             assert_equal 'Foo#Quux', cookie.value
@@ -656,6 +664,34 @@ module TestHTTPCookieJar
       assert_equal(0, @jar.cookies(url).length)
     end
 
+    def test_non_rfc3986_compliant_paths
+      url = HTTP::Cookie::URIParser.parse('http://RubyForge.org/login[]')
+
+      values = cookie_values(:path => "/login[]", :expires => nil, :origin => url)
+
+      # Add one cookie with an expiration date in the future
+      cookie = HTTP::Cookie.new(values)
+      @jar.add(cookie)
+      assert_equal(1, @jar.cookies(url).length)
+
+      # Add a second cookie
+      @jar.add(HTTP::Cookie.new(values.merge( :name => 'Baz' )))
+      assert_equal(2, @jar.cookies(url).length)
+
+      # Make sure we don't get the cookie in a different path
+      assert_equal(0, @jar.cookies(HTTP::Cookie::URIParser.parse('http://RubyForge.org/hello[]')).length)
+      assert_equal(0, @jar.cookies(HTTP::Cookie::URIParser.parse('http://RubyForge.org/')).length)
+
+      # Expire the first cookie
+      @jar.add(HTTP::Cookie.new(values.merge( :expires => Time.now - (10 * 86400))))
+      assert_equal(1, @jar.cookies(url).length)
+
+      # Expire the second cookie
+      @jar.add(HTTP::Cookie.new(values.merge( :name => 'Baz',
+            :expires => Time.now - (10 * 86400))))
+      assert_equal(0, @jar.cookies(url).length)
+    end
+
     def test_ssl_cookies
       # thanks to michal "ocher" ochman for reporting the bug responsible for this test.
       values = cookie_values(:expires => nil)

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: http-cookie
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.0.6
 platform: ruby
 authors:
 - Akinori MUSHA
 - Aaron Patterson
 - Eric Hodel
 - Mike Dalessio
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-25 00:00:00.000000000 Z
+date: 2024-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: domain_name
@@ -127,6 +127,7 @@ extra_rdoc_files:
 - README.md
 - LICENSE.txt
 files:
+- ".github/CODEOWNERS"
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - CHANGELOG.md
@@ -139,6 +140,7 @@ files:
 - lib/http/cookie.rb
 - lib/http/cookie/ruby_compat.rb
 - lib/http/cookie/scanner.rb
+- lib/http/cookie/uri_parser.rb
 - lib/http/cookie/version.rb
 - lib/http/cookie_jar.rb
 - lib/http/cookie_jar/abstract_saver.rb
@@ -156,7 +158,7 @@ homepage: https://github.com/sparklemotion/http-cookie
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -171,8 +173,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.14
-signing_key:
+rubygems_version: 3.5.9
+signing_key: 
 specification_version: 4
 summary: A Ruby library to handle HTTP Cookies based on RFC 6265
 test_files: