icalendar 2.12.1 → 2.12.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c581285bbacae9839202046bea20f80be28315865013f9f59e50851fbbed7a34
-  data.tar.gz: 8be871aab3ba233a56a6442783f6a32cbf138ae145fc777bed68fdf4beff0826
+  metadata.gz: ad06e861392ab70f0e800ac4f2a6b81f019aaf3548a35e513f02bcc975968b86
+  data.tar.gz: 16562bdeae817fc8afd4e0b6de7090a42c0b095cb56640d5b9183cfb3a07bb74
 SHA512:
-  metadata.gz: e847fc2a27df55033006bfc9b9d1572563a9a9bafc8cf286959e82e4a47f0c64fcda9a7b7470e37031e635a1e9b086eda769b75108a02e020782c1683fad763e
-  data.tar.gz: 3a8f8503ace1467d352d586ede3e4c8c91b7ab5d1fec5271c5add7658014a1cc61fc4b2f2ec32b09d481746ff14139fb83b7d14f63b23526056b183bb9133de6
+  metadata.gz: 927cd1536b413039b75f4c2a100ca169bb17897c10754b4806762d341aaa4b7800fc93e7bc81566681a678a853fefc0d54fad5fdd0316c10f0245f91864d2faf
+  data.tar.gz: 5d9c09347062a5dd73ad23cd75905c5508b8a72ce0447241ee282fa6bbcc7d259e4a26309fc90af718f14f14b18ca78403bc849898b42147c5368ae6edb21d13

data/CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Unreleased
 
+## 2.12.2 - 2026-03-21
+- Fix a potential property injection issue through escaping control characters in URI values - Wes Ring
+
 ## 2.12.1 - 2025-10-19
 - Fix a problem with invalid ics generation for calendars with custom properties that include a `tzid` parameter.
 

data/lib/icalendar/values/uri.rb

@@ -6,6 +6,7 @@ module Icalendar
   module Values
 
     class Uri < Value
+      CONTROL_BYTES_REGEX = /[\x00-\x1F\x7F]/.freeze
 
       def initialize(value, *args)
         parsed = URI.parse(value) rescue value
@@ -13,7 +14,7 @@ module Icalendar
       end
 
       def value_ical
-        value.to_s
+        value.to_s.gsub(CONTROL_BYTES_REGEX) { |char| "%%%02X" % char.ord }
       end
     end
 

data/lib/icalendar/version.rb

@@ -2,6 +2,6 @@
 
 module Icalendar
 
-  VERSION = '2.12.1'
+  VERSION = '2.12.2'
 
 end

data/spec/values/uri_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe Icalendar::Values::Uri do
+  describe '#value_ical' do
+    it 'percent-encodes CRLF to prevent content-line injection' do
+      value = described_class.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
+
+      expect(value.value_ical).to eq('https://a.example/ok%0D%0AATTENDEE:mailto:evil@example.com')
+    end
+
+    it 'percent-encodes the full ASCII control range' do
+      raw = "https://example.com/a\tb\f#{0.chr}#{127.chr}"
+      value = described_class.new(raw)
+
+      expect(value.value_ical).to eq('https://example.com/a%09b%0C%00%7F')
+    end
+
+    it 'leaves valid printable URI characters unchanged' do
+      raw = 'https://example.com/a-path?q=one%20two&x=@tag#frag'
+      value = described_class.new(raw)
+
+      expect(value.value_ical).to eq(raw)
+    end
+  end
+
+  describe '#to_ical' do
+    it 'serializes injected CRLF on the same content line' do
+      value = described_class.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
+
+      expect(value.to_ical(Icalendar::Values::Text)).to eq(
+        ';VALUE=URI:https://a.example/ok%0D%0AATTENDEE:mailto:evil@example.com'
+      )
+    end
+  end
+end
+
+describe Icalendar::Values::CalAddress do
+  it 'inherits URI control-byte encoding' do
+    value = described_class.new("mailto:user@example.com\r\nORGANIZER:mailto:evil@example.com")
+
+    expect(value.value_ical).to eq('mailto:user@example.com%0D%0AORGANIZER:mailto:evil@example.com')
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: icalendar
 version: !ruby/object:Gem::Version
-  version: 2.12.1
+  version: 2.12.2
 platform: ruby
 authors:
 - Ryan Ahearn
@@ -292,6 +292,7 @@ files:
 - spec/values/period_spec.rb
 - spec/values/recur_spec.rb
 - spec/values/text_spec.rb
+- spec/values/uri_spec.rb
 - spec/values/utc_offset_spec.rb
 homepage: https://github.com/icalendar/icalendar
 licenses:
@@ -361,4 +362,5 @@ test_files:
 - spec/values/period_spec.rb
 - spec/values/recur_spec.rb
 - spec/values/text_spec.rb
+- spec/values/uri_spec.rb
 - spec/values/utc_offset_spec.rb