RubyGems - mechanize - Versions diffs - 2.7.3 → 2.8.0 - Mend

mechanize 2.7.3 → 2.8.0

Potentially problematic release.

This version of mechanize might be problematic. Click here for more details.

Files changed (137) hide show

checksums.yaml +5 -5
data/.github/workflows/ci-test.yml +45 -0
data/.gitignore +15 -0
data/.yardopts +8 -0
data/{CHANGELOG.rdoc → CHANGELOG.md} +149 -62
data/EXAMPLES.rdoc +2 -25
data/Gemfile +3 -0
data/{LICENSE.rdoc → LICENSE.txt} +4 -0
data/README.md +79 -0
data/Rakefile +36 -37
data/examples/{rubyforge.rb → rubygems.rb} +7 -6
data/lib/mechanize.rb +75 -33
data/lib/mechanize/chunked_termination_error.rb +1 -0
data/lib/mechanize/content_type_error.rb +1 -0
data/lib/mechanize/cookie.rb +1 -13
data/lib/mechanize/cookie_jar.rb +4 -12
data/lib/mechanize/directory_saver.rb +15 -2
data/lib/mechanize/download.rb +2 -1
data/lib/mechanize/element_matcher.rb +29 -14
data/lib/mechanize/element_not_found_error.rb +1 -0
data/lib/mechanize/file.rb +2 -1
data/lib/mechanize/file_connection.rb +5 -3
data/lib/mechanize/file_request.rb +1 -0
data/lib/mechanize/file_response.rb +5 -4
data/lib/mechanize/file_saver.rb +1 -0
data/lib/mechanize/form.rb +119 -46
data/lib/mechanize/form/button.rb +1 -0
data/lib/mechanize/form/check_box.rb +1 -0
data/lib/mechanize/form/field.rb +47 -0
data/lib/mechanize/form/file_upload.rb +1 -0
data/lib/mechanize/form/hidden.rb +1 -0
data/lib/mechanize/form/image_button.rb +1 -0
data/lib/mechanize/form/keygen.rb +1 -0
data/lib/mechanize/form/multi_select_list.rb +8 -14
data/lib/mechanize/form/option.rb +3 -1
data/lib/mechanize/form/radio_button.rb +1 -0
data/lib/mechanize/form/reset.rb +1 -0
data/lib/mechanize/form/select_list.rb +1 -0
data/lib/mechanize/form/submit.rb +1 -0
data/lib/mechanize/form/text.rb +1 -0
data/lib/mechanize/form/textarea.rb +1 -0
data/lib/mechanize/headers.rb +1 -0
data/lib/mechanize/history.rb +2 -1
data/lib/mechanize/http.rb +1 -0
data/lib/mechanize/http/agent.rb +115 -64
data/lib/mechanize/http/auth_challenge.rb +1 -0
data/lib/mechanize/http/auth_realm.rb +2 -1
data/lib/mechanize/http/auth_store.rb +3 -0
data/lib/mechanize/http/content_disposition_parser.rb +18 -3
data/lib/mechanize/http/www_authenticate_parser.rb +5 -5
data/lib/mechanize/image.rb +1 -0
data/lib/mechanize/page.rb +166 -55
data/lib/mechanize/page/base.rb +1 -0
data/lib/mechanize/page/frame.rb +4 -1
data/lib/mechanize/page/image.rb +3 -0
data/lib/mechanize/page/label.rb +1 -0
data/lib/mechanize/page/link.rb +13 -1
data/lib/mechanize/page/meta_refresh.rb +1 -0
data/lib/mechanize/parser.rb +4 -3
data/lib/mechanize/pluggable_parsers.rb +14 -1
data/lib/mechanize/prependable.rb +1 -0
data/lib/mechanize/redirect_limit_reached_error.rb +1 -0
data/lib/mechanize/redirect_not_get_or_head_error.rb +1 -0
data/lib/mechanize/response_code_error.rb +2 -1
data/lib/mechanize/response_read_error.rb +1 -0
data/lib/mechanize/robots_disallowed_error.rb +1 -0
data/lib/mechanize/test_case.rb +39 -29
data/lib/mechanize/test_case/bad_chunking_servlet.rb +1 -0
data/lib/mechanize/test_case/basic_auth_servlet.rb +1 -0
data/lib/mechanize/test_case/content_type_servlet.rb +1 -0
data/lib/mechanize/test_case/digest_auth_servlet.rb +1 -0
data/lib/mechanize/test_case/file_upload_servlet.rb +1 -0
data/lib/mechanize/test_case/form_servlet.rb +1 -0
data/lib/mechanize/test_case/gzip_servlet.rb +4 -3
data/lib/mechanize/test_case/header_servlet.rb +1 -0
data/lib/mechanize/test_case/http_refresh_servlet.rb +2 -2
data/lib/mechanize/test_case/infinite_redirect_servlet.rb +1 -0
data/lib/mechanize/test_case/infinite_refresh_servlet.rb +2 -2
data/lib/mechanize/test_case/many_cookies_as_string_servlet.rb +1 -0
data/lib/mechanize/test_case/many_cookies_servlet.rb +1 -0
data/lib/mechanize/test_case/modified_since_servlet.rb +1 -0
data/lib/mechanize/test_case/ntlm_servlet.rb +1 -0
data/lib/mechanize/test_case/one_cookie_no_spaces_servlet.rb +1 -0
data/lib/mechanize/test_case/one_cookie_servlet.rb +1 -0
data/lib/mechanize/test_case/quoted_value_cookie_servlet.rb +1 -0
data/lib/mechanize/test_case/redirect_servlet.rb +1 -0
data/lib/mechanize/test_case/referer_servlet.rb +1 -0
data/lib/mechanize/test_case/refresh_with_empty_url.rb +1 -0
data/lib/mechanize/test_case/refresh_without_url.rb +1 -0
data/lib/mechanize/test_case/response_code_servlet.rb +1 -0
data/lib/mechanize/test_case/robots_txt_servlet.rb +15 -0
data/lib/mechanize/test_case/send_cookies_servlet.rb +1 -0
data/lib/mechanize/test_case/server.rb +1 -0
data/lib/mechanize/test_case/servlets.rb +4 -0
data/lib/mechanize/test_case/verb_servlet.rb +5 -6
data/lib/mechanize/unauthorized_error.rb +2 -1
data/lib/mechanize/unsupported_scheme_error.rb +5 -2
data/lib/mechanize/util.rb +90 -43
data/lib/mechanize/version.rb +4 -0
data/lib/mechanize/xml_file.rb +1 -0
data/mechanize.gemspec +69 -0
data/test/htdocs/dir with spaces/foo.html +1 -0
data/test/htdocs/find_link.html +1 -4
data/test/htdocs/tc_links.html +1 -1
data/test/test_mechanize.rb +111 -55
data/test/test_mechanize_cookie.rb +75 -60
data/test/test_mechanize_cookie_jar.rb +112 -59
data/test/test_mechanize_download.rb +13 -1
data/test/test_mechanize_file.rb +10 -0
data/test/test_mechanize_file_connection.rb +21 -3
data/test/test_mechanize_file_response.rb +26 -2
data/test/test_mechanize_form.rb +46 -11
data/test/test_mechanize_form_check_box.rb +10 -0
data/test/test_mechanize_form_encoding.rb +3 -8
data/test/test_mechanize_form_keygen.rb +1 -0
data/test/test_mechanize_form_multi_select_list.rb +5 -1
data/test/test_mechanize_http_agent.rb +175 -18
data/test/test_mechanize_http_auth_challenge.rb +14 -0
data/test/test_mechanize_http_auth_realm.rb +7 -1
data/test/test_mechanize_http_auth_store.rb +37 -0
data/test/test_mechanize_http_content_disposition_parser.rb +35 -1
data/test/test_mechanize_http_www_authenticate_parser.rb +24 -0
data/test/test_mechanize_link.rb +60 -4
data/test/test_mechanize_page.rb +82 -7
data/test/test_mechanize_page_encoding.rb +2 -3
data/test/test_mechanize_page_image.rb +1 -1
data/test/test_mechanize_page_link.rb +20 -5
data/test/test_mechanize_page_meta_refresh.rb +1 -1
data/test/test_mechanize_parser.rb +12 -2
data/test/test_mechanize_util.rb +46 -11
metadata +198 -99
data/.gemtest +0 -0
data/.travis.yml +0 -26
data/Manifest.txt +0 -205
data/README.rdoc +0 -83
data/lib/mechanize/monkey_patch.rb +0 -17
data/test/htdocs/robots.txt +0 -2

data/test/test_mechanize_download.rb CHANGED Viewed

@@ -46,6 +46,19 @@ class TestMechanizeDownload < Mechanize::TestCase
     end
   end
+  def test_save_bang_does_not_allow_command_injection
+    skip if windows?
+    uri = URI.parse 'http://example/foo.html'
+    body_io = StringIO.new '0123456789'
+    download = @parser.new uri, nil, body_io
+    in_tmpdir do
+      download.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
   def test_save_tempfile
     uri = URI.parse 'http://example/foo.html'
     Tempfile.open @NAME do |body_io|
@@ -84,6 +97,5 @@ class TestMechanizeDownload < Mechanize::TestCase
     assert_equal "foo.html", download.filename
   end
 end

data/test/test_mechanize_file.rb CHANGED Viewed

@@ -103,5 +103,15 @@ class TestMechanizeFile < Mechanize::TestCase
     end
   end
+  def test_save_bang_does_not_allow_command_injection
+    skip if windows?
+    uri = URI 'http://example/test.html'
+    page = Mechanize::File.new uri, nil, ''
+    in_tmpdir do
+      page.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
 end

data/test/test_mechanize_file_connection.rb CHANGED Viewed

@@ -3,19 +3,37 @@ require 'mechanize/test_case'
 class TestMechanizeFileConnection < Mechanize::TestCase
   def test_request
-    uri = URI.parse "file://#{File.expand_path __FILE__}"
+    file_path = File.expand_path(__FILE__)
+    uri = URI.parse "file://#{file_path}"
     conn = Mechanize::FileConnection.new
     body = ''
     conn.request uri, nil do |response|
+      assert_equal(file_path, response.file_path)
       response.read_body do |part|
         body << part
       end
     end
-    assert_equal File.read(__FILE__), body
+    assert_equal File.read(__FILE__), body.gsub(/\r\n/, "\n")
   end
-end
+  def test_request_on_uri_with_windows_drive
+    uri_string = "file://C:/path/to/file.html"
+    expected_file_path = "C:/path/to/file.html"
+    uri = URI.parse(uri_string)
+    conn = Mechanize::FileConnection.new
+    called = false
+    yielded_file_path = nil
+    conn.request(uri, nil) do |response|
+      called = true
+      yielded_file_path = response.file_path
+    end
+    assert(called)
+    assert_equal(expected_file_path, yielded_file_path)
+  end
+end

data/test/test_mechanize_file_response.rb CHANGED Viewed

@@ -1,11 +1,15 @@
 require 'mechanize/test_case'
 class TestMechanizeFileResponse < Mechanize::TestCase
+  def test_file_path
+    res = Mechanize::FileResponse.new("/path/to/foo.html")
+    assert_equal("/path/to/foo.html", res.file_path)
+  end
   def test_content_type
     Tempfile.open %w[pi .nothtml] do |tempfile|
       res = Mechanize::FileResponse.new tempfile.path
-      assert_equal nil, res['content-type']
+      assert_nil res['content-type']
     end
     Tempfile.open %w[pi .xhtml] do |tempfile|
@@ -19,5 +23,25 @@ class TestMechanizeFileResponse < Mechanize::TestCase
     end
   end
-end
+  def test_read_body
+    Tempfile.open %w[pi .html] do |tempfile|
+      tempfile.write("asdfasdfasdf")
+      tempfile.close
+      res = Mechanize::FileResponse.new(tempfile.path)
+      res.read_body do |input|
+        assert_equal("asdfasdfasdf", input)
+      end
+    end
+  end
+  def test_read_body_does_not_allow_command_injection
+    skip if windows?
+    in_tmpdir do
+      FileUtils.touch('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      res = Mechanize::FileResponse.new('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      res.read_body { |_| }
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+end

data/test/test_mechanize_form.rb CHANGED Viewed

@@ -65,6 +65,18 @@ class TestMechanizeForm < Mechanize::TestCase
     assert query.all? { |x| x[1] == '' }
   end
+  def test_build_query_blank_input_name
+    html = Nokogiri::HTML <<-HTML
+<form>
+  <input type="text" name="" value="foo" />
+</form>
+    HTML
+    form = Mechanize::Form.new html.at('form'), @mech, @page
+    assert_equal [], form.build_query
+  end
   def test_build_query_radio_button_duplicate
     html = Nokogiri::HTML <<-HTML
 <form>
@@ -214,7 +226,7 @@ class TestMechanizeForm < Mechanize::TestCase
     @form['name'] = 'Aaron'
-    assert @form.has_field?('name')
+    assert_equal true, @form.has_field?('name')
   end
   def test_has_value_eh
@@ -222,7 +234,7 @@ class TestMechanizeForm < Mechanize::TestCase
     @form['name'] = 'Aaron'
-    assert @form.has_value?('Aaron')
+    assert_equal true, @form.has_value?('Aaron')
   end
   def test_keys
@@ -651,6 +663,25 @@ class TestMechanizeForm < Mechanize::TestCase
            "Image button missing")
   end
+  def test_reset
+    page = @mech.get("http://localhost/form_test.html")
+    get_form = page.forms.find { |f| f.name == "get_form1" }
+    image_button = get_form.buttons.first
+    submit_button = get_form.submits.first
+    new_page = @mech.submit(get_form, submit_button)
+    assert_equal "http://localhost/form_post?first_name=", new_page.uri.to_s
+    new_page = @mech.submit(get_form, image_button)
+    assert_equal "http://localhost/form_post?first_name=&button.x=0&button.y=0", new_page.uri.to_s
+    get_form.reset
+    new_page = @mech.submit(get_form, submit_button)
+    assert_equal "http://localhost/form_post?first_name=", new_page.uri.to_s
+  end
   def test_post_with_space_in_action
     page = @mech.get("http://localhost/form_test.html")
     post_form = page.forms.find { |f| f.name == "post_form2" }
@@ -844,15 +875,19 @@ class TestMechanizeForm < Mechanize::TestCase
   def test_form_and_fields_dom_id
     # blatant copypasta of test above
     page = @mech.get("http://localhost/form_test.html")
-    form = page.form_with(:dom_id => 'generic_form')
-    form_by_id = page.form_with(:id => 'generic_form')
+    form = page.form_with(dom_id: 'generic_form')
+    assert_equal(1, form.fields_with(dom_id: 'name_first').length)
+    assert_equal('first_name', form.field_with(dom_id: 'name_first').name)
-    assert_equal(1, form.fields_with(:dom_id => 'name_first').length)
-    assert_equal('first_name', form.field_with(:dom_id => 'name_first').name)
+    assert_equal(form, page.form_with(id: 'generic_form'))
+    assert_equal(form, page.form_with(css: '#generic_form'))
-    #  *_with(:id => blah) should work exactly like (:dom_id => blah)
-    assert_equal(form, form_by_id)
-    assert_equal(form.fields_with(:dom_id => 'name_first'), form.fields_with(:id => 'name_first'))
+    fields_by_dom_id = form.fields_with(dom_id: 'name_first')
+    assert_equal(fields_by_dom_id, form.fields_with(id: 'name_first'))
+    assert_equal(fields_by_dom_id, form.fields_with(css: '#name_first'))
+    assert_equal(fields_by_dom_id, form.fields_with(xpath: '//*[@id="name_first"]'))
+    assert_equal(fields_by_dom_id, form.fields_with(search: '//*[@id="name_first"]'))
   end
   def test_form_and_fields_dom_class
@@ -895,9 +930,9 @@ class TestMechanizeForm < Mechanize::TestCase
     page = @mech.get("http://localhost/form_multival.html")
     form = page.form_with(:name => 'post_form')
-    assert(!form.has_field?('intarweb'))
+    assert_equal false, form.has_field?('intarweb')
     assert form.add_field!('intarweb')
-    assert(form.has_field?('intarweb'))
+    assert_equal true, form.has_field?('intarweb')
   end
   def test_fill_unexisting_form

data/test/test_mechanize_form_check_box.rb CHANGED Viewed

@@ -8,6 +8,16 @@ class TestMechanizeFormCheckBox < Mechanize::TestCase
     @page = @mech.get('http://localhost/tc_checkboxes.html')
   end
+  def test_search
+    form = @page.forms.first
+    checkbox = form.checkbox_with(name: 'green')
+    assert_equal('green', checkbox.name)
+    assert_equal(checkbox, form.checkbox_with('green'))
+    assert_equal(checkbox, form.checkbox_with(search: 'input[@type=checkbox][@name=green]'))
+  end
   def test_check
     form = @page.forms.first

data/test/test_mechanize_form_encoding.rb CHANGED Viewed

@@ -8,15 +8,10 @@ class TestMechanizeFormEncoding < Mechanize::TestCase
   INPUTTED_VALUE = "テスト" # "test" in Japanese UTF-8 encoding
   CONTENT_ENCODING = 'Shift_JIS' # one of Japanese encoding
-  encoded_value = "\x83\x65\x83\x58\x83\x67" # "test" in Japanese Shift_JIS encoding
-  encoded_value.force_encoding(::Encoding::SHIFT_JIS) if encoded_value.respond_to?(:force_encoding)
+  encoded_value = "\x83\x65\x83\x58\x83\x67".force_encoding(::Encoding::SHIFT_JIS) # "test" in Japanese Shift_JIS encoding
   EXPECTED_QUERY = "first_name=#{CGI.escape(encoded_value)}&first_name=&gender=&green%5Beggs%5D="
-  if Mechanize::Util::NEW_RUBY_ENCODING
-    ENCODING_ERRORS = [EncodingError, Encoding::ConverterNotFoundError] # and so on
-  else
-    ENCODING_ERRORS = [Iconv::InvalidEncoding, Iconv::IllegalSequence]
-  end
+  ENCODING_ERRORS = [EncodingError, Encoding::ConverterNotFoundError] # and so on
   ENCODING_LOG_MESSAGE = /INFO -- : form encoding: Shift_JIS/
   INVALID_ENCODING = 'UTF-eight'
@@ -72,7 +67,7 @@ class TestMechanizeFormEncoding < Mechanize::TestCase
     node['enctype'] = 'application/x-www-form-urlencoded'
     form = Mechanize::Form.new(node)
-    assert_equal nil, form.encoding
+    assert_nil form.encoding
   end
   def test_post_form_with_form_encoding

data/test/test_mechanize_form_keygen.rb CHANGED Viewed

@@ -22,6 +22,7 @@ class TestMechanizeFormKeygen < Mechanize::TestCase
   end
   def test_spki_signature
+    skip("JRuby PKI doesn't handle this for reasons I've been unable to understand") if RUBY_ENGINE=~/jruby/
     spki = OpenSSL::Netscape::SPKI.new @keygen.value
     assert_equal @keygen.challenge, spki.challenge
     assert_equal @keygen.key.public_key.to_pem, spki.public_key.to_pem

data/test/test_mechanize_form_multi_select_list.rb CHANGED Viewed

@@ -32,9 +32,13 @@ class TestMechanizeFormMultiSelectList < Mechanize::TestCase
   end
   def test_option_with
-    option = @select.option_with :value => '1'
+    option = @select.option_with value: '1'
     assert_equal '1', option.value
+    option = @select.option_with search: 'option[@selected]'
+    assert_equal '2', option.value
   end
   def test_options_with

data/test/test_mechanize_http_agent.rb CHANGED Viewed

@@ -16,13 +16,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     @res.instance_variable_set :@code, 200
     @res.instance_variable_set :@header, {}
-    @headers = if RUBY_VERSION >= '2.0.0' then
-                 %w[accept accept-encoding user-agent]
-               elsif RUBY_VERSION >= '1.9.0' then
-                 %w[accept user-agent]
-               else
-                 %w[accept]
-               end
+    @headers = %w[accept accept-encoding user-agent]
   end
   def auth_realm uri, scheme, type
@@ -33,6 +27,16 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     realm
   end
+  def jruby_zlib?
+    if RUBY_ENGINE == 'jruby'
+      meth = caller[0][/`(\w+)/, 1]
+      warn "#{meth}: skipped because how Zlib handles error is different in JRuby"
+      true
+    else
+      false
+    end
+  end
   def test_agent_is_named
     assert_equal 'mechanize', Mechanize::HTTP::Agent.new.http.name
     assert_equal 'unique', Mechanize::HTTP::Agent.new('unique').http.name
@@ -197,7 +201,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     page = @agent.fetch uri
-    assert_equal File.read(foo), page.body
+    assert_equal File.read(foo), page.body.gsub(/\r\n/, "\n")
     assert_kind_of Mechanize::Page, page
   end
@@ -494,6 +498,12 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_match %r%^Digest %, @req['Authorization']
     assert_match %r%qop=auth%, @req['Authorization']
+    @req['Authorization'] = nil
+    @agent.request_auth @req, @uri
+    assert_match %r%^Digest %, @req['Authorization']
+    assert_match %r%qop=auth%, @req['Authorization']
   end
   def test_request_auth_iis_digest
@@ -668,6 +678,14 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_equal 'absolute URL needed (not google)', e.message
   end
+  def test_resolve_uri_without_path
+    e = assert_raises ArgumentError do
+      @agent.resolve 'http:%5C%5Cfoo'
+    end
+    assert_equal 'hierarchical URL needed (not http:%5C%5Cfoo)', e.message
+  end
   def test_resolve_utf8
     uri = 'http://example?q=ü'
@@ -913,6 +931,8 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     body_io = StringIO.new \
       "\037\213\b\0002\002\225M\000\003+H,*\001"
+    skip if jruby_zlib?
     e = assert_raises Mechanize::Error do
       @agent.response_content_encoding @res, body_io
     end
@@ -944,6 +964,8 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert body_io.closed?
     assert_match %r%invalid compressed data -- crc error%, log.string
+  rescue IOError
+    raise unless jruby_zlib?
   end
   def test_response_content_encoding_gzip_checksum_corrupt_length
@@ -960,6 +982,8 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert body_io.closed?
     assert_match %r%invalid compressed data -- length error%, log.string
+  rescue IOError
+    raise unless jruby_zlib?
   end
   def test_response_content_encoding_gzip_checksum_truncated
@@ -976,6 +1000,8 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert body_io.closed?
     assert_match %r%unable to gunzip response: footer is not found%, log.string
+  rescue IOError
+    raise unless jruby_zlib?
   end
   def test_response_content_encoding_gzip_empty
@@ -1015,6 +1041,8 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_equal 'part', body.read
     assert body_io.closed?
+  rescue IOError
+    raise unless jruby_zlib?
   end
   def test_response_content_encoding_none
@@ -1033,6 +1061,14 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_equal 'part', body.read
   end
+  def test_response_content_encoding_identity
+    @res.instance_variable_set :@header, 'content-encoding' => %w[identity]
+    body = @agent.response_content_encoding @res, StringIO.new('part')
+    assert_equal 'part', body.read
+  end
   def test_response_content_encoding_tempfile_7_bit
     body_io = tempfile 'part'
@@ -1193,6 +1229,24 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     end
   end
+  def test_response_meta_refresh_with_insecure_url
+    uri = URI.parse 'http://example/#id+1'
+    body = <<-BODY
+<title></title>
+<meta http-equiv="refresh" content="0; url=file:///dev/zero">
+    BODY
+    page = Mechanize::Page.new(uri, nil, body, 200, @mech)
+    @agent.follow_meta_refresh = true
+    assert_raises Mechanize::Error do
+      @agent.response_follow_meta_refresh(@res, uri, page,
+                                          @agent.redirection_limit)
+    end
+  end
   def test_response_parse
     body = '<title>hi</title>'
     @res.instance_variable_set :@header, 'content-type' => %w[text/html]
@@ -1288,7 +1342,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     body = io.read
     assert_equal 'part', body
-    assert_equal Encoding::BINARY, body.encoding if body.respond_to? :encoding
+    assert_equal Encoding::BINARY, body.encoding
   end
   def test_response_read_chunked_no_trailer
@@ -1368,17 +1422,15 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
       io = @agent.response_read res, req, uri
-      expected = "π\n"
-      expected.force_encoding Encoding::BINARY if expected.respond_to? :encoding
+      expected = "π\n".force_encoding(Encoding::BINARY)
       # Ruby 1.8.7 doesn't let us set the write mode of the tempfile to binary,
       # so we should expect an inserted carriage return on some platforms
-      expected_with_carriage_return = "π\r\n"
-      expected_with_carriage_return.force_encoding Encoding::BINARY if expected_with_carriage_return.respond_to? :encoding
+      expected_with_carriage_return = "π\r\n".force_encoding(Encoding::BINARY)
       body = io.read
       assert_match(/^(#{expected}|#{expected_with_carriage_return})$/m, body)
-      assert_equal Encoding::BINARY, body.encoding if body.respond_to? :encoding
+      assert_equal Encoding::BINARY, body.encoding
     end
   end
@@ -1452,7 +1504,8 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     headers = {
       'Range' => 'bytes=0-9999',
       'Content-Type' => 'application/x-www-form-urlencoded',
-      'Content-Length' => '9999',
+      'CONTENT-LENGTH' => '9999',
+      'content-md5' => '14758f1afd44c09b7992073ccf00b43d',
     }
     page = fake_page
@@ -1464,6 +1517,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_match 'range|bytes=0-9999', page.body
     refute_match 'content-type|application/x-www-form-urlencoded', page.body
     refute_match 'content-length|9999', page.body
+    refute_match 'content-md5|14758f1afd44c09b7992073ccf00b43d', page.body
   end
   def test_response_redirect_malformed
@@ -1479,6 +1533,16 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_equal 'http://example/referer', requests.first['Referer']
   end
+  def test_response_redirect_insecure
+    @agent.redirect_ok = true
+    referer = page 'http://example/referer'
+    assert_raises Mechanize::Error do
+      @agent.response_redirect({ 'Location' => 'file:///etc/passwd' }, :get,
+                               fake_page, 0, {}, referer)
+    end
+  end
   def test_response_redirect_limit
     @agent.redirect_ok = true
     referer = page 'http://example/referer'
@@ -1489,6 +1553,48 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     end
   end
+  def test_response_redirect_to_cross_site_with_credential
+    @agent.redirect_ok = true
+    headers = {
+      'Range' => 'bytes=0-9999',
+      'AUTHORIZATION' => 'Basic xxx',
+      'cookie' => 'name=value',
+    }
+    page = html_page ''
+    page = @agent.response_redirect({ 'Location' => 'http://trap/http_headers' }, :get,
+                                    page, 0, headers)
+    refute_includes(headers.keys, "AUTHORIZATION")
+    refute_includes(headers.keys, "cookie")
+    assert_match 'range|bytes=0-9999', page.body
+    refute_match("authorization|Basic xxx", page.body)
+    refute_match("cookie|name=value", page.body)
+  end
+  def test_response_redirect_to_same_site_with_credential
+    @agent.redirect_ok = true
+    headers = {
+      'Range' => 'bytes=0-9999',
+      'AUTHORIZATION' => 'Basic xxx',
+      'cookie' => 'name=value',
+    }
+    page = html_page ''
+    page = @agent.response_redirect({ 'Location' => '/http_headers' }, :get,
+                                    page, 0, headers)
+    assert_includes(headers.keys, "AUTHORIZATION")
+    assert_includes(headers.keys, "cookie")
+    assert_match 'range|bytes=0-9999', page.body
+    assert_match("authorization|Basic xxx", page.body)
+    assert_match("cookie|name=value", page.body)
+  end
   def test_response_redirect_not_ok
     @agent.redirect_ok = false
@@ -1524,6 +1630,11 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
   def test_retry_change_request_equals
+    unless Gem::Requirement.new("< 4.0.0").satisfied_by?(Gem::Version.new(Net::HTTP::Persistent::VERSION))
+      # see https://github.com/drbrain/net-http-persistent/pull/100
+      skip("net-http-persistent 4.0.0 and later does not support retry_change_requests")
+    end
     refute @agent.http.retry_change_requests
     @agent.retry_change_requests = true
@@ -1554,6 +1665,17 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     end
   end
+  def test_robots_infinite_loop
+    @agent.robots = true
+    @agent.redirect_ok = true
+    assert_raises Mechanize::RobotsDisallowedError do
+      @agent.fetch URI('http://301/norobots.html')
+    end
+    @agent.fetch URI('http://301/robots.html')
+  end
   def test_set_proxy
     @agent.set_proxy 'www.example.com', 9001, 'joe', 'lol'
@@ -1589,6 +1711,42 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_equal 'invalid value for port: "nonexistent service"', e.message
   end
+  def test_set_proxy_with_scheme
+    @agent.set_proxy 'http://www.example.com', 9001, 'joe', 'lol'
+    assert_equal @agent.proxy_uri.host,     'www.example.com'
+    assert_equal @agent.proxy_uri.port,     9001
+    assert_equal @agent.proxy_uri.user,     'joe'
+    assert_equal @agent.proxy_uri.password, 'lol'
+  end
+  def test_set_proxy_url
+    @agent.set_proxy 'http://joe:lol@www.example.com:9001'
+    assert_equal @agent.proxy_uri.host,     'www.example.com'
+    assert_equal @agent.proxy_uri.port,     9001
+    assert_equal @agent.proxy_uri.user,     'joe'
+    assert_equal @agent.proxy_uri.password, 'lol'
+  end
+  def test_set_proxy_uri
+    @agent.set_proxy URI('http://joe:lol@www.example.com:9001')
+    assert_equal @agent.proxy_uri.host,     'www.example.com'
+    assert_equal @agent.proxy_uri.port,     9001
+    assert_equal @agent.proxy_uri.user,     'joe'
+    assert_equal @agent.proxy_uri.password, 'lol'
+  end
+  def test_set_proxy_url_and_credentials
+    @agent.set_proxy 'http://www.example.com:9001', nil, 'joe', 'lol'
+    assert_equal @agent.proxy_uri.host,     'www.example.com'
+    assert_equal @agent.proxy_uri.port,     9001
+    assert_equal @agent.proxy_uri.user,     'joe'
+    assert_equal @agent.proxy_uri.password, 'lol'
+  end
   def test_setting_agent_name
     mech = Mechanize.new 'user-set-name'
     assert_equal 'user-set-name', mech.agent.http.name
@@ -1601,7 +1759,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
       @agent.cert_store = store
       @agent.certificate = ssl_certificate
       @agent.private_key = ssl_private_key
-      @agent.ssl_version = 'SSLv3' if RUBY_VERSION > '1.9'
+      @agent.ssl_version = 'SSLv3'
       @agent.verify_callback = proc { |ok, context| }
       http = @agent.http
@@ -1610,8 +1768,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
       assert_equal store,                     http.cert_store
       assert_equal ssl_certificate,           http.certificate
       assert_equal ssl_private_key,           http.private_key
-      assert_equal 'SSLv3',                   http.ssl_version if
-        RUBY_VERSION > '1.9'
+      assert_equal 'SSLv3',                   http.ssl_version
       assert_equal OpenSSL::SSL::VERIFY_PEER, http.verify_mode
       assert http.verify_callback
     end