mechanize 2.7.6 → 2.7.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7e684f2f1ceb7fca81909282b30a28c04272caef
-  data.tar.gz: c08ef7e0f2aefd788f9808175afb4f97bce60b3f
+SHA256:
+  metadata.gz: feff4acdf05edc4c615ab91f9ab0b7abfd1987dbd998ed07a36489189594edf2
+  data.tar.gz: efce735d57a4b2259f30a630829f432f270e3aa353fb9d4f5ad032df06387e84
 SHA512:
-  metadata.gz: fed2bde694313e6ddae6d44bbbf0ac90aa6b651ab7027628125b2095b33a73dc3fdaf8481335197ab0cf9cbea7c9dfa9396f4e3c4199cdc3563f76b20728f18c
-  data.tar.gz: a547f0f8d1c6f8d0b7c8ff580e487b64b79fbec3cca64a514407243529248e6892f66d9af746bc6c429458750e7b5782510cb3e8180f8464f08c8c0c0c0351b9
+  metadata.gz: f83a08c469e67045f58f3f3685cb17618db889dd85d1b7f2e56da1c9ae7744f36815a1f811f09bd99614c529b42f2038100a64fb06cdee1569d43bb831ea3fae
+  data.tar.gz: c01289d967e87c40e0936c2f973847da696bc92d9255a5c5f20099ff795ce57430f45a631a02a9395cfe7066e27731ec040a879fd255468b43cf9a1b5149c3eb

data/.github/workflows/ci-test.yml

@@ -0,0 +1,25 @@
+name: "ci"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ "*" ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ["2.3", "2.4", "2.5", "2.6", "2.7", "3.0", "jruby"]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rake

data/CHANGELOG.rdoc

@@ -1,5 +1,32 @@
 = Mechanize CHANGELOG
 
+=== 2.7.7 / 2021-02-01
+
+* Security fixes for CVE-2021-21289
+
+  Mechanize `>= v2.0`, `< v2.7.7` allows for OS commands to be injected into several classes'
+  methods via implicit use of Ruby's `Kernel.open` method. Exploitation is possible only if
+  untrusted input is used as a local filename and passed to any of these calls:
+
+  - `Mechanize::CookieJar#load`: since v2.0 (see 208e3ed)
+  - `Mechanize::CookieJar#save_as`: since v2.0 (see 5b776a4)
+  - `Mechanize#download`: since v2.2 (see dc91667)
+  - `Mechanize::Download#save` and `#save!` since v2.1 (see 98b2f51, bd62ff0)
+  - `Mechanize::File#save` and `#save_as`: since v2.1 (see 2bf7519)
+  - `Mechanize::FileResponse#read_body`: since v2.0 (see 01039f5)
+
+  See https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g for more
+  information.
+
+  Also see #547, #548. Thank you, @kyoshidajp!
+
+* New Features
+  * Support for Ruby 3.0 by adding `webrick` as a runtime dependency. (#557) @pvalena
+
+* Bug fix
+  * Ignore input fields with blank names (#542, #536)
+
+
 === 2.7.6
 
 * New Features

data/EXAMPLES.rdoc

@@ -24,29 +24,6 @@ example, <code>do ... end.submit</code> is the same as <code>{ ...
     end
   end
 
-== Rubyforge
-
-  require 'rubygems'
-  require 'mechanize'
-
-  a = Mechanize.new
-  a.get('http://rubyforge.org/') do |page|
-    # Click the login link
-    login_page = a.click(page.link_with(:text => /Log In/))
-
-    # Submit the login form
-    my_page = login_page.form_with(:action => '/account/login.php') do |f|
-      f.form_loginname  = ARGV[0]
-      f.form_pw         = ARGV[1]
-    end.click_button
-
-    my_page.links.each do |link|
-      text = link.text.strip
-      next unless text.length > 0
-      puts text
-    end
-  end
-
 == File Upload
 
 Upload a file to flickr.
@@ -129,7 +106,7 @@ This example also demonstrates subclassing Mechanize.
 
   class TestMech < Mechanize
     def process
-      get 'http://rubyforge.org/'
+      get 'http://rubygems.org/'
       search_form = page.forms.first
       search_form.words = 'WWW'
       submit search_form

data/Gemfile

@@ -1,6 +1,8 @@
 source 'https://rubygems.org'
 
-# In order to be able to install on 1.9.3 and 2.0.0
-ruby RUBY_VERSION
+gem "rake"
+gem "bundler"
+gem "rdoc"
+gem "minitest"
 
 gemspec

data/README.rdoc

@@ -48,7 +48,7 @@ Copyright (c) 2005 by Michael Neumann (mneumann@ntecs.de)
 
 Copyright (c) 2006-2011:
 
-* {Aaron Patterson}[http://tenderlovemaking.com] (aaronp@rubyforge.org)
+* {Aaron Patterson}[http://tenderlovemaking.com] (aaron.patterson@gmail.com)
 * {Mike Dalessio}[http://mike.daless.io] (mike@csa.net)
 
 Copyright (c) 2011-2015:

data/examples/rubygems.rb

@@ -1,4 +1,4 @@
-# This example logs a user in to rubyforge and prints out the body of the
+# This example logs a user in to rubygems and prints out the body of the
 # page after logging the user in.
 require 'rubygems'
 require 'mechanize'
@@ -9,7 +9,7 @@ mech = Mechanize.new
 mech.log = Logger.new $stderr
 mech.agent.http.debug_output = $stderr
 
-# Load the rubyforge website
+# Load the rubygems website
 page = mech.get('https://rubygems.org/')
 page = mech.click page.link_with(:text => /Sign in/) # Click the login link
 form = page.forms[1] # Select the first form

data/lib/mechanize.rb

@@ -175,7 +175,7 @@ class Mechanize
   # as SSL parameters or proxies:
   #
   #   agent = Mechanize.new do |a|
-  #     a.proxy_host = 'proxy.example'
+  #     a.proxy_addr = 'proxy.example'
   #     a.proxy_port = 8080
   #   end
   #
@@ -396,7 +396,7 @@ class Mechanize
     io = if io_or_filename.respond_to? :write then
            io_or_filename
          else
-           open io_or_filename, 'wb'
+           ::File.open(io_or_filename, 'wb')
          end
 
     case page

data/lib/mechanize/cookie_jar.rb

@@ -65,7 +65,7 @@ class Mechanize
   class CookieJar < ::HTTP::CookieJar
     def save(output, *options)
       output.respond_to?(:write) or
-        return open(output, 'w') { |io| save(io, *options) }
+        return ::File.open(output, 'w') { |io| save(io, *options) }
 
       opthash = {
         :format => :yaml,
@@ -119,7 +119,7 @@ class Mechanize
 
     def load(input, *options)
       input.respond_to?(:write) or
-        return open(input, 'r') { |io| load(io, *options) }
+        return ::File.open(input, 'r') { |io| load(io, *options) }
 
       opthash = {
         :format => :yaml,

data/lib/mechanize/download.rb

@@ -71,7 +71,7 @@ class Mechanize::Download
     dirname = File.dirname filename
     FileUtils.mkdir_p dirname
 
-    open filename, 'wb' do |io|
+    ::File.open(filename, 'wb')do |io|
       until @body_io.eof? do
         io.write @body_io.read 16384
       end

data/lib/mechanize/file.rb

@@ -82,7 +82,7 @@ class Mechanize::File
     dirname = File.dirname filename
     FileUtils.mkdir_p dirname
 
-    open filename, 'wb' do |f|
+    ::File.open(filename, 'wb')do |f|
       f.write body
     end
 

data/lib/mechanize/file_response.rb

@@ -15,7 +15,7 @@ class Mechanize::FileResponse
     if directory?
       yield dir_body
     else
-      open @file_path, 'rb' do |io|
+      ::File.open(@file_path, 'rb') do |io|
         yield io.read
       end
     end

data/lib/mechanize/form.rb

@@ -305,7 +305,7 @@ class Mechanize::Form
     successful_controls = []
 
     (fields + checkboxes).reject do |f|
-      f.node["disabled"]
+      f.node["disabled"] || f.node["name"] == ""
     end.sort.each do |f|
       case f
       when Mechanize::Form::CheckBox

data/lib/mechanize/test_case.rb

@@ -230,9 +230,9 @@ class Net::HTTP # :nodoc:
     else
       filename = "htdocs#{path.gsub(/[^\/\\.\w\s]/, '_')}"
       unless PAGE_CACHE[filename]
-        open("#{Mechanize::TestCase::TEST_DIR}/#{filename}", 'rb') { |io|
+        ::File.open("#{Mechanize::TestCase::TEST_DIR}/#{filename}", 'rb') do |io|
           PAGE_CACHE[filename] = io.read
-        }
+        end
       end
 
       res.body = PAGE_CACHE[filename]

data/lib/mechanize/test_case/gzip_servlet.rb

@@ -13,8 +13,8 @@ class GzipServlet < WEBrick::HTTPServlet::AbstractServlet
     end
 
     if name = req.query['file'] then
-      open "#{TEST_DIR}/htdocs/#{name}" do |io|
-        string = ""
+      ::File.open("#{TEST_DIR}/htdocs/#{name}") do |io|
+        string = String.new
         zipped = StringIO.new string, 'w'
         Zlib::GzipWriter.wrap zipped do |gz|
           gz.write io.read
@@ -22,7 +22,7 @@ class GzipServlet < WEBrick::HTTPServlet::AbstractServlet
         res.body = string
       end
     else
-      res.body = ''
+      res.body = String.new
     end
 
     res['Content-Encoding'] = req['X-ResponseContentEncoding'] || 'gzip'

data/lib/mechanize/test_case/verb_servlet.rb

@@ -1,11 +1,9 @@
 class VerbServlet < WEBrick::HTTPServlet::AbstractServlet
   %w[HEAD GET POST PUT DELETE].each do |verb|
-    eval <<-METHOD
-      def do_#{verb}(req, res)
-        res.header['X-Request-Method'] = #{verb.dump}
-        res.body = #{verb.dump}
-      end
-    METHOD
+    define_method "do_#{verb}" do |req, res|
+      res.header['X-Request-Method'] = verb
+      res.body = verb
+    end
   end
 end
 

data/lib/mechanize/version.rb

@@ -1,3 +1,3 @@
 class Mechanize
-  VERSION = "2.7.6"
+  VERSION = "2.7.7"
 end

data/mechanize.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.email =
     [
       'drbrain@segment7.net',
-      'aaronp@rubyforge.org',
+      'aaron.patterson@gmail.com',
       'mike.dalessio@gmail.com',
       'knu@idaemons.org',
       'ljjarvis@gmail.com'
@@ -58,9 +58,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "ntlm-http",            [ ">= 0.1.1", "~> 0.1"   ]
   spec.add_runtime_dependency "webrobots",            [ "< 0.2",    ">= 0.0.9" ]
   spec.add_runtime_dependency "domain_name",          [ ">= 0.5.1", "~> 0.5"   ]
-
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "bundler",  "~> 1.3"
-  spec.add_development_dependency "rdoc",     "~> 4.0"
-  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_runtime_dependency 'webrick', "~> 1.7"
 end

data/test/htdocs/tc_links.html

@@ -7,7 +7,7 @@
     <a href="thing.html" class="thing_link">Thing!</a>
     <a href="thing.html">Ruby <b>Rocks!</b></a>
     <!-- Testing a bug with escaped stuff in links:
-      http://rubyforge.org/pipermail/mechanize-users/2006-September/000002.html
+      http://rubygems.org/pipermail/mechanize-users/2006-September/000002.html
     -->
     <a href="link%20with%20space.html">encoded space</a>
     <a href="link with space.html">not encoded space</a>

data/test/test_mechanize.rb

@@ -345,6 +345,14 @@ but not <a href="/" rel="me nofollow">this</a>!
     end
   end
 
+  def test_download_does_not_allow_command_injection
+    in_tmpdir do
+      @mech.download('http://example', '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+
   def test_get
     uri = URI 'http://localhost'
 
@@ -689,9 +697,7 @@ but not <a href="/" rel="me nofollow">this</a>!
   end
 
   def test_get_space
-    page = nil
-
-    page = @mech.get("http://localhost/tc_bad_links.html ")
+    @mech.get("http://localhost/tc_bad_links.html ")
 
     assert_match(/tc_bad_links.html$/, @mech.history.last.uri.to_s)
 
@@ -1056,6 +1062,11 @@ but not <a href="/" rel="me nofollow">this</a>!
   end
 
   def test_retry_change_requests_equals
+    unless Gem::Requirement.new("< 4.0.0").satisfied_by?(Gem::Version.new(Net::HTTP::Persistent::VERSION))
+      # see https://github.com/drbrain/net-http-persistent/pull/100
+      skip("net-http-persistent 4.0.0 and later does not support retry_change_requests")
+    end
+
     refute @mech.retry_change_requests
 
     @mech.retry_change_requests = true

data/test/test_mechanize_cookie.rb

@@ -141,7 +141,7 @@ class TestMechanizeCookie < Mechanize::TestCase
   def test_parse_date_fail
     url = URI.parse('http://localhost/')
 
-    dates = [ 
+    dates = [
               "20/06/95 21:07",
     ]
 
@@ -290,16 +290,16 @@ class TestMechanizeCookie < Mechanize::TestCase
   end
 
   def test_parse_valid_cookie
-    url = URI.parse('http://rubyforge.org/')
+    url = URI.parse('http://rubygems.org/')
     cookie_params = {}
     cookie_params['expires']   = 'expires=Sun, 27-Sep-2037 00:00:00 GMT'
     cookie_params['path']      = 'path=/'
-    cookie_params['domain']    = 'domain=.rubyforge.org'
+    cookie_params['domain']    = 'domain=.rubygems.org'
     cookie_params['httponly']  = 'HttpOnly'
     cookie_value = '12345%7D=ASDFWEE345%3DASda'
 
     expires = Time.parse('Sun, 27-Sep-2037 00:00:00 GMT')
-    
+
     cookie_params.keys.combine.each do |c|
       cookie_text = "#{cookie_value}; "
       c.each_with_index do |key, idx|
@@ -325,16 +325,16 @@ class TestMechanizeCookie < Mechanize::TestCase
   end
 
   def test_parse_valid_cookie_empty_value
-    url = URI.parse('http://rubyforge.org/')
+    url = URI.parse('http://rubygems.org/')
     cookie_params = {}
     cookie_params['expires']   = 'expires=Sun, 27-Sep-2037 00:00:00 GMT'
     cookie_params['path']      = 'path=/'
-    cookie_params['domain']    = 'domain=.rubyforge.org'
+    cookie_params['domain']    = 'domain=.rubygems.org'
     cookie_params['httponly']  = 'HttpOnly'
     cookie_value = '12345%7D='
 
     expires = Time.parse('Sun, 27-Sep-2037 00:00:00 GMT')
-    
+
     cookie_params.keys.combine.each do |c|
       cookie_text = "#{cookie_value}; "
       c.each_with_index do |key, idx|
@@ -361,16 +361,16 @@ class TestMechanizeCookie < Mechanize::TestCase
 
   # If no path was given, use the one from the URL
   def test_cookie_using_url_path
-    url = URI.parse('http://rubyforge.org/login.php')
+    url = URI.parse('http://rubygems.org/login.php')
     cookie_params = {}
     cookie_params['expires']   = 'expires=Sun, 27-Sep-2037 00:00:00 GMT'
     cookie_params['path']      = 'path=/'
-    cookie_params['domain']    = 'domain=.rubyforge.org'
+    cookie_params['domain']    = 'domain=.rubygems.org'
     cookie_params['httponly']  = 'HttpOnly'
     cookie_value = '12345%7D=ASDFWEE345%3DASda'
 
     expires = Time.parse('Sun, 27-Sep-2037 00:00:00 GMT')
-    
+
     cookie_params.keys.combine.each do |c|
       next if c.find { |k| k == 'path' }
       cookie_text = "#{cookie_value}; "
@@ -398,16 +398,16 @@ class TestMechanizeCookie < Mechanize::TestCase
 
   # Test using secure cookies
   def test_cookie_with_secure
-    url = URI.parse('http://rubyforge.org/')
+    url = URI.parse('http://rubygems.org/')
     cookie_params = {}
     cookie_params['expires']   = 'expires=Sun, 27-Sep-2037 00:00:00 GMT'
     cookie_params['path']      = 'path=/'
-    cookie_params['domain']    = 'domain=.rubyforge.org'
+    cookie_params['domain']    = 'domain=.rubygems.org'
     cookie_params['secure']    = 'secure'
     cookie_value = '12345%7D=ASDFWEE345%3DASda'
 
     expires = Time.parse('Sun, 27-Sep-2037 00:00:00 GMT')
-    
+
     cookie_params.keys.combine.each do |c|
       next unless c.find { |k| k == 'secure' }
       cookie_text = "#{cookie_value}; "
@@ -435,16 +435,16 @@ class TestMechanizeCookie < Mechanize::TestCase
   end
 
   def test_parse_cookie_no_spaces
-    url = URI.parse('http://rubyforge.org/')
+    url = URI.parse('http://rubygems.org/')
     cookie_params = {}
     cookie_params['expires']   = 'expires=Sun, 27-Sep-2037 00:00:00 GMT'
     cookie_params['path']      = 'path=/'
-    cookie_params['domain']    = 'domain=.rubyforge.org'
+    cookie_params['domain']    = 'domain=.rubygems.org'
     cookie_params['httponly']  = 'HttpOnly'
     cookie_value = '12345%7D=ASDFWEE345%3DASda'
 
     expires = Time.parse('Sun, 27-Sep-2037 00:00:00 GMT')
-    
+
     cookie_params.keys.combine.each do |c|
       cookie_text = "#{cookie_value};"
       c.each_with_index do |key, idx|
@@ -511,13 +511,13 @@ class TestMechanizeCookie < Mechanize::TestCase
   end
 
   def test_cookie_httponly
-    url = URI.parse('http://rubyforge.org/')
+    url = URI.parse('http://rubygems.org/')
     cookie_params = {}
     cookie_params['httponly']  = 'HttpOnly'
     cookie_value = '12345%7D=ASDFWEE345%3DASda'
 
     expires = Time.parse('Sun, 27-Sep-2037 00:00:00 GMT')
-    
+
     cookie_params.keys.combine.each do |c|
       cookie_text = "#{cookie_value}; "
       c.each_with_index do |key, idx|
@@ -532,7 +532,7 @@ class TestMechanizeCookie < Mechanize::TestCase
 
       assert_equal(true, cookie.httponly)
 
-      
+
       # if expires was set, make sure we parsed it
       if c.find { |k| k == 'expires' }
         assert_equal(expires, cookie.expires)

data/test/test_mechanize_cookie_jar.rb

@@ -1,4 +1,5 @@
 require 'mechanize/test_case'
+require 'fileutils'
 
 class TestMechanizeCookieJar < Mechanize::TestCase
 
@@ -39,23 +40,23 @@ class TestMechanizeCookieJar < Mechanize::TestCase
       :path     => '/',
       :expires  => Time.now + (10 * 86400),
       :for_domain => true,
-      :domain   => 'rubyforge.org'
+      :domain   => 'rubygems.org'
    }.merge(options)
   end
 
   def test_two_cookies_same_domain_and_name_different_paths
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     cookie = Mechanize::Cookie.new(cookie_values)
     @jar.add(url, cookie)
     @jar.add(url, Mechanize::Cookie.new(cookie_values(:path => '/onetwo')))
 
     assert_equal(1, @jar.cookies(url).length)
-    assert_equal 2, @jar.cookies(URI('http://rubyforge.org/onetwo')).length
+    assert_equal 2, @jar.cookies(URI('http://rubygems.org/onetwo')).length
   end
 
   def test_domain_case
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -63,49 +64,49 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(1, @jar.cookies(url).length)
 
     @jar.add(url, Mechanize::Cookie.new(
-        cookie_values(:domain => 'RuByForge.Org', :name   => 'aaron')))
+        cookie_values(:domain => 'rubygems.Org', :name   => 'aaron')))
 
     assert_equal(2, @jar.cookies(url).length)
 
-    url2 = URI 'http://RuByFoRgE.oRg/'
+    url2 = URI 'http://rubygems.oRg/'
     assert_equal(2, @jar.cookies(url2).length)
   end
 
   def test_host_only
-    url = URI.parse('http://rubyforge.org/')
+    url = URI.parse('http://rubygems.org/')
 
     @jar.add(url, Mechanize::Cookie.new(
-        cookie_values(:domain => 'rubyforge.org', :for_domain => false)))
+        cookie_values(:domain => 'rubygems.org', :for_domain => false)))
 
     assert_equal(1, @jar.cookies(url).length)
 
-    assert_equal(1, @jar.cookies(URI('http://RubyForge.org/')).length)
+    assert_equal(1, @jar.cookies(URI('http://rubygems.org/')).length)
 
-    assert_equal(1, @jar.cookies(URI('https://RubyForge.org/')).length)
+    assert_equal(1, @jar.cookies(URI('https://rubygems.org/')).length)
 
-    assert_equal(0, @jar.cookies(URI('http://www.rubyforge.org/')).length)
+    assert_equal(0, @jar.cookies(URI('http://www.rubygems.org/')).length)
   end
 
   def test_empty_value
     values = cookie_values(:value => "")
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(values)
     @jar.add(url, cookie)
     assert_equal(1, @jar.cookies(url).length)
 
-    @jar.add url, Mechanize::Cookie.new(values.merge(:domain => 'RuByForge.Org',
+    @jar.add url, Mechanize::Cookie.new(values.merge(:domain => 'rubygems.Org',
                                                      :name   => 'aaron'))
 
     assert_equal(2, @jar.cookies(url).length)
 
-    url2 = URI 'http://RuByFoRgE.oRg/'
+    url2 = URI 'http://rubygems.oRg/'
     assert_equal(2, @jar.cookies(url2).length)
   end
 
   def test_add_future_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -117,14 +118,14 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(1, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(1, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(1, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Make sure we can't get the cookie from different domains
     assert_equal(0, @jar.cookies(URI('http://google.com/')).length)
   end
 
   def test_add_multiple_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -136,14 +137,14 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(2, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(2, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Make sure we can't get the cookie from different domains
     assert_equal(0, @jar.cookies(URI('http://google.com/')).length)
   end
 
   def test_add_rejects_cookies_that_do_not_contain_an_embedded_dot
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     tld_cookie = Mechanize::Cookie.new(cookie_values(:domain => '.org'))
     @jar.add(url, tld_cookie)
@@ -196,43 +197,43 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_cookie_without_leading_dot_does_not_cause_substring_match
-    url = URI 'http://arubyforge.org/'
+    url = URI 'http://arubygems.org/'
 
-    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubyforge.org'))
+    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubygems.org'))
     @jar.add(url, cookie)
 
     assert_equal(0, @jar.cookies(url).length)
   end
 
   def test_cookie_without_leading_dot_matches_subdomains
-    url = URI 'http://admin.rubyforge.org/'
+    url = URI 'http://admin.rubygems.org/'
 
-    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubyforge.org'))
+    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubygems.org'))
     @jar.add(url, cookie)
 
     assert_equal(1, @jar.cookies(url).length)
   end
 
   def test_cookies_with_leading_dot_match_subdomains
-    url = URI 'http://admin.rubyforge.org/'
+    url = URI 'http://admin.rubygems.org/'
 
-    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubyforge.org')))
+    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubygems.org')))
 
     assert_equal(1, @jar.cookies(url).length)
   end
 
   def test_cookies_with_leading_dot_match_parent_domains
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
-    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubyforge.org')))
+    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubygems.org')))
 
     assert_equal(1, @jar.cookies(url).length)
   end
 
   def test_cookies_with_leading_dot_match_parent_domains_exactly
-    url = URI 'http://arubyforge.org/'
+    url = URI 'http://arubygems.org/'
 
-    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubyforge.org')))
+    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubygems.org')))
 
     assert_equal(0, @jar.cookies(url).length)
   end
@@ -275,7 +276,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_clear_bang
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -289,7 +290,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_cookies_yaml
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -315,7 +316,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_session_cookies_yaml
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -341,7 +342,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
 
   def test_save_cookies_cookiestxt
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -378,7 +379,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_expire_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -390,7 +391,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(2, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(2, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Expire the first cookie
     @jar.add(url, Mechanize::Cookie.new(
@@ -405,7 +406,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
   def test_session_cookies
     values = cookie_values(:expires => nil)
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(values)
@@ -417,7 +418,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(2, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(2, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Expire the first cookie
     @jar.add(url, Mechanize::Cookie.new(values.merge(:expires => Time.now - (10 * 86400))))
@@ -430,7 +431,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
     # When given a URI with a blank path, CookieJar#cookies should return
     # cookies with the path '/':
-    url = URI 'http://rubyforge.org'
+    url = URI 'http://rubygems.org'
     assert_equal '', url.path
     assert_equal(0, @jar.cookies(url).length)
     # Now add a cookie with the path set to '/':
@@ -441,7 +442,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
   def test_paths
     values = cookie_values(:path => "/login", :expires => nil)
-    url = URI 'http://rubyforge.org/login'
+    url = URI 'http://rubygems.org/login'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(values)
@@ -453,8 +454,8 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we don't get the cookie in a different path
-    assert_equal(0, @jar.cookies(URI('http://rubyforge.org/hello')).length)
-    assert_equal(0, @jar.cookies(URI('http://rubyforge.org/')).length)
+    assert_equal(0, @jar.cookies(URI('http://rubygems.org/hello')).length)
+    assert_equal(0, @jar.cookies(URI('http://rubygems.org/')).length)
 
     # Expire the first cookie
     @jar.add(url, Mechanize::Cookie.new(values.merge( :expires => Time.now - (10 * 86400))))
@@ -467,7 +468,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_and_read_cookiestxt
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -486,7 +487,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_and_read_cookiestxt_with_session_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     @jar.add(url, Mechanize::Cookie.new(cookie_values(:expires => nil)))
 
@@ -500,10 +501,39 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(0, @jar.cookies(url).length)
   end
 
+  def test_prevent_command_injection_when_saving
+    url = URI 'http://rubygems.org/'
+    path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''
+
+    @jar.add(url, Mechanize::Cookie.new(cookie_values))
+
+    in_tmpdir do
+      @jar.save_as(path, :cookiestxt)
+      assert_equal(false, File.exist?('vul.txt'))
+    end
+  end
+
+  def test_prevent_command_injection_when_loading
+    url = URI 'http://rubygems.org/'
+    path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''
+
+    @jar.add(url, Mechanize::Cookie.new(cookie_values))
+
+    in_tmpdir do
+      @jar.save_as("cookies.txt", :cookiestxt)
+      @jar.clear!
+
+      assert_raises Errno::ENOENT do
+        @jar.load(path, :cookiestxt)
+      end
+      assert_equal(false, File.exist?('vul.txt'))
+    end
+  end
+
   def test_save_and_read_expired_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
-    @jar.jar['rubyforge.org'] = {}
+    @jar.jar['rubygems.org'] = {}
 
 
     @jar.add url, Mechanize::Cookie.new(cookie_values)
@@ -515,7 +545,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     # thanks to michal "ocher" ochman for reporting the bug responsible for this test.
     values = cookie_values(:expires => nil)
     values_ssl = values.merge(:name => 'Baz', :domain => "#{values[:domain]}:443")
-    url = URI 'https://rubyforge.org/login'
+    url = URI 'https://rubygems.org/login'
 
     cookie = Mechanize::Cookie.new(values)
     @jar.add(url, cookie)
@@ -527,8 +557,8 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_secure_cookie
-    nurl = URI 'http://rubyforge.org/login'
-    surl = URI 'https://rubyforge.org/login'
+    nurl = URI 'http://rubygems.org/login'
+    surl = URI 'https://rubygems.org/login'
 
     ncookie = Mechanize::Cookie.new(cookie_values(:name => 'Foo1'))
     scookie = Mechanize::Cookie.new(cookie_values(:name => 'Foo2', :secure => true))
@@ -543,10 +573,10 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_cookies_cookiestxt_subdomain
-    top_url = URI 'http://rubyforge.org/'
-    subdomain_url = URI 'http://admin.rubyforge.org/'
+    top_url = URI 'http://rubygems.org/'
+    subdomain_url = URI 'http://admin.rubygems.org/'
 
-    # cookie1 is for *.rubyforge.org; cookie2 is only for rubyforge.org, no subdomains
+    # cookie1 is for *.rubygems.org; cookie2 is only for rubygems.org, no subdomains
     cookie1 = Mechanize::Cookie.new(cookie_values)
     cookie2 = Mechanize::Cookie.new(cookie_values(:name => 'Boo', :for_domain => false))
 
@@ -572,8 +602,8 @@ class TestMechanizeCookieJar < Mechanize::TestCase
       # * Cookies that match subdomains may have a leading dot, and must have
       #   TRUE as the second field.
       cookies_txt = File.readlines("cookies.txt")
-      assert_equal(1, cookies_txt.grep( /^rubyforge\.org\tFALSE/ ).length)
-      assert_equal(1, cookies_txt.grep( /^\.rubyforge\.org\tTRUE/ ).length)
+      assert_equal(1, cookies_txt.grep( /^rubygems\.org\tFALSE/ ).length)
+      assert_equal(1, cookies_txt.grep( /^\.rubygems\.org\tTRUE/ ).length)
     end
 
     assert_equal(2, @jar.cookies(top_url).length)

data/test/test_mechanize_download.rb

@@ -46,6 +46,18 @@ class TestMechanizeDownload < Mechanize::TestCase
     end
   end
 
+  def test_save_bang_does_not_allow_command_injection
+    uri = URI.parse 'http://example/foo.html'
+    body_io = StringIO.new '0123456789'
+
+    download = @parser.new uri, nil, body_io
+
+    in_tmpdir do
+      download.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+
   def test_save_tempfile
     uri = URI.parse 'http://example/foo.html'
     Tempfile.open @NAME do |body_io|
@@ -84,6 +96,5 @@ class TestMechanizeDownload < Mechanize::TestCase
 
     assert_equal "foo.html", download.filename
   end
-
 end
 

data/test/test_mechanize_file.rb

@@ -103,5 +103,14 @@ class TestMechanizeFile < Mechanize::TestCase
     end
   end
 
+  def test_save_bang_does_not_allow_command_injection
+    uri = URI 'http://example/test.html'
+    page = Mechanize::File.new uri, nil, ''
+
+    in_tmpdir do
+      page.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
 end
 

data/test/test_mechanize_file_response.rb

@@ -1,7 +1,6 @@
 require 'mechanize/test_case'
 
 class TestMechanizeFileResponse < Mechanize::TestCase
-
   def test_content_type
     Tempfile.open %w[pi .nothtml] do |tempfile|
       res = Mechanize::FileResponse.new tempfile.path
@@ -19,5 +18,24 @@ class TestMechanizeFileResponse < Mechanize::TestCase
     end
   end
 
-end
+  def test_read_body
+    Tempfile.open %w[pi .html] do |tempfile|
+      tempfile.write("asdfasdfasdf")
+      tempfile.close
 
+      res = Mechanize::FileResponse.new(tempfile.path)
+      res.read_body do |input|
+        assert_equal("asdfasdfasdf", input)
+      end
+    end
+  end
+
+  def test_read_body_does_not_allow_command_injection
+    in_tmpdir do
+      FileUtils.touch('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      res = Mechanize::FileResponse.new('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      res.read_body { |_| }
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+end

data/test/test_mechanize_form.rb

@@ -65,6 +65,18 @@ class TestMechanizeForm < Mechanize::TestCase
     assert query.all? { |x| x[1] == '' }
   end
 
+  def test_build_query_blank_input_name
+    html = Nokogiri::HTML <<-HTML
+<form>
+  <input type="text" name="" value="foo" />
+</form>
+    HTML
+
+    form = Mechanize::Form.new html.at('form'), @mech, @page
+
+    assert_equal [], form.build_query
+  end
+
   def test_build_query_radio_button_duplicate
     html = Nokogiri::HTML <<-HTML
 <form>

data/test/test_mechanize_form_keygen.rb

@@ -22,6 +22,7 @@ class TestMechanizeFormKeygen < Mechanize::TestCase
   end
 
   def test_spki_signature
+    skip("JRuby PKI doesn't handle this for reasons I've been unable to understand") if RUBY_ENGINE=~/jruby/
     spki = OpenSSL::Netscape::SPKI.new @keygen.value
     assert_equal @keygen.challenge, spki.challenge
     assert_equal @keygen.key.public_key.to_pem, spki.public_key.to_pem

data/test/test_mechanize_http_agent.rb

@@ -935,7 +935,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     body_io = StringIO.new \
       "\037\213\b\0002\002\225M\000\003+H,*\001"
 
-    return if jruby_zlib?
+    skip if jruby_zlib?
 
     e = assert_raises Mechanize::Error do
       @agent.response_content_encoding @res, body_io
@@ -1590,6 +1590,11 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_retry_change_request_equals
+    unless Gem::Requirement.new("< 4.0.0").satisfied_by?(Gem::Version.new(Net::HTTP::Persistent::VERSION))
+      # see https://github.com/drbrain/net-http-persistent/pull/100
+      skip("net-http-persistent 4.0.0 and later does not support retry_change_requests")
+    end
+
     refute @agent.http.retry_change_requests
 
     @agent.retry_change_requests = true

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mechanize
 version: !ruby/object:Gem::Version
-  version: 2.7.6
+  version: 2.7.7
 platform: ruby
 authors:
 - Eric Hodel
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-02 00:00:00.000000000 Z
+date: 2021-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-http-digest_auth
@@ -151,61 +151,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.5'
 - !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: bundler
+  name: webrick
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: rdoc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.0'
-  type: :development
+        version: '1.7'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '1.7'
 description: |-
   The Mechanize library is used for automating interaction with websites.
   Mechanize automatically stores and sends cookies, follows redirects,
@@ -214,22 +172,22 @@ description: |-
   a history.
 email:
 - drbrain@segment7.net
-- aaronp@rubyforge.org
+- aaron.patterson@gmail.com
 - mike.dalessio@gmail.com
 - knu@idaemons.org
 - ljjarvis@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
-- EXAMPLES.rdoc
-- CHANGELOG.rdoc
 - GUIDE.rdoc
+- EXAMPLES.rdoc
 - LICENSE.rdoc
+- CHANGELOG.rdoc
 - README.rdoc
 files:
 - ".autotest"
+- ".github/workflows/ci-test.yml"
 - ".gitignore"
-- ".travis.yml"
 - CHANGELOG.rdoc
 - EXAMPLES.rdoc
 - GUIDE.rdoc
@@ -455,8 +413,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14.1
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: The Mechanize library is used for automating interaction with websites

data/.travis.yml

@@ -1,36 +0,0 @@
----
-language: ruby
-notifications:
-  email:
-  - drbrain@segment7.net
-  - ljjarvis@gmail.com
-  - knu@idaemons.org
-
-sudo: false
-
-# bundler is missing for jruby-head in travis-ci
-# https://github.com/travis-ci/travis-ci/issues/5861
-before_install:
-  - gem install --conservative bundler -v'1.13.7'
-
-script: rake test
-
-matrix:
-  include:
-    - rvm: 1.9.3
-    - rvm: 2.0.0
-    - rvm: 2.1
-    - rvm: 2.2
-    - rvm: 2.3.3
-    - rvm: 2.4.0
-    - rvm: ruby-head
-    - rvm: jruby-1.7.27
-    - rvm: jruby-9.1.14.0
-    - rvm: jruby-head
-  allow_failures:
-    - rvm: jruby-9.1.14.0
-    - rvm: jruby-head
-
-env:
-  global:
-    - JRUBY_OPTS="--debug"