mechanize 2.7.6 → 2.8.2

data/test/test_mechanize_cookie_jar.rb

@@ -1,4 +1,5 @@
 require 'mechanize/test_case'
+require 'fileutils'
 
 class TestMechanizeCookieJar < Mechanize::TestCase
 
@@ -39,23 +40,23 @@ class TestMechanizeCookieJar < Mechanize::TestCase
       :path     => '/',
       :expires  => Time.now + (10 * 86400),
       :for_domain => true,
-      :domain   => 'rubyforge.org'
+      :domain   => 'rubygems.org'
    }.merge(options)
   end
 
   def test_two_cookies_same_domain_and_name_different_paths
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     cookie = Mechanize::Cookie.new(cookie_values)
     @jar.add(url, cookie)
     @jar.add(url, Mechanize::Cookie.new(cookie_values(:path => '/onetwo')))
 
     assert_equal(1, @jar.cookies(url).length)
-    assert_equal 2, @jar.cookies(URI('http://rubyforge.org/onetwo')).length
+    assert_equal 2, @jar.cookies(URI('http://rubygems.org/onetwo')).length
   end
 
   def test_domain_case
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -63,49 +64,49 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(1, @jar.cookies(url).length)
 
     @jar.add(url, Mechanize::Cookie.new(
-        cookie_values(:domain => 'RuByForge.Org', :name   => 'aaron')))
+        cookie_values(:domain => 'rubygems.Org', :name   => 'aaron')))
 
     assert_equal(2, @jar.cookies(url).length)
 
-    url2 = URI 'http://RuByFoRgE.oRg/'
+    url2 = URI 'http://rubygems.oRg/'
     assert_equal(2, @jar.cookies(url2).length)
   end
 
   def test_host_only
-    url = URI.parse('http://rubyforge.org/')
+    url = URI.parse('http://rubygems.org/')
 
     @jar.add(url, Mechanize::Cookie.new(
-        cookie_values(:domain => 'rubyforge.org', :for_domain => false)))
+        cookie_values(:domain => 'rubygems.org', :for_domain => false)))
 
     assert_equal(1, @jar.cookies(url).length)
 
-    assert_equal(1, @jar.cookies(URI('http://RubyForge.org/')).length)
+    assert_equal(1, @jar.cookies(URI('http://rubygems.org/')).length)
 
-    assert_equal(1, @jar.cookies(URI('https://RubyForge.org/')).length)
+    assert_equal(1, @jar.cookies(URI('https://rubygems.org/')).length)
 
-    assert_equal(0, @jar.cookies(URI('http://www.rubyforge.org/')).length)
+    assert_equal(0, @jar.cookies(URI('http://www.rubygems.org/')).length)
   end
 
   def test_empty_value
     values = cookie_values(:value => "")
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(values)
     @jar.add(url, cookie)
     assert_equal(1, @jar.cookies(url).length)
 
-    @jar.add url, Mechanize::Cookie.new(values.merge(:domain => 'RuByForge.Org',
+    @jar.add url, Mechanize::Cookie.new(values.merge(:domain => 'rubygems.Org',
                                                      :name   => 'aaron'))
 
     assert_equal(2, @jar.cookies(url).length)
 
-    url2 = URI 'http://RuByFoRgE.oRg/'
+    url2 = URI 'http://rubygems.oRg/'
     assert_equal(2, @jar.cookies(url2).length)
   end
 
   def test_add_future_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -117,14 +118,14 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(1, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(1, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(1, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Make sure we can't get the cookie from different domains
     assert_equal(0, @jar.cookies(URI('http://google.com/')).length)
   end
 
   def test_add_multiple_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -136,14 +137,14 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(2, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(2, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Make sure we can't get the cookie from different domains
     assert_equal(0, @jar.cookies(URI('http://google.com/')).length)
   end
 
   def test_add_rejects_cookies_that_do_not_contain_an_embedded_dot
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     tld_cookie = Mechanize::Cookie.new(cookie_values(:domain => '.org'))
     @jar.add(url, tld_cookie)
@@ -196,43 +197,43 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_cookie_without_leading_dot_does_not_cause_substring_match
-    url = URI 'http://arubyforge.org/'
+    url = URI 'http://arubygems.org/'
 
-    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubyforge.org'))
+    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubygems.org'))
     @jar.add(url, cookie)
 
     assert_equal(0, @jar.cookies(url).length)
   end
 
   def test_cookie_without_leading_dot_matches_subdomains
-    url = URI 'http://admin.rubyforge.org/'
+    url = URI 'http://admin.rubygems.org/'
 
-    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubyforge.org'))
+    cookie = Mechanize::Cookie.new(cookie_values(:domain => 'rubygems.org'))
     @jar.add(url, cookie)
 
     assert_equal(1, @jar.cookies(url).length)
   end
 
   def test_cookies_with_leading_dot_match_subdomains
-    url = URI 'http://admin.rubyforge.org/'
+    url = URI 'http://admin.rubygems.org/'
 
-    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubyforge.org')))
+    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubygems.org')))
 
     assert_equal(1, @jar.cookies(url).length)
   end
 
   def test_cookies_with_leading_dot_match_parent_domains
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
-    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubyforge.org')))
+    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubygems.org')))
 
     assert_equal(1, @jar.cookies(url).length)
   end
 
   def test_cookies_with_leading_dot_match_parent_domains_exactly
-    url = URI 'http://arubyforge.org/'
+    url = URI 'http://arubygems.org/'
 
-    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubyforge.org')))
+    @jar.add(url, Mechanize::Cookie.new(cookie_values(:domain => '.rubygems.org')))
 
     assert_equal(0, @jar.cookies(url).length)
   end
@@ -275,7 +276,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_clear_bang
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -289,7 +290,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_cookies_yaml
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -315,7 +316,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_session_cookies_yaml
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -341,7 +342,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
 
   def test_save_cookies_cookiestxt
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -378,7 +379,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_expire_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -390,7 +391,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(2, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(2, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Expire the first cookie
     @jar.add(url, Mechanize::Cookie.new(
@@ -405,7 +406,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
   def test_session_cookies
     values = cookie_values(:expires => nil)
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(values)
@@ -417,7 +418,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we can get the cookie from different paths
-    assert_equal(2, @jar.cookies(URI('http://rubyforge.org/login')).length)
+    assert_equal(2, @jar.cookies(URI('http://rubygems.org/login')).length)
 
     # Expire the first cookie
     @jar.add(url, Mechanize::Cookie.new(values.merge(:expires => Time.now - (10 * 86400))))
@@ -430,7 +431,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
     # When given a URI with a blank path, CookieJar#cookies should return
     # cookies with the path '/':
-    url = URI 'http://rubyforge.org'
+    url = URI 'http://rubygems.org'
     assert_equal '', url.path
     assert_equal(0, @jar.cookies(url).length)
     # Now add a cookie with the path set to '/':
@@ -441,7 +442,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
 
   def test_paths
     values = cookie_values(:path => "/login", :expires => nil)
-    url = URI 'http://rubyforge.org/login'
+    url = URI 'http://rubygems.org/login'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(values)
@@ -453,8 +454,8 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(2, @jar.cookies(url).length)
 
     # Make sure we don't get the cookie in a different path
-    assert_equal(0, @jar.cookies(URI('http://rubyforge.org/hello')).length)
-    assert_equal(0, @jar.cookies(URI('http://rubyforge.org/')).length)
+    assert_equal(0, @jar.cookies(URI('http://rubygems.org/hello')).length)
+    assert_equal(0, @jar.cookies(URI('http://rubygems.org/')).length)
 
     # Expire the first cookie
     @jar.add(url, Mechanize::Cookie.new(values.merge( :expires => Time.now - (10 * 86400))))
@@ -467,7 +468,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_and_read_cookiestxt
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     # Add one cookie with an expiration date in the future
     cookie = Mechanize::Cookie.new(cookie_values)
@@ -486,7 +487,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_and_read_cookiestxt_with_session_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
     @jar.add(url, Mechanize::Cookie.new(cookie_values(:expires => nil)))
 
@@ -500,10 +501,41 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     assert_equal(0, @jar.cookies(url).length)
   end
 
+  def test_prevent_command_injection_when_saving
+    skip if windows?
+    url = URI 'http://rubygems.org/'
+    path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''
+
+    @jar.add(url, Mechanize::Cookie.new(cookie_values))
+
+    in_tmpdir do
+      @jar.save_as(path, :cookiestxt)
+      assert_equal(false, File.exist?('vul.txt'))
+    end
+  end
+
+  def test_prevent_command_injection_when_loading
+    skip if windows?
+    url = URI 'http://rubygems.org/'
+    path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''
+
+    @jar.add(url, Mechanize::Cookie.new(cookie_values))
+
+    in_tmpdir do
+      @jar.save_as("cookies.txt", :cookiestxt)
+      @jar.clear!
+
+      assert_raises Errno::ENOENT do
+        @jar.load(path, :cookiestxt)
+      end
+      assert_equal(false, File.exist?('vul.txt'))
+    end
+  end
+
   def test_save_and_read_expired_cookies
-    url = URI 'http://rubyforge.org/'
+    url = URI 'http://rubygems.org/'
 
-    @jar.jar['rubyforge.org'] = {}
+    @jar.jar['rubygems.org'] = {}
 
 
     @jar.add url, Mechanize::Cookie.new(cookie_values)
@@ -515,7 +547,7 @@ class TestMechanizeCookieJar < Mechanize::TestCase
     # thanks to michal "ocher" ochman for reporting the bug responsible for this test.
     values = cookie_values(:expires => nil)
     values_ssl = values.merge(:name => 'Baz', :domain => "#{values[:domain]}:443")
-    url = URI 'https://rubyforge.org/login'
+    url = URI 'https://rubygems.org/login'
 
     cookie = Mechanize::Cookie.new(values)
     @jar.add(url, cookie)
@@ -527,8 +559,8 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_secure_cookie
-    nurl = URI 'http://rubyforge.org/login'
-    surl = URI 'https://rubyforge.org/login'
+    nurl = URI 'http://rubygems.org/login'
+    surl = URI 'https://rubygems.org/login'
 
     ncookie = Mechanize::Cookie.new(cookie_values(:name => 'Foo1'))
     scookie = Mechanize::Cookie.new(cookie_values(:name => 'Foo2', :secure => true))
@@ -543,10 +575,10 @@ class TestMechanizeCookieJar < Mechanize::TestCase
   end
 
   def test_save_cookies_cookiestxt_subdomain
-    top_url = URI 'http://rubyforge.org/'
-    subdomain_url = URI 'http://admin.rubyforge.org/'
+    top_url = URI 'http://rubygems.org/'
+    subdomain_url = URI 'http://admin.rubygems.org/'
 
-    # cookie1 is for *.rubyforge.org; cookie2 is only for rubyforge.org, no subdomains
+    # cookie1 is for *.rubygems.org; cookie2 is only for rubygems.org, no subdomains
     cookie1 = Mechanize::Cookie.new(cookie_values)
     cookie2 = Mechanize::Cookie.new(cookie_values(:name => 'Boo', :for_domain => false))
 
@@ -572,8 +604,8 @@ class TestMechanizeCookieJar < Mechanize::TestCase
       # * Cookies that match subdomains may have a leading dot, and must have
       #   TRUE as the second field.
       cookies_txt = File.readlines("cookies.txt")
-      assert_equal(1, cookies_txt.grep( /^rubyforge\.org\tFALSE/ ).length)
-      assert_equal(1, cookies_txt.grep( /^\.rubyforge\.org\tTRUE/ ).length)
+      assert_equal(1, cookies_txt.grep( /^rubygems\.org\tFALSE/ ).length)
+      assert_equal(1, cookies_txt.grep( /^\.rubygems\.org\tTRUE/ ).length)
     end
 
     assert_equal(2, @jar.cookies(top_url).length)

data/test/test_mechanize_download.rb

@@ -46,6 +46,19 @@ class TestMechanizeDownload < Mechanize::TestCase
     end
   end
 
+  def test_save_bang_does_not_allow_command_injection
+    skip if windows?
+    uri = URI.parse 'http://example/foo.html'
+    body_io = StringIO.new '0123456789'
+
+    download = @parser.new uri, nil, body_io
+
+    in_tmpdir do
+      download.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+
   def test_save_tempfile
     uri = URI.parse 'http://example/foo.html'
     Tempfile.open @NAME do |body_io|
@@ -84,6 +97,5 @@ class TestMechanizeDownload < Mechanize::TestCase
 
     assert_equal "foo.html", download.filename
   end
-
 end
 

data/test/test_mechanize_file.rb

@@ -103,5 +103,15 @@ class TestMechanizeFile < Mechanize::TestCase
     end
   end
 
+  def test_save_bang_does_not_allow_command_injection
+    skip if windows?
+    uri = URI 'http://example/test.html'
+    page = Mechanize::File.new uri, nil, ''
+
+    in_tmpdir do
+      page.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
 end
 

data/test/test_mechanize_file_connection.rb

@@ -3,19 +3,37 @@ require 'mechanize/test_case'
 class TestMechanizeFileConnection < Mechanize::TestCase
 
   def test_request
-    uri = URI.parse "file://#{File.expand_path __FILE__}"
+    file_path = File.expand_path(__FILE__)
+    uri = URI.parse "file://#{file_path}"
     conn = Mechanize::FileConnection.new
 
     body = ''
 
     conn.request uri, nil do |response|
+      assert_equal(file_path, response.file_path)
       response.read_body do |part|
         body << part
       end
     end
 
-    assert_equal File.read(__FILE__), body
+    assert_equal File.read(__FILE__), body.gsub(/\r\n/, "\n")
   end
 
-end
+  def test_request_on_uri_with_windows_drive
+    uri_string = "file://C:/path/to/file.html"
+    expected_file_path = "C:/path/to/file.html"
+
+    uri = URI.parse(uri_string)
+    conn = Mechanize::FileConnection.new
 
+    called = false
+    yielded_file_path = nil
+    conn.request(uri, nil) do |response|
+      called = true
+      yielded_file_path = response.file_path
+    end
+
+    assert(called)
+    assert_equal(expected_file_path, yielded_file_path)
+  end
+end