mechanize 2.8.2 → 2.8.5
- checksums.yaml +4 -4
- data/.github/workflows/ci-test.yml +3 -3
- data/CHANGELOG.md +21 -0
- data/lib/mechanize/cookie_jar.rb +13 -1
- data/lib/mechanize/http/agent.rb +9 -4
- data/lib/mechanize/version.rb +1 -1
- data/lib/mechanize.rb +1 -1
- data/test/test_mechanize_http_agent.rb +23 -2
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6464b4f3e7e1248feaca2b3d335d6e1c079895317d6ceb8e3999924b53d1ace0
|
4
|
+
data.tar.gz: 16fb65c1b39a57c312ca1a45002c89e266fb2cd8720f4239b98c13ffa3629830
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5d853dddbc85ec4a87d708ea2a970a3cecb11c868da9673f38d75bff6c6449e2b4ec32881fcb4066ee6d53d96812e6620adb9c8bf4a33e825ced05d7890bc057
|
7
|
+
data.tar.gz: b688fb7da123ee2768dc3f7772dfa943373c80d7e7ce8daeb5ceff772992f6f781db61e71515b24b7efe020180a6990b32aceeb1bcf4750f0328d20c3eced009
|
@@ -16,7 +16,7 @@ jobs:
|
|
16
16
|
- uses: actions/checkout@v2
|
17
17
|
- uses: ruby/setup-ruby@v1
|
18
18
|
with:
|
19
|
-
ruby-version: "3.
|
19
|
+
ruby-version: "3.1"
|
20
20
|
bundler-cache: true
|
21
21
|
- run: bundle exec rake rubocop
|
22
22
|
|
@@ -25,7 +25,7 @@ jobs:
|
|
25
25
|
strategy:
|
26
26
|
fail-fast: false
|
27
27
|
matrix:
|
28
|
-
ruby-version: ["2.5", "2.6", "2.7", "3.0", "jruby", "truffleruby-head"]
|
28
|
+
ruby-version: ["2.5", "2.6", "2.7", "3.0", "3.1", "head", "jruby", "truffleruby-head"]
|
29
29
|
|
30
30
|
runs-on: ubuntu-latest
|
31
31
|
steps:
|
@@ -48,6 +48,6 @@ jobs:
|
|
48
48
|
- uses: actions/checkout@v2
|
49
49
|
- uses: ruby/setup-ruby@v1
|
50
50
|
with:
|
51
|
-
ruby-version: "3.
|
51
|
+
ruby-version: "3.1"
|
52
52
|
bundler-cache: true
|
53
53
|
- run: bundle exec rake test
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,26 @@
|
|
1
1
|
# Mechanize CHANGELOG
|
2
2
|
|
3
|
+
## 2.8.5 / 2022-06-09
|
4
|
+
|
5
|
+
### Security
|
6
|
+
|
7
|
+
Fixes low-severity CVE-2022-31033, "Authorization header leak on port redirect." See [GHSA-64qm-hrgp-pgr9](https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9) for more details.
|
8
|
+
|
9
|
+
|
10
|
+
## 2.8.4 / 2022-01-17
|
11
|
+
|
12
|
+
### Fix
|
13
|
+
|
14
|
+
* `Mechanize::CookieJar#load` calls `Psych.safe_load` when using Psych >= 3.1
|
15
|
+
|
16
|
+
|
17
|
+
## 2.8.3 / 2021-11-11
|
18
|
+
|
19
|
+
### Update
|
20
|
+
|
21
|
+
* Update the "Linux Firefox" user agent string to rev94 (#587) Thank you, @ncs1!
|
22
|
+
|
23
|
+
|
3
24
|
## 2.8.2 / 2021-08-06
|
4
25
|
|
5
26
|
### Dependencies
|
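--- a/data/lib/mechanize/cookie_jar.rb
+++ b/data/lib/mechanize/cookie_jar.rb
@@ -149,7 +149,7 @@ class Mechanize
 return super(input, opthash) if opthash[:format] != :yaml
 
 begin
-data =
+data = load_yaml(input)
 rescue ArgumentError
 @logger.warn "unloadable YAML cookie data discarded" if @logger
 return self
@@ -174,6 +174,18 @@ class Mechanize
 return self
 end
 end
+
+private
+
+if YAML.name == "Psych" && Gem::Requirement.new(">= 3.1").satisfied_by?(Gem::Version.new(Psych::VERSION))
+def load_yaml(yaml)
+YAML.safe_load(yaml, aliases: true, permitted_classes: ["Mechanize::Cookie", "Time"])
+end
+else
+def load_yaml(yaml)
+YAML.load(yaml) # rubocop:disable Security/YAMLLoad
+end
+end
 end
 
 class ::HTTP::CookieJar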
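--- a/data/lib/mechanize/http/agent.rb
+++ b/data/lib/mechanize/http/agent.rb
@@ -9,7 +9,8 @@ require 'webrobots'
 
 class Mechanize::HTTP::Agent
 
-CREDENTIAL_HEADERS = ['Authorization'
+CREDENTIAL_HEADERS = ['Authorization']
+COOKIE_HEADERS = ['Cookie']
 POST_HEADERS = ['Content-Length', 'Content-MD5', 'Content-Type']
 
 # :section: Headers
@@ -998,10 +999,14 @@ class Mechanize::HTTP::Agent
 end
 
 # Make sure we clear credential headers if being redirected to another site
-if new_uri.host
-
-
+if new_uri.host == page.uri.host
+if new_uri.port != page.uri.port
+# https://datatracker.ietf.org/doc/html/rfc6265#section-8.5
+# cookies are OK to be shared across ports on the same host
+CREDENTIAL_HEADERS.each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
 end
+else
+(COOKIE_HEADERS + CREDENTIAL_HEADERS).each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
 end
 
 fetch new_uri, redirect_method, headers, [], referer, redirects + 1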
data/lib/mechanize/version.rb
CHANGED
data/lib/mechanize.rb
CHANGED
@@ -115,7 +115,7 @@ class Mechanize
|
|
115
115
|
|
116
116
|
AGENT_ALIASES = {
|
117
117
|
'Mechanize' => "Mechanize/#{VERSION} Ruby/#{ruby_version} (http://github.com/sparklemotion/mechanize/)",
|
118
|
-
'Linux Firefox' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:
|
118
|
+
'Linux Firefox' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0',
|
119
119
|
'Linux Konqueror' => 'Mozilla/5.0 (compatible; Konqueror/3; Linux)',
|
120
120
|
'Linux Mozilla' => 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624',
|
121
121
|
'Mac Firefox' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0',
|
@@ -1569,7 +1569,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
|
|
1569
1569
|
refute_includes(headers.keys, "AUTHORIZATION")
|
1570
1570
|
refute_includes(headers.keys, "cookie")
|
1571
1571
|
|
1572
|
-
assert_match
|
1572
|
+
assert_match("range|bytes=0-9999", page.body)
|
1573
1573
|
refute_match("authorization|Basic xxx", page.body)
|
1574
1574
|
refute_match("cookie|name=value", page.body)
|
1575
1575
|
end
|
@@ -1590,11 +1590,32 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
|
|
1590
1590
|
assert_includes(headers.keys, "AUTHORIZATION")
|
1591
1591
|
assert_includes(headers.keys, "cookie")
|
1592
1592
|
|
1593
|
-
assert_match
|
1593
|
+
assert_match("range|bytes=0-9999", page.body)
|
1594
1594
|
assert_match("authorization|Basic xxx", page.body)
|
1595
1595
|
assert_match("cookie|name=value", page.body)
|
1596
1596
|
end
|
1597
1597
|
|
1598
|
+
def test_response_redirect_to_same_site_diff_port_with_credential
|
1599
|
+
@agent.redirect_ok = true
|
1600
|
+
|
1601
|
+
headers = {
|
1602
|
+
'Range' => 'bytes=0-9999',
|
1603
|
+
'AUTHORIZATION' => 'Basic xxx',
|
1604
|
+
'cookie' => 'name=value',
|
1605
|
+
}
|
1606
|
+
|
1607
|
+
page = html_page ''
|
1608
|
+
page = @agent.response_redirect({ 'Location' => 'http://example:81/http_headers' }, :get,
|
1609
|
+
page, 0, headers)
|
1610
|
+
|
1611
|
+
refute_includes(headers.keys, "AUTHORIZATION")
|
1612
|
+
assert_includes(headers.keys, "cookie")
|
1613
|
+
|
1614
|
+
assert_match("range|bytes=0-9999", page.body)
|
1615
|
+
refute_match("authorization|Basic xxx", page.body)
|
1616
|
+
assert_match("cookie|name=value", page.body)
|
1617
|
+
end
|
1618
|
+
|
1598
1619
|
def test_response_redirect_not_ok
|
1599
1620
|
@agent.redirect_ok = false
|
1600
1621
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: mechanize
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.8.
|
4
|
+
version: 2.8.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Hodel
|
@@ -12,7 +12,7 @@ authors:
|
|
12
12
|
autorequire:
|
13
13
|
bindir: bin
|
14
14
|
cert_chain: []
|
15
|
-
date:
|
15
|
+
date: 2022-06-09 00:00:00.000000000 Z
|
16
16
|
dependencies:
|
17
17
|
- !ruby/object:Gem::Dependency
|
18
18
|
name: addressable
|
@@ -502,7 +502,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
502
502
|
- !ruby/object:Gem::Version
|
503
503
|
version: '0'
|
504
504
|
requirements: []
|
505
|
-
rubygems_version: 3.
|
505
|
+
rubygems_version: 3.3.5
|
506
506
|
signing_key:
|
507
507
|
specification_version: 4
|
508
508
|
summary: The Mechanize library is used for automating interaction with websites
|