mechanize 2.8.2 → 2.8.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/ci-test.yml +3 -3
- data/CHANGELOG.md +21 -0
- data/lib/mechanize/cookie_jar.rb +13 -1
- data/lib/mechanize/http/agent.rb +9 -4
- data/lib/mechanize/version.rb +1 -1
- data/lib/mechanize.rb +1 -1
- data/test/test_mechanize_http_agent.rb +23 -2
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6464b4f3e7e1248feaca2b3d335d6e1c079895317d6ceb8e3999924b53d1ace0
|
|
4
|
+
data.tar.gz: 16fb65c1b39a57c312ca1a45002c89e266fb2cd8720f4239b98c13ffa3629830
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5d853dddbc85ec4a87d708ea2a970a3cecb11c868da9673f38d75bff6c6449e2b4ec32881fcb4066ee6d53d96812e6620adb9c8bf4a33e825ced05d7890bc057
|
|
7
|
+
data.tar.gz: b688fb7da123ee2768dc3f7772dfa943373c80d7e7ce8daeb5ceff772992f6f781db61e71515b24b7efe020180a6990b32aceeb1bcf4750f0328d20c3eced009
|
|
@@ -16,7 +16,7 @@ jobs:
|
|
|
16
16
|
- uses: actions/checkout@v2
|
|
17
17
|
- uses: ruby/setup-ruby@v1
|
|
18
18
|
with:
|
|
19
|
-
ruby-version: "3.
|
|
19
|
+
ruby-version: "3.1"
|
|
20
20
|
bundler-cache: true
|
|
21
21
|
- run: bundle exec rake rubocop
|
|
22
22
|
|
|
@@ -25,7 +25,7 @@ jobs:
|
|
|
25
25
|
strategy:
|
|
26
26
|
fail-fast: false
|
|
27
27
|
matrix:
|
|
28
|
-
ruby-version: ["2.5", "2.6", "2.7", "3.0", "jruby", "truffleruby-head"]
|
|
28
|
+
ruby-version: ["2.5", "2.6", "2.7", "3.0", "3.1", "head", "jruby", "truffleruby-head"]
|
|
29
29
|
|
|
30
30
|
runs-on: ubuntu-latest
|
|
31
31
|
steps:
|
|
@@ -48,6 +48,6 @@ jobs:
|
|
|
48
48
|
- uses: actions/checkout@v2
|
|
49
49
|
- uses: ruby/setup-ruby@v1
|
|
50
50
|
with:
|
|
51
|
-
ruby-version: "3.
|
|
51
|
+
ruby-version: "3.1"
|
|
52
52
|
bundler-cache: true
|
|
53
53
|
- run: bundle exec rake test
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,26 @@
|
|
|
1
1
|
# Mechanize CHANGELOG
|
|
2
2
|
|
|
3
|
+
## 2.8.5 / 2022-06-09
|
|
4
|
+
|
|
5
|
+
### Security
|
|
6
|
+
|
|
7
|
+
Fixes low-severity CVE-2022-31033, "Authorization header leak on port redirect." See [GHSA-64qm-hrgp-pgr9](https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9) for more details.
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
## 2.8.4 / 2022-01-17
|
|
11
|
+
|
|
12
|
+
### Fix
|
|
13
|
+
|
|
14
|
+
* `Mechanize::CookieJar#load` calls `Psych.safe_load` when using Psych >= 3.1
|
|
15
|
+
|
|
16
|
+
|
|
17
|
+
## 2.8.3 / 2021-11-11
|
|
18
|
+
|
|
19
|
+
### Update
|
|
20
|
+
|
|
21
|
+
* Update the "Linux Firefox" user agent string to rev94 (#587) Thank you, @ncs1!
|
|
22
|
+
|
|
23
|
+
|
|
3
24
|
## 2.8.2 / 2021-08-06
|
|
4
25
|
|
|
5
26
|
### Dependencies
|
data/lib/mechanize/cookie_jar.rb
CHANGED
|
@@ -149,7 +149,7 @@ class Mechanize
|
|
|
149
149
|
return super(input, opthash) if opthash[:format] != :yaml
|
|
150
150
|
|
|
151
151
|
begin
|
|
152
|
-
data =
|
|
152
|
+
data = load_yaml(input)
|
|
153
153
|
rescue ArgumentError
|
|
154
154
|
@logger.warn "unloadable YAML cookie data discarded" if @logger
|
|
155
155
|
return self
|
|
@@ -174,6 +174,18 @@ class Mechanize
|
|
|
174
174
|
return self
|
|
175
175
|
end
|
|
176
176
|
end
|
|
177
|
+
|
|
178
|
+
private
|
|
179
|
+
|
|
180
|
+
if YAML.name == "Psych" && Gem::Requirement.new(">= 3.1").satisfied_by?(Gem::Version.new(Psych::VERSION))
|
|
181
|
+
def load_yaml(yaml)
|
|
182
|
+
YAML.safe_load(yaml, aliases: true, permitted_classes: ["Mechanize::Cookie", "Time"])
|
|
183
|
+
end
|
|
184
|
+
else
|
|
185
|
+
def load_yaml(yaml)
|
|
186
|
+
YAML.load(yaml) # rubocop:disable Security/YAMLLoad
|
|
187
|
+
end
|
|
188
|
+
end
|
|
177
189
|
end
|
|
178
190
|
|
|
179
191
|
class ::HTTP::CookieJar
|
data/lib/mechanize/http/agent.rb
CHANGED
|
@@ -9,7 +9,8 @@ require 'webrobots'
|
|
|
9
9
|
|
|
10
10
|
class Mechanize::HTTP::Agent
|
|
11
11
|
|
|
12
|
-
CREDENTIAL_HEADERS = ['Authorization'
|
|
12
|
+
CREDENTIAL_HEADERS = ['Authorization']
|
|
13
|
+
COOKIE_HEADERS = ['Cookie']
|
|
13
14
|
POST_HEADERS = ['Content-Length', 'Content-MD5', 'Content-Type']
|
|
14
15
|
|
|
15
16
|
# :section: Headers
|
|
@@ -998,10 +999,14 @@ class Mechanize::HTTP::Agent
|
|
|
998
999
|
end
|
|
999
1000
|
|
|
1000
1001
|
# Make sure we clear credential headers if being redirected to another site
|
|
1001
|
-
if new_uri.host
|
|
1002
|
-
|
|
1003
|
-
|
|
1002
|
+
if new_uri.host == page.uri.host
|
|
1003
|
+
if new_uri.port != page.uri.port
|
|
1004
|
+
# https://datatracker.ietf.org/doc/html/rfc6265#section-8.5
|
|
1005
|
+
# cookies are OK to be shared across ports on the same host
|
|
1006
|
+
CREDENTIAL_HEADERS.each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
|
|
1004
1007
|
end
|
|
1008
|
+
else
|
|
1009
|
+
(COOKIE_HEADERS + CREDENTIAL_HEADERS).each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
|
|
1005
1010
|
end
|
|
1006
1011
|
|
|
1007
1012
|
fetch new_uri, redirect_method, headers, [], referer, redirects + 1
|
data/lib/mechanize/version.rb
CHANGED
data/lib/mechanize.rb
CHANGED
|
@@ -115,7 +115,7 @@ class Mechanize
|
|
|
115
115
|
|
|
116
116
|
AGENT_ALIASES = {
|
|
117
117
|
'Mechanize' => "Mechanize/#{VERSION} Ruby/#{ruby_version} (http://github.com/sparklemotion/mechanize/)",
|
|
118
|
-
'Linux Firefox' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:
|
|
118
|
+
'Linux Firefox' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0',
|
|
119
119
|
'Linux Konqueror' => 'Mozilla/5.0 (compatible; Konqueror/3; Linux)',
|
|
120
120
|
'Linux Mozilla' => 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624',
|
|
121
121
|
'Mac Firefox' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0',
|
|
@@ -1569,7 +1569,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
|
|
|
1569
1569
|
refute_includes(headers.keys, "AUTHORIZATION")
|
|
1570
1570
|
refute_includes(headers.keys, "cookie")
|
|
1571
1571
|
|
|
1572
|
-
assert_match
|
|
1572
|
+
assert_match("range|bytes=0-9999", page.body)
|
|
1573
1573
|
refute_match("authorization|Basic xxx", page.body)
|
|
1574
1574
|
refute_match("cookie|name=value", page.body)
|
|
1575
1575
|
end
|
|
@@ -1590,11 +1590,32 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
|
|
|
1590
1590
|
assert_includes(headers.keys, "AUTHORIZATION")
|
|
1591
1591
|
assert_includes(headers.keys, "cookie")
|
|
1592
1592
|
|
|
1593
|
-
assert_match
|
|
1593
|
+
assert_match("range|bytes=0-9999", page.body)
|
|
1594
1594
|
assert_match("authorization|Basic xxx", page.body)
|
|
1595
1595
|
assert_match("cookie|name=value", page.body)
|
|
1596
1596
|
end
|
|
1597
1597
|
|
|
1598
|
+
def test_response_redirect_to_same_site_diff_port_with_credential
|
|
1599
|
+
@agent.redirect_ok = true
|
|
1600
|
+
|
|
1601
|
+
headers = {
|
|
1602
|
+
'Range' => 'bytes=0-9999',
|
|
1603
|
+
'AUTHORIZATION' => 'Basic xxx',
|
|
1604
|
+
'cookie' => 'name=value',
|
|
1605
|
+
}
|
|
1606
|
+
|
|
1607
|
+
page = html_page ''
|
|
1608
|
+
page = @agent.response_redirect({ 'Location' => 'http://example:81/http_headers' }, :get,
|
|
1609
|
+
page, 0, headers)
|
|
1610
|
+
|
|
1611
|
+
refute_includes(headers.keys, "AUTHORIZATION")
|
|
1612
|
+
assert_includes(headers.keys, "cookie")
|
|
1613
|
+
|
|
1614
|
+
assert_match("range|bytes=0-9999", page.body)
|
|
1615
|
+
refute_match("authorization|Basic xxx", page.body)
|
|
1616
|
+
assert_match("cookie|name=value", page.body)
|
|
1617
|
+
end
|
|
1618
|
+
|
|
1598
1619
|
def test_response_redirect_not_ok
|
|
1599
1620
|
@agent.redirect_ok = false
|
|
1600
1621
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mechanize
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.8.
|
|
4
|
+
version: 2.8.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Hodel
|
|
@@ -12,7 +12,7 @@ authors:
|
|
|
12
12
|
autorequire:
|
|
13
13
|
bindir: bin
|
|
14
14
|
cert_chain: []
|
|
15
|
-
date:
|
|
15
|
+
date: 2022-06-09 00:00:00.000000000 Z
|
|
16
16
|
dependencies:
|
|
17
17
|
- !ruby/object:Gem::Dependency
|
|
18
18
|
name: addressable
|
|
@@ -502,7 +502,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
502
502
|
- !ruby/object:Gem::Version
|
|
503
503
|
version: '0'
|
|
504
504
|
requirements: []
|
|
505
|
-
rubygems_version: 3.
|
|
505
|
+
rubygems_version: 3.3.5
|
|
506
506
|
signing_key:
|
|
507
507
|
specification_version: 4
|
|
508
508
|
summary: The Mechanize library is used for automating interaction with websites
|