RubyGems - mechanize - Versions diffs - 2.8.2 → 2.8.5 - Mend

mechanize 2.8.2 → 2.8.5

Files changed (9) hide show

checksums.yaml +4 -4
data/.github/workflows/ci-test.yml +3 -3
data/CHANGELOG.md +21 -0
data/lib/mechanize/cookie_jar.rb +13 -1
data/lib/mechanize/http/agent.rb +9 -4
data/lib/mechanize/version.rb +1 -1
data/lib/mechanize.rb +1 -1
data/test/test_mechanize_http_agent.rb +23 -2
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 98e75d76ae1e421fbdb7f7ff435759e0799612f41d55918cf82bd77e689399bb
-  data.tar.gz: 439d3bf9e35c76a8f8e80daff1e76ad89c8fe3a1b9fd436f6274d1f7f4d1c2f4
+  metadata.gz: 6464b4f3e7e1248feaca2b3d335d6e1c079895317d6ceb8e3999924b53d1ace0
+  data.tar.gz: 16fb65c1b39a57c312ca1a45002c89e266fb2cd8720f4239b98c13ffa3629830
 SHA512:
-  metadata.gz: da510c4185aea0860d0b48b37c78d69db0b399374d1b79a4d54c8eb6748f8b9d9b4a946e050b673467ee5b808ecb298d13fb8e4dc0f41d4c62afdea8a8da4acc
-  data.tar.gz: 571af8b0552b726c32dbf4c9818fba409011c633cf0eed3e355ab6f63b605d7a8d1313ab638ee474933115e9415d046ac95595cb1ac37dfa4a49aeb69698149a
+  metadata.gz: 5d853dddbc85ec4a87d708ea2a970a3cecb11c868da9673f38d75bff6c6449e2b4ec32881fcb4066ee6d53d96812e6620adb9c8bf4a33e825ced05d7890bc057
+  data.tar.gz: b688fb7da123ee2768dc3f7772dfa943373c80d7e7ce8daeb5ceff772992f6f781db61e71515b24b7efe020180a6990b32aceeb1bcf4750f0328d20c3eced009

data/.github/workflows/ci-test.yml CHANGED Viewed

@@ -16,7 +16,7 @@ jobs:
     - uses: actions/checkout@v2
     - uses: ruby/setup-ruby@v1
       with:
-        ruby-version: "3.0"
+        ruby-version: "3.1"
         bundler-cache: true
     - run: bundle exec rake rubocop
@@ -25,7 +25,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby-version: ["2.5", "2.6", "2.7", "3.0", "jruby", "truffleruby-head"]
+        ruby-version: ["2.5", "2.6", "2.7", "3.0", "3.1", "head", "jruby", "truffleruby-head"]
     runs-on: ubuntu-latest
     steps:
@@ -48,6 +48,6 @@ jobs:
     - uses: actions/checkout@v2
     - uses: ruby/setup-ruby@v1
       with:
-        ruby-version: "3.0"
+        ruby-version: "3.1"
         bundler-cache: true
     - run: bundle exec rake test

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,26 @@
 # Mechanize CHANGELOG
+## 2.8.5 / 2022-06-09
+### Security
+Fixes low-severity CVE-2022-31033, "Authorization header leak on port redirect." See [GHSA-64qm-hrgp-pgr9](https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9) for more details.
+## 2.8.4 / 2022-01-17
+### Fix
+* `Mechanize::CookieJar#load` calls `Psych.safe_load` when using Psych >= 3.1
+## 2.8.3 / 2021-11-11
+### Update
+* Update the "Linux Firefox" user agent string to rev94 (#587) Thank you, @ncs1!
 ## 2.8.2 / 2021-08-06
 ### Dependencies

data/lib/mechanize/cookie_jar.rb CHANGED Viewed

@@ -149,7 +149,7 @@ class Mechanize
       return super(input, opthash) if opthash[:format] != :yaml
       begin
-        data = YAML.load(input) # rubocop:disable Security/YAMLLoad
+        data = load_yaml(input)
       rescue ArgumentError
         @logger.warn "unloadable YAML cookie data discarded" if @logger
         return self
@@ -174,6 +174,18 @@ class Mechanize
         return self
       end
     end
+    private
+    if YAML.name == "Psych" && Gem::Requirement.new(">= 3.1").satisfied_by?(Gem::Version.new(Psych::VERSION))
+      def load_yaml(yaml)
+        YAML.safe_load(yaml, aliases: true, permitted_classes: ["Mechanize::Cookie", "Time"])
+      end
+    else
+      def load_yaml(yaml)
+        YAML.load(yaml) # rubocop:disable Security/YAMLLoad
+      end
+    end
   end
   class ::HTTP::CookieJar

data/lib/mechanize/http/agent.rb CHANGED Viewed

@@ -9,7 +9,8 @@ require 'webrobots'
 class Mechanize::HTTP::Agent
-  CREDENTIAL_HEADERS = ['Authorization', 'Cookie']
+  CREDENTIAL_HEADERS = ['Authorization']
+  COOKIE_HEADERS = ['Cookie']
   POST_HEADERS = ['Content-Length', 'Content-MD5', 'Content-Type']
   # :section: Headers
@@ -998,10 +999,14 @@ class Mechanize::HTTP::Agent
     end
     # Make sure we clear credential headers if being redirected to another site
-    if new_uri.host != page.uri.host
-      CREDENTIAL_HEADERS.each do |ch|
-        headers.delete_if { |h| h.casecmp?(ch) }
+    if new_uri.host == page.uri.host
+      if new_uri.port != page.uri.port
+        # https://datatracker.ietf.org/doc/html/rfc6265#section-8.5
+        # cookies are OK to be shared across ports on the same host
+        CREDENTIAL_HEADERS.each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
       end
+    else
+      (COOKIE_HEADERS + CREDENTIAL_HEADERS).each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
     end
     fetch new_uri, redirect_method, headers, [], referer, redirects + 1

data/lib/mechanize/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 class Mechanize
-  VERSION = "2.8.2"
+  VERSION = "2.8.5"
 end

data/lib/mechanize.rb CHANGED Viewed

@@ -115,7 +115,7 @@ class Mechanize
   AGENT_ALIASES = {
     'Mechanize' => "Mechanize/#{VERSION} Ruby/#{ruby_version} (http://github.com/sparklemotion/mechanize/)",
-    'Linux Firefox' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0',
+    'Linux Firefox' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0',
     'Linux Konqueror' => 'Mozilla/5.0 (compatible; Konqueror/3; Linux)',
     'Linux Mozilla' => 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624',
     'Mac Firefox' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0',

data/test/test_mechanize_http_agent.rb CHANGED Viewed

@@ -1569,7 +1569,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     refute_includes(headers.keys, "AUTHORIZATION")
     refute_includes(headers.keys, "cookie")
-    assert_match 'range|bytes=0-9999', page.body
+    assert_match("range|bytes=0-9999", page.body)
     refute_match("authorization|Basic xxx", page.body)
     refute_match("cookie|name=value", page.body)
   end
@@ -1590,11 +1590,32 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_includes(headers.keys, "AUTHORIZATION")
     assert_includes(headers.keys, "cookie")
-    assert_match 'range|bytes=0-9999', page.body
+    assert_match("range|bytes=0-9999", page.body)
     assert_match("authorization|Basic xxx", page.body)
     assert_match("cookie|name=value", page.body)
   end
+  def test_response_redirect_to_same_site_diff_port_with_credential
+    @agent.redirect_ok = true
+    headers = {
+      'Range' => 'bytes=0-9999',
+      'AUTHORIZATION' => 'Basic xxx',
+      'cookie' => 'name=value',
+    }
+    page = html_page ''
+    page = @agent.response_redirect({ 'Location' => 'http://example:81/http_headers' }, :get,
+                                    page, 0, headers)
+    refute_includes(headers.keys, "AUTHORIZATION")
+    assert_includes(headers.keys, "cookie")
+    assert_match("range|bytes=0-9999", page.body)
+    refute_match("authorization|Basic xxx", page.body)
+    assert_match("cookie|name=value", page.body)
+  end
   def test_response_redirect_not_ok
     @agent.redirect_ok = false

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mechanize
 version: !ruby/object:Gem::Version
-  version: 2.8.2
+  version: 2.8.5
 platform: ruby
 authors:
 - Eric Hodel
@@ -12,7 +12,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-06 00:00:00.000000000 Z
+date: 2022-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -502,7 +502,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
+rubygems_version: 3.3.5
 signing_key:
 specification_version: 4
 summary: The Mechanize library is used for automating interaction with websites