mechanize 2.8.4 → 2.8.5

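--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: d8b4e424716d3f5d8fdc1fe82efca4412eee6b414c0cafee9cdced96023e632d
-data.tar.gz: b4450930235cb304ced9e63cede8fd3abe3bc7c7f38530ef6127be8208de3c93
+metadata.gz: 6464b4f3e7e1248feaca2b3d335d6e1c079895317d6ceb8e3999924b53d1ace0
+data.tar.gz: 16fb65c1b39a57c312ca1a45002c89e266fb2cd8720f4239b98c13ffa3629830
 SHA512:
-metadata.gz: cb936d26c46330432cd5d230b5e54b3792de5a2e39d3aa3a09a4904e5cf0f4bd9547c489772f3cd8d989e171022a18943bf4d09f0420038ed36d941978605a4f
-data.tar.gz: 3b8103cfa2759f937b43384ac13ae0b8be9d22505841199fd0acd8fc0f4c4d86e0844571bbcd930da2d55e54f2178bbe222f9876959851ee694988bd5b874668
+metadata.gz: 5d853dddbc85ec4a87d708ea2a970a3cecb11c868da9673f38d75bff6c6449e2b4ec32881fcb4066ee6d53d96812e6620adb9c8bf4a33e825ced05d7890bc057
+data.tar.gz: b688fb7da123ee2768dc3f7772dfa943373c80d7e7ce8daeb5ceff772992f6f781db61e71515b24b7efe020180a6990b32aceeb1bcf4750f0328d20c3eced009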
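--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Mechanize CHANGELOG
 
+## 2.8.5 / 2022-06-09
+
+### Security
+
+Fixes low-severity CVE-2022-31033, "Authorization header leak on port redirect." See [GHSA-64qm-hrgp-pgr9](https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9) for more details.
+
+
 ## 2.8.4 / 2022-01-17
 
 ### Fix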
@@ -9,7 +9,8 @@ require 'webrobots'
9
9
 
10
10
  class Mechanize::HTTP::Agent
11
11
 
12
- CREDENTIAL_HEADERS = ['Authorization', 'Cookie']
12
+ CREDENTIAL_HEADERS = ['Authorization']
13
+ COOKIE_HEADERS = ['Cookie']
13
14
  POST_HEADERS = ['Content-Length', 'Content-MD5', 'Content-Type']
14
15
 
15
16
  # :section: Headers
@@ -998,10 +999,14 @@ class Mechanize::HTTP::Agent
998
999
  end
999
1000
 
1000
1001
  # Make sure we clear credential headers if being redirected to another site
1001
- if new_uri.host != page.uri.host
1002
- CREDENTIAL_HEADERS.each do |ch|
1003
- headers.delete_if { |h| h.casecmp?(ch) }
1002
+ if new_uri.host == page.uri.host
1003
+ if new_uri.port != page.uri.port
1004
+ # https://datatracker.ietf.org/doc/html/rfc6265#section-8.5
1005
+ # cookies are OK to be shared across ports on the same host
1006
+ CREDENTIAL_HEADERS.each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
1004
1007
  end
1008
+ else
1009
+ (COOKIE_HEADERS + CREDENTIAL_HEADERS).each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
1005
1010
  end
1006
1011
 
1007
1012
  fetch new_uri, redirect_method, headers, [], referer, redirects + 1
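Review bot: The new branch at lines 1002–1010 compares only host and port, so a redirect that keeps both but changes the scheme (https → http with an explicitly matching port, assuming `new_uri` is already absolute here) still forwards `Authorization` and any caller-supplied `Cookie` header over plaintext; treating a scheme change like a port change, `elsif new_uri.port != page.uri.port || new_uri.scheme != page.uri.scheme`, would close that gap without touching the cross-host behaviour. The host check is a plain `==`, which is case-sensitive; if `new_uri` is not normalised before this point, `Example.com` vs `example.com` is treated as cross-site and over-strips, which is the safe direction but deserves either a comment or `casecmp?`. The `each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }` loop is now written twice and the comment at line 1001 no longer describes the port-only case, so building one list of headers to drop and running a single `delete_if` keeps the RFC 6265 reference next to the condition it justifies. In the first hunk, the split `CREDENTIAL_HEADERS` and `COOKIE_HEADERS` arrays are mutable constants and would benefit from `.freeze`. The enclosing method (called as `response_redirect` in the tests) starts and ends outside the hunk.
```ruby
      # Clear credential headers when redirected to another site; when only
      # the port or scheme changes on the same host, drop Authorization but
      # keep cookies:
      # https://datatracker.ietf.org/doc/html/rfc6265#section-8.5
      # cookies are OK to be shared across ports on the same host
      drop_headers =
        if new_uri.host != page.uri.host
          COOKIE_HEADERS + CREDENTIAL_HEADERS
        elsif new_uri.port != page.uri.port || new_uri.scheme != page.uri.scheme
          CREDENTIAL_HEADERS
        else
          []
        end
      headers.delete_if { |h| drop_headers.any? { |ch| h.casecmp?(ch) } }
      # … unchanged: fetch new_uri, redirect_method, headers, [], referer, redirects + 1 …
```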
@@ -1,4 +1,4 @@
1
1
  # frozen_string_literal: true
2
2
  class Mechanize
3
- VERSION = "2.8.4"
3
+ VERSION = "2.8.5"
4
4
  end
@@ -1569,7 +1569,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
1569
1569
  refute_includes(headers.keys, "AUTHORIZATION")
1570
1570
  refute_includes(headers.keys, "cookie")
1571
1571
 
1572
- assert_match 'range|bytes=0-9999', page.body
1572
+ assert_match("range|bytes=0-9999", page.body)
1573
1573
  refute_match("authorization|Basic xxx", page.body)
1574
1574
  refute_match("cookie|name=value", page.body)
1575
1575
  end
@@ -1590,11 +1590,32 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
1590
1590
  assert_includes(headers.keys, "AUTHORIZATION")
1591
1591
  assert_includes(headers.keys, "cookie")
1592
1592
 
1593
- assert_match 'range|bytes=0-9999', page.body
1593
+ assert_match("range|bytes=0-9999", page.body)
1594
1594
  assert_match("authorization|Basic xxx", page.body)
1595
1595
  assert_match("cookie|name=value", page.body)
1596
1596
  end
1597
1597
 
1598
+ def test_response_redirect_to_same_site_diff_port_with_credential
1599
+ @agent.redirect_ok = true
1600
+
1601
+ headers = {
1602
+ 'Range' => 'bytes=0-9999',
1603
+ 'AUTHORIZATION' => 'Basic xxx',
1604
+ 'cookie' => 'name=value',
1605
+ }
1606
+
1607
+ page = html_page ''
1608
+ page = @agent.response_redirect({ 'Location' => 'http://example:81/http_headers' }, :get,
1609
+ page, 0, headers)
1610
+
1611
+ refute_includes(headers.keys, "AUTHORIZATION")
1612
+ assert_includes(headers.keys, "cookie")
1613
+
1614
+ assert_match("range|bytes=0-9999", page.body)
1615
+ refute_match("authorization|Basic xxx", page.body)
1616
+ assert_match("cookie|name=value", page.body)
1617
+ end
1618
+
1598
1619
  def test_response_redirect_not_ok
1599
1620
  @agent.redirect_ok = false
1600
1621
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mechanize
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.8.4
4
+ version: 2.8.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Hodel
@@ -12,7 +12,7 @@ authors:
12
12
  autorequire:
13
13
  bindir: bin
14
14
  cert_chain: []
15
- date: 2022-01-17 00:00:00.000000000 Z
15
+ date: 2022-06-09 00:00:00.000000000 Z
16
16
  dependencies:
17
17
  - !ruby/object:Gem::Dependency
18
18
  name: addressable