mechanize 2.8.4 → 2.8.5

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d8b4e424716d3f5d8fdc1fe82efca4412eee6b414c0cafee9cdced96023e632d
4
- data.tar.gz: b4450930235cb304ced9e63cede8fd3abe3bc7c7f38530ef6127be8208de3c93
3
+ metadata.gz: 6464b4f3e7e1248feaca2b3d335d6e1c079895317d6ceb8e3999924b53d1ace0
4
+ data.tar.gz: 16fb65c1b39a57c312ca1a45002c89e266fb2cd8720f4239b98c13ffa3629830
5
5
  SHA512:
6
- metadata.gz: cb936d26c46330432cd5d230b5e54b3792de5a2e39d3aa3a09a4904e5cf0f4bd9547c489772f3cd8d989e171022a18943bf4d09f0420038ed36d941978605a4f
7
- data.tar.gz: 3b8103cfa2759f937b43384ac13ae0b8be9d22505841199fd0acd8fc0f4c4d86e0844571bbcd930da2d55e54f2178bbe222f9876959851ee694988bd5b874668
6
+ metadata.gz: 5d853dddbc85ec4a87d708ea2a970a3cecb11c868da9673f38d75bff6c6449e2b4ec32881fcb4066ee6d53d96812e6620adb9c8bf4a33e825ced05d7890bc057
7
+ data.tar.gz: b688fb7da123ee2768dc3f7772dfa943373c80d7e7ce8daeb5ceff772992f6f781db61e71515b24b7efe020180a6990b32aceeb1bcf4750f0328d20c3eced009
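--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Mechanize CHANGELOG
 
+## 2.8.5 / 2022-06-09
+
+### Security
+
+Fixes low-severity CVE-2022-31033, "Authorization header leak on port redirect." See [GHSA-64qm-hrgp-pgr9](https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9) for more details.
+
+
 ## 2.8.4 / 2022-01-17
 
 ### Fix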
@@ -9,7 +9,8 @@ require 'webrobots'
9
9
 
10
10
  class Mechanize::HTTP::Agent
11
11
 
12
- CREDENTIAL_HEADERS = ['Authorization', 'Cookie']
12
+ CREDENTIAL_HEADERS = ['Authorization']
13
+ COOKIE_HEADERS = ['Cookie']
13
14
  POST_HEADERS = ['Content-Length', 'Content-MD5', 'Content-Type']
14
15
 
15
16
  # :section: Headers
@@ -998,10 +999,14 @@ class Mechanize::HTTP::Agent
998
999
  end
999
1000
 
1000
1001
  # Make sure we clear credential headers if being redirected to another site
1001
- if new_uri.host != page.uri.host
1002
- CREDENTIAL_HEADERS.each do |ch|
1003
- headers.delete_if { |h| h.casecmp?(ch) }
1002
+ if new_uri.host == page.uri.host
1003
+ if new_uri.port != page.uri.port
1004
+ # https://datatracker.ietf.org/doc/html/rfc6265#section-8.5
1005
+ # cookies are OK to be shared across ports on the same host
1006
+ CREDENTIAL_HEADERS.each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
1004
1007
  end
1008
+ else
1009
+ (COOKIE_HEADERS + CREDENTIAL_HEADERS).each { |ch| headers.delete_if { |h| h.casecmp?(ch) } }
1005
1010
  end
1006
1011
 
1007
1012
  fetch new_uri, redirect_method, headers, [], referer, redirects + 1
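Review bot: The inner check `if new_uri.port != page.uri.port` keys the Authorization strip on host and port only, so a same-host redirect that changes just the scheme while keeping an explicit port (e.g. `https://example:8443/` to `http://example:8443/`) still forwards the Authorization header, now over cleartext. HTTP credentials are scoped to scheme, host and port (the protection space of RFC 7235 §2.2), so I would widen the condition to `if new_uri.port != page.uri.port || new_uri.scheme != page.uri.scheme` and add a companion test modelled on `test_response_redirect_to_same_site_diff_port_with_credential` that redirects across schemes on the same port. Redirects between default ports (https to http) look to be caught already because `URI#port` reports the scheme default, but that is inferred rather than visible in this hunk. The enclosing `response_redirect` method starts and ends outside the hunk.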
@@ -1,4 +1,4 @@
1
1
  # frozen_string_literal: true
2
2
  class Mechanize
3
- VERSION = "2.8.4"
3
+ VERSION = "2.8.5"
4
4
  end
@@ -1569,7 +1569,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
1569
1569
  refute_includes(headers.keys, "AUTHORIZATION")
1570
1570
  refute_includes(headers.keys, "cookie")
1571
1571
 
1572
- assert_match 'range|bytes=0-9999', page.body
1572
+ assert_match("range|bytes=0-9999", page.body)
1573
1573
  refute_match("authorization|Basic xxx", page.body)
1574
1574
  refute_match("cookie|name=value", page.body)
1575
1575
  end
@@ -1590,11 +1590,32 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
1590
1590
  assert_includes(headers.keys, "AUTHORIZATION")
1591
1591
  assert_includes(headers.keys, "cookie")
1592
1592
 
1593
- assert_match 'range|bytes=0-9999', page.body
1593
+ assert_match("range|bytes=0-9999", page.body)
1594
1594
  assert_match("authorization|Basic xxx", page.body)
1595
1595
  assert_match("cookie|name=value", page.body)
1596
1596
  end
1597
1597
 
1598
+ def test_response_redirect_to_same_site_diff_port_with_credential
1599
+ @agent.redirect_ok = true
1600
+
1601
+ headers = {
1602
+ 'Range' => 'bytes=0-9999',
1603
+ 'AUTHORIZATION' => 'Basic xxx',
1604
+ 'cookie' => 'name=value',
1605
+ }
1606
+
1607
+ page = html_page ''
1608
+ page = @agent.response_redirect({ 'Location' => 'http://example:81/http_headers' }, :get,
1609
+ page, 0, headers)
1610
+
1611
+ refute_includes(headers.keys, "AUTHORIZATION")
1612
+ assert_includes(headers.keys, "cookie")
1613
+
1614
+ assert_match("range|bytes=0-9999", page.body)
1615
+ refute_match("authorization|Basic xxx", page.body)
1616
+ assert_match("cookie|name=value", page.body)
1617
+ end
1618
+
1598
1619
  def test_response_redirect_not_ok
1599
1620
  @agent.redirect_ok = false
1600
1621
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mechanize
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.8.4
4
+ version: 2.8.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Hodel
@@ -12,7 +12,7 @@ authors:
12
12
  autorequire:
13
13
  bindir: bin
14
14
  cert_chain: []
15
- date: 2022-01-17 00:00:00.000000000 Z
15
+ date: 2022-06-09 00:00:00.000000000 Z
16
16
  dependencies:
17
17
  - !ruby/object:Gem::Dependency
18
18
  name: addressable