rest-client 1.6.14 → 1.7.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 317f1bdcf77b2dae0fe9a08a165a56c71fb9c3d79b71c8d6c5a12cb1e4868a4e
-  data.tar.gz: d2a662189817597ff1fca0e6685cdd5d06bdac1ca72bf9a932f1d7def456b26b
+SHA1:
+  metadata.gz: bf3dedbad07361a8b9256ccfe76b123db48c00b3
+  data.tar.gz: 74cc0618213110d4aababe7911c367e84e2f813b
 SHA512:
-  metadata.gz: f789e7291285e26aa719119331d0d1a6322ec618a25eb2626a1a8486e3584fb07e52d25dfb7a56972cb495e5e2cad6c67eae5f3da98d66974d51f3c4fc2566f1
-  data.tar.gz: cf43508dbbc1f6977b3e8ad047651591760b8f386e3daa472888fc81f262b3d2669798f847b88fdd7b6f6f77b2a44990688c88efc53e02072bb9f284459c6b41
+  metadata.gz: 1230bc04a0a791ff416e9592dbd9ecf96bc315f39ddcebdd41266f4e84dbfd5ded56a79796a13e4b4598f2a0443c09dc8e925a73351e4d77bebd62d43338dc3f
+  data.tar.gz: 3a90bb3dc2297d6a6206780c4b088633ec098c535195592b86e481902cd794974ce0552b668ab75f1992eda0615c6ffc1282e76f835de72fdd5d8836ff89b491

data/.gitignore

@@ -1,8 +1,9 @@
+*.gem
 .idea
 .rvmrc
+Gemfile.lock
 doc
-rdoc
 pkg
-*.gem
+rdoc
 scratchpad.rb
-/Gemfile.lock
+/.bundle/

data/.travis.yml

@@ -1,3 +1,14 @@
 language: ruby
 rvm:
-  - "1.8.7"
+  - "1.9.2"
+  - "1.9.3"
+  - "2.0.0"
+  # Forgo 2.1.0 until Travis has a satisfactory fix for
+  # https://github.com/travis-ci/travis-ci/issues/2220
+  - "2.1"  # always the latest 2.1.x
+  - "jruby-19mode"
+script:
+  bundle exec rake test
+branches:
+  except:
+    - "readme-edits"

data/AUTHORS

@@ -11,12 +11,14 @@ Braintree
 Brian Donovan
 Caleb Land
 Chris Dinn
+Chris Frohoff
 Chris Green
 Coda Hale
 Crawford
 Cyril Rohr
 Dan Mayer
 David Backeus
+David Perkowski
 Dmitri Dolguikh
 Dusty Doris
 Dylan Egan
@@ -32,16 +34,19 @@ Hiro Asari
 Hugh McGowan
 Ian Warshak
 Ivan Makfinsky
+JH. Chabran
 James Edward Gray II
 Jari Bakken
 Jeff Remer
-JH. Chabran
+Jeffrey Hardy
+Jeremy Kemper
 John Barnette
 Jon Rowe
 Jordi Massaguer Pla
 Juan Alvarez
 Julien Kirch
 Justin Coyne
+Justin Lambert
 Keith Rarick
 Kenichi Kamiya
 Kevin Read
@@ -51,7 +56,7 @@ Lars Gierth
 Lawrence Leonard Gilbert
 Lee Jarvis
 Lennon Day-Reynolds
-macournoyer
+Marc-André Cournoyer
 Matthew Manning
 Michael Klett
 Mike Fletcher
@@ -62,14 +67,15 @@ Oscar Del Ben
 Pablo Astigarraga
 Paul Dlug
 Pedro Belo
-rafael.ssouza
 Philip Corliss
+Pierre-Louis Gottfrois
+Rafael Ssouza
 Rick "technoweenie"
 Robert Eanes
 Rodrigo Panachi
 Syl Turner
 T. Watanabe
 Tekin
-tpresa
 W. Andrew Loe III
 Waynn Lue
+tpresa

data/Gemfile

@@ -1,6 +1,10 @@
 source "https://rubygems.org"
 
-gemspec
+if !!File::ALT_SEPARATOR
+  gemspec :name => 'rest-client.windows'
+else
+  gemspec :name => 'rest-client'
+end
 
 group :test do
   gem 'rake'

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2008-2014 Rest Client Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.rdoc

@@ -1,6 +1,7 @@
 = REST Client -- simple DSL for accessing HTTP and REST resources
 
-Build status: {<img src="https://travis-ci.org/rest-client/rest-client.svg?branch=1.6-legacy" alt="Build Status" />}[https://travis-ci.org/rest-client/rest-client]
+Build status: {<img src="https://travis-ci.org/rest-client/rest-client.png" />}[https://travis-ci.org/rest-client/rest-client]
+
 
 A simple HTTP and REST client for Ruby, inspired by the Sinatra's microframework style
 of specifying actions: get, put, post, delete.
@@ -8,6 +9,27 @@ of specifying actions: get, put, post, delete.
 * Main page: https://github.com/rest-client/rest-client
 * Mailing list: rest.client@librelist.com (send a mail to subscribe).
 
+== Requirements
+
+MRI Ruby 1.9.2 and newer are supported. Alternative interpreters compatible with
+1.9.1+ should work as well.
+
+Ruby 1.8.7 is no longer supported.  That's because the Ruby 1.8.7 interpreter
+itself no longer has official support, _not_ _even_ _security_ _patches!_ If you
+have been putting off upgrading your servers, now is the time.
+({More info is on the Ruby developers'
+blog.}[http://www.ruby-lang.org/en/news/2013/06/30/we-retire-1-8-7/])
+
+The rest-client gem depends on these other gems for installation and usage:
+
+* {mime-types}[http://rubygems.org/gems/mime-types]
+* {netrc}[http://rubygems.org/gems/netrc]
+* {rdoc}[http://rubygems.org/gems/rdoc]
+
+If you want to hack on the code, you should also have {the Bundler
+gem}[http://bundler.io/] installed so it can manage all necessary development
+dependencies for you.
+
 == Usage: Raw URL
 
   require 'rest_client'
@@ -59,7 +81,7 @@ This does two things for you:
 
 If you are sending params that do not contain a File object but the payload needs to be multipart then:
 
-  RestClient.post '/data', :foo => 'bar', :multipart => true
+  RestClient.post '/data', {:foo => 'bar', :multipart => true}
 
 == Usage: ActiveResource-Style
 
@@ -298,3 +320,6 @@ Released under the MIT License: http://www.opensource.org/licenses/mit-license.p
 "Master Shake" photo (http://www.flickr.com/photos/solgrundy/924205581/) by
 "SolGrundy"; used under terms of the Creative Commons Attribution-ShareAlike 2.0
 Generic license (http://creativecommons.org/licenses/by-sa/2.0/)
+
+Code for reading Windows root certificate store derived from work by Puppet;
+used under terms of the Apache License, Version 2.0.

data/Rakefile

@@ -1,38 +1,106 @@
-begin
-  # optionally load `rake build/install/release tasks'
-  require 'bundler/gem_tasks'
-rescue LoadError
+# load `rake build/install/release tasks'
+require 'bundler/setup'
+require_relative './lib/restclient/version'
+
+namespace :ruby do
+  Bundler::GemHelper.install_tasks(:name => 'rest-client')
 end
 
 require "rspec/core/rake_task"
 
 desc "Run all specs"
-task :spec => ["spec:unit", "spec:integration"]
+RSpec::Core::RakeTask.new('spec')
 
 desc "Run unit specs"
 RSpec::Core::RakeTask.new('spec:unit') do |t|
-  t.pattern = ['spec/*_spec.rb']
+  t.pattern = 'spec/unit/*_spec.rb'
 end
 
 desc "Run integration specs"
 RSpec::Core::RakeTask.new('spec:integration') do |t|
-  t.pattern = ['spec/integration/*_spec.rb']
+  t.pattern = 'spec/integration/*_spec.rb'
 end
 
 desc "Print specdocs"
 RSpec::Core::RakeTask.new(:doc) do |t|
   t.rspec_opts = ["--format", "specdoc", "--dry-run"]
-  t.pattern = ['spec/*_spec.rb']
+  t.pattern = 'spec/**/*_spec.rb'
 end
 
 desc "Run all examples with RCov"
 RSpec::Core::RakeTask.new('rcov') do |t|
-  t.pattern = ['spec/*_spec.rb']
+  t.pattern = 'spec/*_spec.rb'
   t.rcov = true
   t.rcov_opts = ['--exclude', 'examples']
 end
 
-task :default => :spec
+task :default do
+  sh 'rake -T'
+end
+
+def alias_task(alias_task, original)
+  desc "Alias for rake #{original}"
+  task alias_task, Rake.application[original].arg_names => original
+end
+alias_task(:test, :spec)
+
+############################
+
+WindowsPlatforms = %w{x86-mingw32 x64-mingw32 x86-mswin32}
+
+namespace :all do
+
+  desc "Build rest-client #{RestClient::VERSION} for all platforms"
+  task :build => ['ruby:build'] + \
+    WindowsPlatforms.map {|p| "windows:#{p}:build"}
+
+  desc "Create tag v#{RestClient::VERSION} and for all platforms build and push " \
+    "rest-client #{RestClient::VERSION} to Rubygems"
+  task :release => ['build', 'ruby:release'] + \
+    WindowsPlatforms.map {|p| "windows:#{p}:push"}
+
+end
+
+namespace :windows do
+  spec_path = File.join(File.dirname(__FILE__), 'rest-client.windows.gemspec')
+
+  WindowsPlatforms.each do |platform|
+    namespace platform do
+      gem_filename = "rest-client-#{RestClient::VERSION}-#{platform}.gem"
+      base = File.dirname(__FILE__)
+      pkg_dir = File.join(base, 'pkg')
+      gem_file_path = File.join(pkg_dir, gem_filename)
+
+      desc "Build #{gem_filename} into the pkg directory"
+      task 'build' do
+        orig_platform = ENV['BUILD_PLATFORM']
+        begin
+          ENV['BUILD_PLATFORM'] = platform
+
+          sh("gem build -V #{spec_path}") do |ok, res|
+            if ok
+              FileUtils.mkdir_p(pkg_dir)
+              FileUtils.mv(File.join(base, gem_filename), pkg_dir)
+              Bundler.ui.confirm("rest-client #{RestClient::VERSION} " +
+                                 "built to pkg/#{gem_filename}")
+            else
+              abort "Command `gem build` failed: #{res}"
+            end
+          end
+
+        ensure
+          ENV['BUILD_PLATFORM'] = orig_platform
+        end
+      end
+
+      desc "Push #{gem_filename} to Rubygems"
+      task 'push' do
+        sh("gem push #{gem_file_path}")
+      end
+    end
+  end
+
+end
 
 ############################
 

data/bin/restclient

@@ -50,7 +50,7 @@ if @verb
     end
     exit 0
   rescue RestClient::Exception => e
-    puts e.response.body if e.respond_to? :response
+    puts e.response.body if e.respond_to?(:response) && e.response
     raise
   end
 end

data/history.md

@@ -1,19 +1,25 @@
-# 1.6.14
-
-- This release is unchanged from 1.6.9. It was published in order to supersede
-  the malicious 1.6.10-13 versions, even for users who are still pinning to the
-  legacy 1.6.x series. All users are encouraged to upgrade to rest-client 2.x.
-
-# 1.6.10, 1.6.11, 1.6.12, 1.6.13 (CVE-2019-15224)
-
-- These versions were pushed by a malicious actor and included a backdoor permitting
-  remote code execution in Rails environments.
-- They were live for about five days before being yanked.
-  https://github.com/rest-client/rest-client/issues/713
-
-# 1.6.9
-
-- Move rdoc to a development dependency
+# 1.7.0
+
+- This release drops support for Ruby 1.8.7 and breaks compatibility in a few
+  other relatively minor ways
+- Upgrade to mime-types ~> 2.0
+- Don't CGI.unescape cookie values sent to the server (issue #89)
+- Add support for reading credentials from netrc
+- Lots of SSL changes and enhancements: (#268)
+  - Enable peer verification by default (setting `VERIFY_PEER` with OpenSSL)
+  - By default, use the system default certificate store for SSL verification,
+    even on Windows (this uses a separate Windows build that pulls in ffi)
+  - Add support for SSL `ca_path`
+  - Add support for SSL `cert_store`
+  - Add support for SSL `verify_callback` (with some caveats for jruby, OS X, #277)
+  - Add support for SSL ciphers, and choose secure ones by default
+- Run tests under travis
+- Several other bugfixes and test improvements
+  - Convert Errno::ETIMEDOUT to RestClient::RequestTimeout
+  - Handle more HTTP response codes from recent standards
+  - Save raw responses to binary mode tempfile (#110)
+  - Disable timeouts with :timeout => nil rather than :timeout => -1
+  - Drop all Net::HTTP monkey patches
 
 # 1.6.8
 

data/lib/restclient.rb

@@ -1,13 +1,7 @@
 require 'uri'
 require 'zlib'
 require 'stringio'
-
-begin
-  require 'net/https'
-rescue LoadError => e
-  raise e unless RUBY_PLATFORM =~ /linux/
-  raise LoadError, "no such file to load -- net/https. Try running apt-get install libopenssl-ruby"
-end
+require 'net/https'
 
 require File.dirname(__FILE__) + '/restclient/version'
 require File.dirname(__FILE__) + '/restclient/platform'
@@ -18,7 +12,7 @@ require File.dirname(__FILE__) + '/restclient/response'
 require File.dirname(__FILE__) + '/restclient/raw_response'
 require File.dirname(__FILE__) + '/restclient/resource'
 require File.dirname(__FILE__) + '/restclient/payload'
-require File.dirname(__FILE__) + '/restclient/net_http_ext'
+require File.dirname(__FILE__) + '/restclient/windows'
 
 # This module's static methods are the entry point for using the REST client.
 #

data/lib/restclient/exceptions.rb

@@ -40,13 +40,16 @@ module RestClient
               415 => 'Unsupported Media Type',
               416 => 'Requested Range Not Satisfiable',
               417 => 'Expectation Failed',
-              418 => 'I\'m A Teapot',
+              418 => 'I\'m A Teapot', #RFC2324
               421 => 'Too Many Connections From This IP',
               422 => 'Unprocessable Entity', #WebDAV
               423 => 'Locked', #WebDAV
               424 => 'Failed Dependency', #WebDAV
               425 => 'Unordered Collection', #WebDAV
               426 => 'Upgrade Required',
+              428 => 'Precondition Required', #RFC6585
+              429 => 'Too Many Requests', #RFC6585
+              431 => 'Request Header Fields Too Large', #RFC6585
               449 => 'Retry With', #Microsoft
               450 => 'Blocked By Windows Parental Controls', #Microsoft
 
@@ -59,7 +62,9 @@ module RestClient
               506 => 'Variant Also Negotiates',
               507 => 'Insufficient Storage', #WebDAV
               509 => 'Bandwidth Limit Exceeded', #Apache
-              510 => 'Not Extended'}
+              510 => 'Not Extended',
+              511 => 'Network Authentication Required', # RFC6585
+  }
 
   # Compatibility : make the Response act like a Net::HTTPResponse when needed
   module ResponseForException

data/lib/restclient/platform.rb

@@ -23,7 +23,8 @@ module RestClient
     # @return [Boolean]
     #
     def self.jruby?
-      RUBY_PLATFORM == 'java'
+      # defined on mri >= 1.9
+      RUBY_ENGINE == 'jruby'
     end
   end
 end

data/lib/restclient/request.rb

@@ -1,6 +1,8 @@
 require 'tempfile'
 require 'mime/types'
 require 'cgi'
+require 'netrc'
+require 'set'
 
 module RestClient
   # This class is used internally by RestClient to send the request, but you can also
@@ -19,22 +21,87 @@ module RestClient
   # * :block_response call the provided block with the HTTPResponse as parameter
   # * :raw_response return a low-level RawResponse instead of a Response
   # * :max_redirects maximum number of redirections (default to 10)
-  # * :verify_ssl enable ssl verification, possible values are constants from OpenSSL::SSL
-  # * :timeout and :open_timeout passing in -1 will disable the timeout by setting the corresponding net timeout values to nil
-  # * :ssl_client_cert, :ssl_client_key, :ssl_ca_file
-  # * :ssl_verify_callback, :ssl_verify_callback_warnings
+  # * :verify_ssl enable ssl verification, possible values are constants from
+  #     OpenSSL::SSL::VERIFY_*, defaults to OpenSSL::SSL::VERIFY_PEER
+  # * :timeout and :open_timeout are how long to wait for a response and to
+  #     open a connection, in seconds. Pass nil to disable the timeout.
+  # * :ssl_client_cert, :ssl_client_key, :ssl_ca_file, :ssl_ca_path,
+  #     :ssl_cert_store, :ssl_verify_callback, :ssl_verify_callback_warnings
+  # * :ssl_version specifies the SSL version for the underlying Net::HTTP connection
+  # * :ssl_ciphers sets SSL ciphers for the connection. See
+  #     OpenSSL::SSL::SSLContext#ciphers=
   class Request
 
     attr_reader :method, :url, :headers, :cookies,
                 :payload, :user, :password, :timeout, :max_redirects,
-                :open_timeout, :raw_response, :verify_ssl, :ssl_client_cert,
-                :ssl_client_key, :ssl_ca_file, :processed_headers, :args,
-                :ssl_verify_callback, :ssl_verify_callback_warnings
+                :open_timeout, :raw_response, :processed_headers, :args,
+                :ssl_opts
 
     def self.execute(args, & block)
       new(args).execute(& block)
     end
 
+    # This is similar to the list now in ruby core, but adds HIGH and RC4-MD5
+    # for better compatibility (similar to Firefox) and moves AES-GCM cipher
+    # suites above DHE/ECDHE CBC suites (similar to Chromium).
+    # https://github.com/ruby/ruby/commit/699b209cf8cf11809620e12985ad33ae33b119ee
+    #
+    # This list will be used by default if the Ruby global OpenSSL default
+    # ciphers appear to be a weak list.
+    DefaultCiphers = %w{
+      !aNULL
+      !eNULL
+      !EXPORT
+      !SSLV2
+      !LOW
+
+      ECDHE-ECDSA-AES128-GCM-SHA256
+      ECDHE-RSA-AES128-GCM-SHA256
+      ECDHE-ECDSA-AES256-GCM-SHA384
+      ECDHE-RSA-AES256-GCM-SHA384
+      DHE-RSA-AES128-GCM-SHA256
+      DHE-DSS-AES128-GCM-SHA256
+      DHE-RSA-AES256-GCM-SHA384
+      DHE-DSS-AES256-GCM-SHA384
+      AES128-GCM-SHA256
+      AES256-GCM-SHA384
+      ECDHE-ECDSA-AES128-SHA256
+      ECDHE-RSA-AES128-SHA256
+      ECDHE-ECDSA-AES128-SHA
+      ECDHE-RSA-AES128-SHA
+      ECDHE-ECDSA-AES256-SHA384
+      ECDHE-RSA-AES256-SHA384
+      ECDHE-ECDSA-AES256-SHA
+      ECDHE-RSA-AES256-SHA
+      DHE-RSA-AES128-SHA256
+      DHE-RSA-AES256-SHA256
+      DHE-RSA-AES128-SHA
+      DHE-RSA-AES256-SHA
+      DHE-DSS-AES128-SHA256
+      DHE-DSS-AES256-SHA256
+      DHE-DSS-AES128-SHA
+      DHE-DSS-AES256-SHA
+      AES128-SHA256
+      AES256-SHA256
+      AES128-SHA
+      AES256-SHA
+      ECDHE-ECDSA-RC4-SHA
+      ECDHE-RSA-RC4-SHA
+      RC4-SHA
+
+      HIGH
+      +RC4
+      RC4-MD5
+    }.join(":")
+
+    # A set of weak default ciphers that we will override by default.
+    WeakDefaultCiphers = Set.new([
+      "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
+    ])
+
+    SSLOptionList = %w{client_cert client_key ca_file ca_path cert_store
+                       version ciphers verify_callback verify_callback_warnings}
+
     def initialize args
       @method = args[:method] or raise ArgumentError, "must pass :method"
       @headers = args[:headers] || {}
@@ -47,16 +114,57 @@ module RestClient
       @payload = Payload.generate(args[:payload])
       @user = args[:user]
       @password = args[:password]
-      @timeout = args[:timeout]
-      @open_timeout = args[:open_timeout]
+      if args.include?(:timeout)
+        @timeout = args[:timeout]
+      end
+      if args.include?(:open_timeout)
+        @open_timeout = args[:open_timeout]
+      end
       @block_response = args[:block_response]
       @raw_response = args[:raw_response] || false
-      @verify_ssl = args[:verify_ssl] || false
-      @ssl_client_cert = args[:ssl_client_cert] || nil
-      @ssl_client_key = args[:ssl_client_key] || nil
-      @ssl_ca_file = args[:ssl_ca_file] || nil
-      @ssl_verify_callback = args[:ssl_verify_callback] || nil
-      @ssl_verify_callback_warnings = args.fetch(:ssl_verify_callback, true)
+
+      @ssl_opts = {}
+
+      if args.include?(:verify_ssl)
+        v_ssl = args.fetch(:verify_ssl)
+        if v_ssl
+          if v_ssl == true
+            # interpret :verify_ssl => true as VERIFY_PEER
+            @ssl_opts[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+          else
+            # otherwise pass through any truthy values
+            @ssl_opts[:verify_ssl] = v_ssl
+          end
+        else
+          # interpret all falsy :verify_ssl values as VERIFY_NONE
+          @ssl_opts[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE
+        end
+      else
+        # if :verify_ssl was not passed, default to VERIFY_PEER
+        @ssl_opts[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+      end
+
+      SSLOptionList.each do |key|
+        source_key = ('ssl_' + key).to_sym
+        if args.has_key?(source_key)
+          @ssl_opts[key.to_sym] = args.fetch(source_key)
+        end
+      end
+
+      # If there's no CA file, CA path, or cert store provided, use default
+      if !ssl_ca_file && !ssl_ca_path && !@ssl_opts.include?(:cert_store)
+        @ssl_opts[:cert_store] = self.class.default_ssl_cert_store
+      end
+
+      unless @ssl_opts.include?(:ciphers)
+        # If we're on a Ruby version that has insecure default ciphers,
+        # override it with our default list.
+        if WeakDefaultCiphers.include?(
+             OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.fetch(:ciphers))
+          @ssl_opts[:ciphers] = DefaultCiphers
+        end
+      end
+
       @tf = nil # If you are a raw request, this is your tempfile
       @max_redirects = args[:max_redirects] || 10
       @processed_headers = make_headers headers
@@ -70,6 +178,16 @@ module RestClient
       payload.close if payload
     end
 
+    # SSL-related options
+    def verify_ssl
+      @ssl_opts.fetch(:verify_ssl)
+    end
+    SSLOptionList.each do |key|
+      define_method('ssl_' + key) do
+        @ssl_opts[key.to_sym]
+      end
+    end
+
     # Extract the query parameters and append them to the url
     def process_url_params url, headers
       url_params = {}
@@ -91,13 +209,46 @@ module RestClient
 
     def make_headers user_headers
       unless @cookies.empty?
-        user_headers[:cookie] = @cookies.map { |(key, val)| "#{key.to_s}=#{CGI::unescape(val)}" }.sort.join('; ')
+
+        # Validate that the cookie names and values look sane. If you really
+        # want to pass scary characters, just set the Cookie header directly.
+        # RFC6265 is actually much more restrictive than we are.
+        @cookies.each do |key, val|
+          unless valid_cookie_key?(key)
+            raise ArgumentError.new("Invalid cookie name: #{key.inspect}")
+          end
+          unless valid_cookie_value?(val)
+            raise ArgumentError.new("Invalid cookie value: #{val.inspect}")
+          end
+        end
+
+        user_headers[:cookie] = @cookies.map { |key, val| "#{key}=#{val}" }.sort.join('; ')
       end
       headers = stringify_headers(default_headers).merge(stringify_headers(user_headers))
       headers.merge!(@payload.headers) if @payload
       headers
     end
 
+    # Do some sanity checks on cookie keys.
+    #
+    # Properly it should be a valid TOKEN per RFC 2616, but lots of servers are
+    # more liberal.
+    #
+    # Disallow the empty string as well as keys containing control characters,
+    # equals sign, semicolon, comma, or space.
+    #
+    def valid_cookie_key?(string)
+      return false if string.empty?
+
+      ! Regexp.new('[\x0-\x1f\x7f=;, ]').match(string)
+    end
+
+    # Validate cookie values. Rather than following RFC 6265, allow anything
+    # but control characters, comma, and semicolon.
+    def valid_cookie_value?(value)
+      ! Regexp.new('[\x0-\x1f\x7f,;]').match(value)
+    end
+
     def net_http_class
       if RestClient.proxy
         proxy_uri = URI.parse(RestClient.proxy)
@@ -111,6 +262,15 @@ module RestClient
       Net::HTTP.const_get(method.to_s.capitalize)
     end
 
+    def net_http_do_request(http, req, body=nil, &block)
+      if body != nil && body.respond_to?(:read)
+        req.body_stream = body
+        return http.request(req, nil, &block)
+      else
+        return http.request(req, body, &block)
+      end
+    end
+
     def parse_url(url)
       url = "http://#{url}" unless url.match(/^http/)
       URI.parse(url)
@@ -120,6 +280,9 @@ module RestClient
       uri = parse_url(url)
       @user = CGI.unescape(uri.user) if uri.user
       @password = CGI.unescape(uri.password) if uri.password
+      if !@user && !@password
+        @user, @password = Netrc.read[uri.host]
+      end
       uri
     end
 
@@ -140,6 +303,30 @@ module RestClient
       end
     end
 
+    # Return a certificate store that can be used to validate certificates with
+    # the system certificate authorities. This will probably not do anything on
+    # OS X, which monkey patches OpenSSL in terrible ways to insert its own
+    # validation. On most *nix platforms, this will add the system certifcates
+    # using OpenSSL::X509::Store#set_default_paths. On Windows, this will use
+    # RestClient::Windows::RootCerts to look up the CAs trusted by the system.
+    #
+    # @return [OpenSSL::X509::Store]
+    #
+    def self.default_ssl_cert_store
+      cert_store = OpenSSL::X509::Store.new
+      cert_store.set_default_paths
+
+      # set_default_paths() doesn't do anything on Windows, so look up
+      # certificates using the win32 API.
+      if RestClient::Platform.windows?
+        RestClient::Windows::RootCerts.instance.to_a.uniq.each do |cert|
+          cert_store.add_cert(cert)
+        end
+      end
+
+      cert_store
+    end
+
     def print_verify_callback_warnings
       warned = false
       if RestClient::Platform.mac?
@@ -159,27 +346,20 @@ module RestClient
 
       net = net_http_class.new(uri.host, uri.port)
       net.use_ssl = uri.is_a?(URI::HTTPS)
-      if @verify_ssl
-        if @verify_ssl.is_a? Integer
-          net.verify_mode = @verify_ssl
-        else
-          net.verify_mode = OpenSSL::SSL::VERIFY_PEER
-        end
-      else
-        net.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      end
-      net.cert = @ssl_client_cert if @ssl_client_cert
-      net.key = @ssl_client_key if @ssl_client_key
-      net.ca_file = @ssl_ca_file if @ssl_ca_file
-      net.read_timeout = @timeout if @timeout
-      net.open_timeout = @open_timeout if @open_timeout
+      net.ssl_version = ssl_version if ssl_version
+      net.ciphers = ssl_ciphers if ssl_ciphers
 
-      # disable the timeout if the timeout value is -1
-      net.read_timeout = nil if @timeout == -1
-      net.open_timeout = nil if @open_timeout == -1
+      net.verify_mode = verify_ssl
 
-      # verify_callback isn't well supported on all platforms, but do allow
-      # users to set one if they want.
+      net.cert = ssl_client_cert if ssl_client_cert
+      net.key = ssl_client_key if ssl_client_key
+      net.ca_file = ssl_ca_file if ssl_ca_file
+      net.ca_path = ssl_ca_path if ssl_ca_path
+      net.cert_store = ssl_cert_store if ssl_cert_store
+
+      # We no longer rely on net.verify_callback for the main SSL verification
+      # because it's not well supported on all platforms (see comments below).
+      # But do allow users to set one if they want.
       if ssl_verify_callback
         net.verify_callback = ssl_verify_callback
 
@@ -197,30 +377,70 @@ module RestClient
         end
       end
 
+      if OpenSSL::SSL::VERIFY_PEER == OpenSSL::SSL::VERIFY_NONE
+        warn('WARNING: OpenSSL::SSL::VERIFY_PEER == OpenSSL::SSL::VERIFY_NONE')
+        warn('This dangerous monkey patch leaves you open to MITM attacks!')
+        warn('Try passing :verify_ssl => false instead.')
+      end
+
+      if defined? @timeout
+        if @timeout == -1
+          warn 'To disable read timeouts, please set timeout to nil instead of -1'
+          @timeout = nil
+        end
+        net.read_timeout = @timeout
+      end
+      if defined? @open_timeout
+        if @open_timeout == -1
+          warn 'To disable open timeouts, please set open_timeout to nil instead of -1'
+          @open_timeout = nil
+        end
+        net.open_timeout = @open_timeout
+      end
+
       RestClient.before_execution_procs.each do |before_proc|
         before_proc.call(req, args)
       end
 
       log_request
 
+
       net.start do |http|
         if @block_response
-          http.request(req, payload ? payload.to_s : nil, & @block_response)
+          net_http_do_request(http, req, payload ? payload.to_s : nil,
+                           & @block_response)
         else
-          res = http.request(req, payload ? payload.to_s : nil) { |http_response| fetch_body(http_response) }
+          res = net_http_do_request(http, req, payload ? payload.to_s : nil) \
+            { |http_response| fetch_body(http_response) }
           log_response res
           process_result res, & block
         end
       end
     rescue EOFError
       raise RestClient::ServerBrokeConnection
-    rescue Timeout::Error
+    rescue Timeout::Error, Errno::ETIMEDOUT
       raise RestClient::RequestTimeout
+
     rescue OpenSSL::SSL::SSLError => error
-      # UGH. Not sure if this is needed at all. SSLCertificateNotVerified is not being used internally.
-      # I think it would be better to leave SSLError processing to the client (they'd have to do that anyway...)
-      raise SSLCertificateNotVerified.new(error.message) if error.message.include?("certificate verify failed")
-      raise error
+      # TODO: deprecate and remove RestClient::SSLCertificateNotVerified and just
+      # pass through OpenSSL::SSL::SSLError directly.
+      #
+      # Exceptions in verify_callback are ignored [1], and jruby doesn't support
+      # it at all [2]. RestClient has to catch OpenSSL::SSL::SSLError and either
+      # re-throw it as is, or throw SSLCertificateNotVerified based on the
+      # contents of the message field of the original exception.
+      #
+      # The client has to handle OpenSSL::SSL::SSLError exceptions anyway, so
+      # we shouldn't make them handle both OpenSSL and RestClient exceptions.
+      #
+      # [1] https://github.com/ruby/ruby/blob/89e70fe8e7/ext/openssl/ossl.c#L238
+      # [2] https://github.com/jruby/jruby/issues/597
+
+      if error.message.include?("certificate verify failed")
+        raise SSLCertificateNotVerified.new(error.message)
+      else
+        raise error
+      end
     end
 
     def setup_credentials(req)
@@ -233,17 +453,18 @@ module RestClient
         # Stolen from http://www.ruby-forum.com/topic/166423
         # Kudos to _why!
         @tf = Tempfile.new("rest-client")
+        @tf.binmode
         size, total = 0, http_response.header['Content-Length'].to_i
         http_response.read_body do |chunk|
           @tf.write chunk
           size += chunk.size
           if RestClient.log
             if size == 0
-              RestClient.log << "#{@method} #{@url} done (0 length file\n)"
+              RestClient.log << "%s %s done (0 length file\n)" % [@method, @url]
             elsif total == 0
-              RestClient.log << "#{@method} #{@url} (zero content length)\n"
+              RestClient.log << "%s %s (zero content length)\n" % [@method, @url]
             else
-              RestClient.log << "#{@method} #{@url} %d%% done (%d of %d)\n" % [(size * 100) / total, size, total]
+              RestClient.log << "%s %s %d%% done (%d of %d)\n" % [@method, @url, (size * 100) / total, size, total]
             end
           end
         end
@@ -335,9 +556,10 @@ module RestClient
     end
 
     private
-      def parser
-        URI.const_defined?(:Parser) ? URI::Parser.new : URI
-      end
+
+    def parser
+      URI.const_defined?(:Parser) ? URI::Parser.new : URI
+    end
 
   end
 end