webrick 1.3.1 → 1.6.1

data/lib/webrick/cookie.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # cookie.rb -- Cookie class
 #
@@ -9,17 +10,59 @@
 # $IPR: cookie.rb,v 1.16 2002/09/21 12:23:35 gotoyuzo Exp $
 
 require 'time'
-require 'webrick/httputils'
+require_relative 'httputils'
 
 module WEBrick
+
+  ##
+  # Processes HTTP cookies
+
   class Cookie
 
+    ##
+    # The cookie name
+
     attr_reader :name
-    attr_accessor :value, :version
-    attr_accessor :domain, :path, :secure
-    attr_accessor :comment, :max_age
+
+    ##
+    # The cookie value
+
+    attr_accessor :value
+
+    ##
+    # The cookie version
+
+    attr_accessor :version
+
+    ##
+    # The cookie domain
+    attr_accessor :domain
+
+    ##
+    # The cookie path
+
+    attr_accessor :path
+
+    ##
+    # Is this a secure cookie?
+
+    attr_accessor :secure
+
+    ##
+    # The cookie comment
+
+    attr_accessor :comment
+
+    ##
+    # The maximum age of the cookie
+
+    attr_accessor :max_age
+
     #attr_accessor :comment_url, :discard, :port
 
+    ##
+    # Creates a new cookie with the given +name+ and +value+
+
     def initialize(name, value)
       @name = name
       @value = value
@@ -29,14 +72,25 @@ module WEBrick
       @expires = @comment_url = @discard = @port = nil
     end
 
+    ##
+    # Sets the cookie expiration to the time +t+.  The expiration time may be
+    # a false value to disable expiration or a Time or HTTP format time string
+    # to set the expiration date.
+
     def expires=(t)
       @expires = t && (t.is_a?(Time) ? t.httpdate : t.to_s)
     end
 
+    ##
+    # Retrieves the expiration time as a Time
+
     def expires
       @expires && Time.parse(@expires)
     end
 
+    ##
+    # The cookie string suitable for use in an HTTP header
+
     def to_s
       ret = ""
       ret << @name << "=" << @value
@@ -50,14 +104,16 @@ module WEBrick
       ret
     end
 
-    # Cookie::parse()
-    #   It parses Cookie field sent from the user agent.
+    ##
+    # Parses a Cookie field sent from the user-agent.  Returns an array of
+    # cookies.
+
     def self.parse(str)
       if str
         ret = []
         cookie = nil
         ver = 0
-        str.split(/[;,]\s+/).each{|x|
+        str.split(/;\s+/).each{|x|
           key, val = x.split(/=/,2)
           val = val ? HTTPUtils::dequote(val) : ""
           case key
@@ -76,6 +132,9 @@ module WEBrick
       end
     end
 
+    ##
+    # Parses the cookie in +str+
+
     def self.parse_set_cookie(str)
       cookie_elem = str.split(/;/)
       first_elem = cookie_elem.shift
@@ -101,6 +160,9 @@ module WEBrick
       return cookie
     end
 
+    ##
+    # Parses the cookies in +str+
+
     def self.parse_set_cookies(str)
       return str.split(/,(?=[^;,]*=)|,$/).collect{|c|
         parse_set_cookie(c)

data/lib/webrick/htmlutils.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #--
 # htmlutils.rb -- HTMLUtils Module
 #
@@ -15,12 +16,13 @@ module WEBrick
     # Escapes &, ", > and < in +string+
 
     def escape(string)
-      str = string ? string.dup : ""
+      return "" unless string
+      str = string.b
       str.gsub!(/&/n, '&amp;')
       str.gsub!(/\"/n, '&quot;')
       str.gsub!(/>/n, '&gt;')
       str.gsub!(/</n, '&lt;')
-      str
+      str.force_encoding(string.encoding)
     end
     module_function :escape
 

data/lib/webrick/httpauth.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth.rb -- HTTP access authentication
 #
@@ -8,11 +9,11 @@
 #
 # $IPR: httpauth.rb,v 1.14 2003/07/22 19:20:42 gotoyuzo Exp $
 
-require 'webrick/httpauth/basicauth'
-require 'webrick/httpauth/digestauth'
-require 'webrick/httpauth/htpasswd'
-require 'webrick/httpauth/htdigest'
-require 'webrick/httpauth/htgroup'
+require_relative 'httpauth/basicauth'
+require_relative 'httpauth/digestauth'
+require_relative 'httpauth/htpasswd'
+require_relative 'httpauth/htdigest'
+require_relative 'httpauth/htgroup'
 
 module WEBrick
 

data/lib/webrick/httpauth/authenticator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #--
 # httpauth/authenticator.rb -- Authenticator mix-in module.
 #
@@ -16,10 +17,10 @@ module WEBrick
 
     module Authenticator
 
-      RequestField      = "Authorization"
-      ResponseField     = "WWW-Authenticate"
-      ResponseInfoField = "Authentication-Info"
-      AuthException     = HTTPStatus::Unauthorized
+      RequestField      = "Authorization" # :nodoc:
+      ResponseField     = "WWW-Authenticate" # :nodoc:
+      ResponseInfoField = "Authentication-Info" # :nodoc:
+      AuthException     = HTTPStatus::Unauthorized # :nodoc:
 
       ##
       # Method of authentication, must be overridden by the including class
@@ -43,6 +44,8 @@ module WEBrick
 
       private
 
+      # :stopdoc:
+
       ##
       # Initializes the authenticator from +config+
 
@@ -96,6 +99,8 @@ module WEBrick
           log(:info, fmt, *args)
         end
       end
+
+      # :startdoc:
     end
 
     ##
@@ -103,10 +108,10 @@ module WEBrick
     # authentication schemes for proxies.
 
     module ProxyAuthenticator
-      RequestField  = "Proxy-Authorization"
-      ResponseField = "Proxy-Authenticate"
-      InfoField     = "Proxy-Authentication-Info"
-      AuthException = HTTPStatus::ProxyAuthenticationRequired
+      RequestField  = "Proxy-Authorization" # :nodoc:
+      ResponseField = "Proxy-Authenticate" # :nodoc:
+      InfoField     = "Proxy-Authentication-Info" # :nodoc:
+      AuthException = HTTPStatus::ProxyAuthenticationRequired # :nodoc:
     end
   end
 end

data/lib/webrick/httpauth/basicauth.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/basicauth.rb -- HTTP basic access authentication
 #
@@ -7,9 +8,9 @@
 #
 # $IPR: basicauth.rb,v 1.5 2003/02/20 07:15:47 gotoyuzo Exp $
 
-require 'webrick/config'
-require 'webrick/httpstatus'
-require 'webrick/httpauth/authenticator'
+require_relative '../config'
+require_relative '../httpstatus'
+require_relative 'authenticator'
 
 module WEBrick
   module HTTPAuth
@@ -23,7 +24,7 @@ module WEBrick
     #
     #   config = { :Realm => 'BasicAuth example realm' }
     #
-    #   htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file'
+    #   htpasswd = WEBrick::HTTPAuth::Htpasswd.new 'my_password_file', password_hash: :bcrypt
     #   htpasswd.set_passwd config[:Realm], 'username', 'password'
     #   htpasswd.flush
     #
@@ -34,7 +35,7 @@ module WEBrick
     class BasicAuth
       include Authenticator
 
-      AuthScheme = "Basic"
+      AuthScheme = "Basic" # :nodoc:
 
       ##
       # Used by UserDB to create a basic password entry
@@ -80,7 +81,15 @@ module WEBrick
           error("%s: the user is not allowed.", userid)
           challenge(req, res)
         end
-        if password.crypt(encpass) != encpass
+
+        case encpass
+        when /\A\$2[aby]\$/
+          password_matches = BCrypt::Password.new(encpass.sub(/\A\$2[aby]\$/, '$2a$')) == password
+        else
+          password_matches = password.crypt(encpass) == encpass
+        end
+
+        unless password_matches
           error("%s: password unmatch.", userid)
           challenge(req, res)
         end
@@ -89,8 +98,7 @@ module WEBrick
       end
 
       ##
-      # Returns a challenge response which asks for for authentication
-      # information
+      # Returns a challenge response which asks for authentication information
 
       def challenge(req, res)
         res[@response_field] = "#{@auth_scheme} realm=\"#{@realm}\""

data/lib/webrick/httpauth/digestauth.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/digestauth.rb -- HTTP digest access authentication
 #
@@ -11,9 +12,9 @@
 #
 # $IPR: digestauth.rb,v 1.5 2003/02/20 07:15:47 gotoyuzo Exp $
 
-require 'webrick/config'
-require 'webrick/httpstatus'
-require 'webrick/httpauth/authenticator'
+require_relative '../config'
+require_relative '../httpstatus'
+require_relative 'authenticator'
 require 'digest/md5'
 require 'digest/sha1'
 
@@ -45,9 +46,22 @@ module WEBrick
     class DigestAuth
       include Authenticator
 
-      AuthScheme = "Digest"
-      OpaqueInfo = Struct.new(:time, :nonce, :nc)
-      attr_reader :algorithm, :qop
+      AuthScheme = "Digest" # :nodoc:
+
+      ##
+      # Struct containing the opaque portion of the digest authentication
+
+      OpaqueInfo = Struct.new(:time, :nonce, :nc) # :nodoc:
+
+      ##
+      # Digest authentication algorithm
+
+      attr_reader :algorithm
+
+      ##
+      # Quality of protection.  RFC 2617 defines "auth" and "auth-int"
+
+      attr_reader :qop
 
       ##
       # Used by UserDB to create a digest password entry
@@ -97,7 +111,7 @@ module WEBrick
         @instance_key = hexdigest(self.__id__, Time.now.to_i, Process.pid)
         @opaques = {}
         @last_nonce_expire = Time.now
-        @mutex = Mutex.new
+        @mutex = Thread::Mutex.new
       end
 
       ##
@@ -115,8 +129,7 @@ module WEBrick
       end
 
       ##
-      # Returns a challenge response which asks for for authentication
-      # information
+      # Returns a challenge response which asks for authentication information
 
       def challenge(req, res, stale=false)
         nonce = generate_next_nonce(req)
@@ -142,6 +155,8 @@ module WEBrick
 
       private
 
+      # :stopdoc:
+
       MustParams = ['username','realm','nonce','uri','response']
       MustParamsAuth = ['cnonce','nc']
 
@@ -189,7 +204,7 @@ module WEBrick
 
         password = @userdb.get_passwd(@realm, auth_req['username'], @reload_db)
         unless password
-          error('%s: the user is not allowd.', auth_req['username'])
+          error('%s: the user is not allowed.', auth_req['username'])
           return false
         end
 
@@ -220,9 +235,11 @@ module WEBrick
           ha2 = hexdigest(req.request_method, auth_req['uri'])
           ha2_res = hexdigest("", auth_req['uri'])
         elsif auth_req['qop'] == "auth-int"
-          ha2 = hexdigest(req.request_method, auth_req['uri'],
-                          hexdigest(req.body))
-          ha2_res = hexdigest("", auth_req['uri'], hexdigest(res.body))
+          body_digest = @h.new
+          req.body { |chunk| body_digest.update(chunk) }
+          body_digest = body_digest.hexdigest
+          ha2 = hexdigest(req.request_method, auth_req['uri'], body_digest)
+          ha2_res = hexdigest("", auth_req['uri'], body_digest)
         end
 
         if auth_req['qop'] == "auth" || auth_req['qop'] == "auth-int"
@@ -273,23 +290,8 @@ module WEBrick
 
       def split_param_value(string)
         ret = {}
-        while string.bytesize != 0
-          case string
-          when /^\s*([\w\-\.\*\%\!]+)=\s*\"((\\.|[^\"])*)\"\s*,?/
-            key = $1
-            matched = $2
-            string = $'
-            ret[key] = matched.gsub(/\\(.)/, "\\1")
-          when /^\s*([\w\-\.\*\%\!]+)=\s*([^,\"]*),?/
-            key = $1
-            matched = $2
-            string = $'
-            ret[key] = matched.clone
-          when /^s*^,/
-            string = $'
-          else
-            break
-          end
+        string.scan(/\G\s*([\w\-.*%!]+)=\s*(?:\"((?>\\.|[^\"])*)\"|([^,\"]*))\s*,?/) do
+          ret[$1] = $3 || $2.gsub(/\\(.)/, "\\1")
         end
         ret
       end
@@ -297,7 +299,7 @@ module WEBrick
       def generate_next_nonce(req)
         now = "%012d" % req.request_time.to_i
         pk  = hexdigest(now, @instance_key)[0,32]
-        nonce = [now + ":" + pk].pack("m*").chop # it has 60 length of chars.
+        nonce = [now + ":" + pk].pack("m0") # it has 60 length of chars.
         nonce
       end
 
@@ -375,6 +377,7 @@ module WEBrick
         @h.hexdigest(args.join(":"))
       end
 
+      # :startdoc:
     end
 
     ##
@@ -384,7 +387,7 @@ module WEBrick
       include ProxyAuthenticator
 
       private
-      def check_uri(req, auth_req)
+      def check_uri(req, auth_req) # :nodoc:
         return true
       end
     end

data/lib/webrick/httpauth/htdigest.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: false
 #
 # httpauth/htdigest.rb -- Apache compatible htdigest file
 #
@@ -7,8 +8,8 @@
 #
 # $IPR: htdigest.rb,v 1.4 2003/07/22 19:20:45 gotoyuzo Exp $
 
-require 'webrick/httpauth/userdb'
-require 'webrick/httpauth/digestauth'
+require_relative 'userdb'
+require_relative 'digestauth'
 require 'tempfile'
 
 module WEBrick
@@ -37,9 +38,9 @@ module WEBrick
         @path = path
         @mtime = Time.at(0)
         @digest = Hash.new
-        @mutex = Mutex::new
+        @mutex = Thread::Mutex::new
         @auth_type = DigestAuth
-        open(@path,"a").close unless File::exist?(@path)
+        File.open(@path,"a").close unless File.exist?(@path)
         reload
       end
 
@@ -50,7 +51,7 @@ module WEBrick
         mtime = File::mtime(@path)
         if mtime > @mtime
           @digest.clear
-          open(@path){|io|
+          File.open(@path){|io|
             while line = io.gets
               line.chomp!
               user, realm, pass = line.split(/:/, 3)
@@ -70,13 +71,16 @@ module WEBrick
 
       def flush(output=nil)
         output ||= @path
-        tmp = Tempfile.new("htpasswd", File::dirname(output))
+        tmp = Tempfile.create("htpasswd", File::dirname(output))
+        renamed = false
         begin
           each{|item| tmp.puts(item.join(":")) }
           tmp.close
           File::rename(tmp.path, output)
-        rescue
-          tmp.close(true)
+          renamed = true
+        ensure
+          tmp.close
+          File.unlink(tmp.path) if !renamed
         end
       end