* lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]

* lib/webrick/cookie.rb (parse): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56262 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2016-09-27 03:17:47 +00:00 · 2016-09-27 03:17:47 +00:00 · 5f33c6b0f5
commit 5f33c6b0f5
parent f0137ba8cd
6 changed files with 30 additions and 4 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+Tue Sep 27 12:07:17 2016  NARUSE, Yui  <naruse@ruby-lang.org>
+
+	* lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]
+
+	* lib/webrick/cookie.rb (parse): ditto.
+
 Mon Sep 26 21:37:21 2016  Akinori MUSHA  <knu@iDaemons.org>

 	* man/erb.1, man/irb.1, man/ri.1, man/ruby.1: Remove Ns before
--- a/8
+++ b/8
@ -119,6 +119,10 @@ with all sufficient information, see the ChangeLog file or Redmine

 === Stdlib updates (outstanding ones only)

+* CGI
+
+  * Don't allow , as a separator [Bug #12791]
+
 * CSV

  * Add a liberal_parsing option. [Feature #11839]
@ -139,6 +143,10 @@ with all sufficient information, see the ChangeLog file or Redmine

  * Add an into option. [Feature #11191]

+* WEBrick
+
+  * Don't allow , as a separator [Bug #12791]
+
 === Compatibility issues (excluding feature bug fixes)

 * Array#sum and Enumerable#sum are implemented.  [Feature #12217]
--- a/lib/cgi/cookie.rb
+++ b/lib/cgi/cookie.rb
@ -162,7 +162,7 @@ class CGI
      cookies = Hash.new([])
      return cookies unless raw_cookie

-      raw_cookie.split(/[;,]\s?/).each do |pairs|
+      raw_cookie.split(/;\s?/).each do |pairs|
        name, values = pairs.split('=',2)
        next unless name and values
        name = CGI.unescape(name)
--- a/lib/webrick/cookie.rb
+++ b/lib/webrick/cookie.rb
@ -113,7 +113,7 @@ module WEBrick
        ret = []
        cookie = nil
        ver = 0
-        str.split(/[;,]\s+/).each{|x|
+        str.split(/;\s+/).each{|x|
          key, val = x.split(/=/,2)
          val = val ? HTTPUtils::dequote(val) : ""
          case key
--- a/test/cgi/test_cgi_cookie.rb
+++ b/test/cgi/test_cgi_cookie.rb
@ -88,9 +88,12 @@ class CGICookieTest < Test::Unit::TestCase
      assert_equal(name, cookie.name)
      assert_equal(value, cookie.value)
    end
-    ## ',' separator
-    cookie_str = 'name1=val1&val2, name2=val2&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93,_session_id=12345'
+    ## don't allow ',' separator
+    cookie_str = 'name1=val1&val2, name2=val2'
    cookies = CGI::Cookie.parse(cookie_str)
+    list = [
+      ['name1', ['val1', 'val2, name2=val2']],
+    ]
    list.each do |name, value|
      cookie = cookies[name]
      assert_equal(name, cookie.name)
--- a/test/webrick/test_cookie.rb
+++ b/test/webrick/test_cookie.rb
@ -49,11 +49,20 @@ class TestWEBrickCookie < Test::Unit::TestCase

    data = "hoge=moge; __div__session=9865ecfd514be7f7"
    cookies = WEBrick::Cookie.parse(data)
+    assert_equal(2, cookies.size)
    assert_equal(0, cookies[0].version)
    assert_equal("hoge", cookies[0].name)
    assert_equal("moge", cookies[0].value)
    assert_equal("__div__session", cookies[1].name)
    assert_equal("9865ecfd514be7f7", cookies[1].value)
+
+    # don't allow ,-separator
+    data = "hoge=moge, __div__session=9865ecfd514be7f7"
+    cookies = WEBrick::Cookie.parse(data)
+    assert_equal(1, cookies.size)
+    assert_equal(0, cookies[0].version)
+    assert_equal("hoge", cookies[0].name)
+    assert_equal("moge, __div__session=9865ecfd514be7f7", cookies[0].value)
  end

  def test_parse_no_whitespace