webrick: fix non-ascii escape bugs

* lib/webrick/htmlutils.rb (WEBrick::HTMLUtils#escape): replace HTML meta chars even in non-ascii string. [Bug #8425] [ruby-core:55052] * lib/webrick/httputils.rb (WEBrick::HTTPUtils#{_escape,_unescape}): fix %-escape encodings. [Bug #8425] [ruby-core:55052] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40848 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2013-05-20 01:40:30 +00:00 · 2013-05-20 01:40:30 +00:00 · 88bcccd433
commit 88bcccd433
parent bcddf03238
5 changed files with 31 additions and 6 deletions
--- a/8
+++ b/8
@ -1,4 +1,10 @@
-Mon May 20 09:53:31 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+Mon May 20 10:40:21 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* lib/webrick/htmlutils.rb (WEBrick::HTMLUtils#escape): replace HTML
+	  meta chars even in non-ascii string.  [Bug #8425] [ruby-core:55052]
+
+	* lib/webrick/httputils.rb (WEBrick::HTTPUtils#{_escape,_unescape}):
+	  fix %-escape encodings.  [Bug #8425] [ruby-core:55052]

 	* lib/webrick/httpservlet/filehandler.rb (set_dir_list): revert r20152
 	  partially and fix misuse of bytesize and regexp repetition operator.
--- a/lib/webrick/htmlutils.rb
+++ b/lib/webrick/htmlutils.rb
@ -15,12 +15,13 @@ module WEBrick
    # Escapes &, ", > and < in +string+

    def escape(string)
-      str = string ? string.dup : ""
+      return "" unless string
+      str = string.b
      str.gsub!(/&/n, '&amp;')
      str.gsub!(/\"/n, '&quot;')
      str.gsub!(/>/n, '&gt;')
      str.gsub!(/</n, '&lt;')
-      str
+      str.force_encoding(string.encoding)
    end
    module_function :escape

--- a/lib/webrick/httputils.rb
+++ b/lib/webrick/httputils.rb
@ -437,8 +437,18 @@ module WEBrick

    def _make_regex(str) /([#{Regexp.escape(str)}])/n end
    def _make_regex!(str) /([^#{Regexp.escape(str)}])/n end
-    def _escape(str, regex) str.gsub(regex){ "%%%02X" % $1.ord } end
-    def _unescape(str, regex) str.gsub(regex){ $1.hex.chr } end
+    def _escape(str, regex)
+      str = str.b
+      str.gsub!(regex) {"%%%02X" % $1.ord}
+      # %-escaped string should contain US-ASCII only
+      str.force_encoding(Encoding::US_ASCII)
+    end
+    def _unescape(str, regex)
+      str = str.b
+      str.gsub!(regex) {$1.hex.chr}
+      # encoding of %-unescaped string is unknown
+      str
+    end

    UNESCAPED = _make_regex(control+space+delims+unwise+nonascii)
    UNESCAPED_FORM = _make_regex(reserved+control+delims+unwise+nonascii)
--- a/test/webrick/test_htmlutils.rb
+++ b/test/webrick/test_htmlutils.rb
@ -11,6 +11,10 @@ class TestWEBrickHTMLUtils < Test::Unit::TestCase
    assert_equal("foo&quot;bar", escape("foo\"bar"))
    assert_equal("foo&gt;bar", escape("foo>bar"))
    assert_equal("foo&lt;bar", escape("foo<bar"))
-    assert_equal("こんにちは", escape("こんにちは"))
+    assert_equal("\u{3053 3093 306B 3061 306F}", escape("\u{3053 3093 306B 3061 306F}"))
+    bug8425 = '[Bug #8425] [ruby-core:55052]'
+    assert_nothing_raised(ArgumentError, Encoding::CompatibilityError, bug8425) {
+      assert_equal("\u{3053 3093 306B}\xff&lt;", escape("\u{3053 3093 306B}\xff<"))
+    }
  end
 end
--- a/test/webrick/test_httputils.rb
+++ b/test/webrick/test_httputils.rb
@ -66,6 +66,10 @@ class TestWEBrickHTTPUtils < Test::Unit::TestCase
    assert_equal("/~foo%20bar", escape("/~foo bar"))
    assert_equal("/~foo%09bar", escape("/~foo\tbar"))
    assert_equal("/~foo+bar", escape("/~foo+bar"))
+    bug8425 = '[Bug #8425] [ruby-core:55052]'
+    assert_nothing_raised(ArgumentError, Encoding::CompatibilityError, bug8425) {
+      assert_equal("%E3%83%AB%E3%83%93%E3%83%BC%E3%81%95%E3%82%93", escape("\u{30EB 30D3 30FC 3055 3093}"))
+    }
  end

  def test_escape_form