From 7721545ff2a24b92d2985b92996be985df5e967c Mon Sep 17 00:00:00 2001
From: Pieter van de Bruggen
Date: Mon, 28 Jan 2013 17:30:03 -0800
Subject: [PATCH] Ensuring that generated Content-Type headers properly escape params.
---
 lib/sinatra/base.rb | 5 ++++-
 test/helpers_test.rb | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index c5b6e7be..a8dcb5a1 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -275,7 +275,10 @@ module Sinatra
 params.delete :charset if mime_type.include? 'charset'
 unless params.empty?
 mime_type << (mime_type.include?(';') ? ', ' : ';')
- mime_type << params.map { |kv| kv.join('=') }.join(', ')
+ mime_type << params.map do |key, val|
+ val = val.inspect if val =~ /[";,]/
+ "#{key}=#{val}"
+ end.join(', ')
 end
 response['Content-Type'] = mime_type
 end
diff --git a/test/helpers_test.rb b/test/helpers_test.rb
index 9199c596..98dacbee 100644
--- a/test/helpers_test.rb
+++ b/test/helpers_test.rb
@@ -586,6 +586,29 @@ class HelpersTest < Test::Unit::TestCase
 get '/'
 assert_equal 'text/plain;charset=utf-16', response['Content-Type']
 end
+
+ it 'properly encodes parameters with delimiter characters' do
+ mock_app do
+ before '/comma' do
+ content_type 'image/png', :comment => 'Hello, world!'
+ end
+ before '/semicolon' do
+ content_type 'image/png', :comment => 'semi;colon'
+ end
+ before '/quote' do
+ content_type 'image/png', :comment => '"Whatever."'
+ end
+
+ get('*') { 'ok' }
+ end
+
+ get '/comma'
+ assert_equal 'image/png;comment="Hello, world!"', response['Content-Type']
+ get '/semicolon'
+ assert_equal 'image/png;comment="semi;colon"', response['Content-Type']
+ get '/quote'
+ assert_equal 'image/png;comment="\"Whatever.\""', response['Content-Type']
+ end
 end
 describe 'attachment' do
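Review bot: The quoting added on the `val = val.inspect if val =~ /[";,]/` line fires only for a quote, semicolon or comma, so any other value that is not an RFC 2616 token is still written into the Content-Type header bare — a space, `=`, `(` or a `\r\n` pair all pass through unquoted, and the last one is a header-injection vector if a caller ever builds the parameter from request data (whether a downstream Rack layer would reject it is not visible here). I would strip line breaks first and quote on any non-token character: `val = val.to_s.delete("\r\n")` followed by `val = val.inspect if val =~ /[^\w!#$%&'*+.^|~-]/`. Note also that String#inspect applies Ruby escaping rather than the HTTP quoted-string rule — it additionally backslash-escapes `#` before `{`, `$` or `@` and may render non-ASCII as `\uXXXX` depending on encoding — so a dedicated `'"' + val.gsub(/["\\]/) { |c| "\\#{c}" } + '"'` would be the more faithful replacement. The method this belongs to (presumably `content_type`, going by the tests) starts above the hunk.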
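Review bot: The new `it 'properly encodes parameters with delimiter characters'` block only exercises the three characters the implementation special-cases, so it cannot catch values that also need quoting but are currently emitted bare, such as a space or `=` in the comment or a CR/LF pair. Adding a case like `before('/space') { content_type 'image/png', :comment => 'Hello world' }` with `assert_equal 'image/png;comment="Hello world"', response['Content-Type']` would document that gap (it fails against the current `/[";,]/` trigger, which is the point). The enclosing `describe` block starts above the hunk and the `describe 'attachment'` that follows is cut off.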