From a47a849387c4604a081aa32a6ef2df9eed0073a0 Mon Sep 17 00:00:00 2001
From: Akinori MUSHA <knu@idaemons.org>
Date: Mon, 22 Oct 2012 03:52:25 +0900
Subject: [PATCH] Define HTTP::Cookie#name= with validation.

---
 lib/http/cookie.rb       | 25 +++++++++++++++----------
 test/test_http_cookie.rb |  6 ++++++
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/lib/http/cookie.rb b/lib/http/cookie.rb
index 71f9b2f..f3ba8c7 100644
--- a/lib/http/cookie.rb
+++ b/lib/http/cookie.rb
@@ -47,8 +47,7 @@ class HTTP::Cookie
 
   include URIFix if defined?(URIFix)
 
-  attr_reader :name
-  attr_accessor :value, :version
+  attr_accessor :name, :value, :version
   attr_accessor :domain, :path, :secure
   attr_reader :domain_name
   attr_accessor :comment, :max_age
@@ -84,11 +83,11 @@ class HTTP::Cookie
     @created_at = @accessed_at = Time.now
     case args.size
     when 2
-      @name, @value = *args
+      self.name, self.value = *args
       @for_domain = false
       return
     when 3
-      @name, @value, attr_hash = *args
+      self.name, self.value, attr_hash = *args
     when 1
       attr_hash = args.first
     else
@@ -104,10 +103,6 @@ class HTTP::Cookie
       case skey
       when 'for_domain'
         for_domain = !!val
-      when 'name'
-        @name = val
-      when 'value'
-        @value = val
       when 'origin'
         origin = val
       else
@@ -115,6 +110,9 @@ class HTTP::Cookie
         send(setter, val) if respond_to?(setter)
       end
     }
+    if @name.nil? || @value.nil?
+      raise ArgumentError, "at least name and value must be specified"
+    end
     @for_domain = for_domain
     if origin
       self.origin = origin
@@ -259,6 +257,15 @@ class HTTP::Cookie
     end
   end
 
+  def name=(name)
+    if name.nil? || name.empty?
+      raise ArgumentError, "cookie name cannot be empty"
+    elsif name.match(/[\x00-\x1F=\x7F]/)
+      raise ArgumentError, "cookie name cannot contain a control character or an equal sign"
+    end
+    @name = name
+  end
+
   # Sets the domain attribute.  A leading dot in +domain+ implies
   # turning the +for_domain?+ flag on.
   def domain=(domain)
@@ -382,8 +389,6 @@ class HTTP::Cookie
   def yaml_initialize(tag, map)
     map.each { |key, value|
       case key
-      when 'name'
-        @name = value
       when *PERSISTENT_PROPERTIES
         send(:"#{key}=", value)
       end
diff --git a/test/test_http_cookie.rb b/test/test_http_cookie.rb
index 3e6511e..e497067 100644
--- a/test/test_http_cookie.rb
+++ b/test/test_http_cookie.rb
@@ -463,6 +463,12 @@ class TestHTTPCookie < Test::Unit::TestCase
     assert_equal expires, cookie.expires
     assert_equal 'example.org', cookie.domain
     assert_equal true, cookie.for_domain?
+
+    assert_raises(ArgumentError) { HTTP::Cookie.new(:name => 'name') }
+    assert_raises(ArgumentError) { HTTP::Cookie.new(:value => 'value') }
+    assert_raises(ArgumentError) { HTTP::Cookie.new('', 'value') }
+    assert_raises(ArgumentError) { HTTP::Cookie.new('key=key', 'value') }
+    assert_raises(ArgumentError) { HTTP::Cookie.new("key\tkey", 'value') }
   end
 
   def cookie_values(options = {})