From b86690cb21539e23fe33de43d8ec484ef2bacd4d Mon Sep 17 00:00:00 2001
From: Akinori MUSHA
Date: Fri, 15 Mar 2013 11:21:57 +0900
Subject: [PATCH] Check if the scheme is http(s) and the host is non-nil in URI.

---
 lib/http/cookie.rb | 5 +++--
 test/test_http_cookie.rb | 5 +++++
 test/test_http_cookie_jar.rb | 8 ++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/http/cookie.rb b/lib/http/cookie.rb
index 36e607a..a8c1e87 100644
--- a/lib/http/cookie.rb
+++ b/lib/http/cookie.rb
@@ -342,6 +342,7 @@ class HTTP::Cookie
   def acceptable_from_uri?(uri)
     uri = URI(uri)
+    return false unless URI::HTTP === uri && uri.host
     host = DomainName.new(uri.host)
 
     # RFC 6265 5.3
@@ -359,11 +360,11 @@ class HTTP::Cookie
   end
 
   def valid_for_uri?(uri)
-    uri = URI(uri)
     if @domain.nil?
       raise "cannot tell if this cookie is valid because the domain is unknown"
     end
-    return false if secure? && uri.scheme != 'https'
+    uri = URI(uri)
+    return false if secure? && !(URI::HTTPS === uri)
     acceptable_from_uri?(uri) &&
       HTTP::Cookie.normalize_path(uri.path).start_with?(@path)
   end
diff --git a/test/test_http_cookie.rb b/test/test_http_cookie.rb
index 13e79a0..0779063 100644
--- a/test/test_http_cookie.rb
+++ b/test/test_http_cookie.rb
@@ -576,6 +576,7 @@ class TestHTTPCookie < Test::Unit::TestCase
     assert_equal false, cookie.valid_for_uri?(URI('http://www.example.com/dir/test.html'))
     assert_equal false, cookie.valid_for_uri?(URI('https://www.example.com/dir2/test.html'))
     assert_equal false, cookie.valid_for_uri?(URI('http://www.example.com/dir2/test.html'))
+    assert_equal false, cookie.valid_for_uri?(URI('file:///dir/test.html'))
 
     cookie = HTTP::Cookie.parse('a=b; path=/dir2/', :origin => URI('http://example.com/dir/file.html')).first
     assert_equal false, cookie.valid_for_uri?(URI('https://example.com/dir/test.html'))
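Review bot: The new guard in acceptable_from_uri? rejects a nil host but not an empty one, because `""` is truthy in Ruby, so a URI for which the parser yields an empty host string (an `http:///path` form, if the parser returns `""` there rather than `nil`) still reaches `DomainName.new(uri.host)`; `return false unless URI::HTTP === uri && uri.host && !uri.host.empty?` would close that gap. As a point of style, here and in the valid_for_uri? hunk at line 360 (`!(URI::HTTPS === uri)`), `uri.is_a?(URI::HTTP)` / `uri.is_a?(URI::HTTPS)` reads more directly than the bare `===` case-equality operator. Because URI::HTTPS is a subclass of URI::HTTP in the standard library the https case still passes the new check, which deserves a short comment such as `# only http(s) URIs with a host can carry cookies (URI::HTTPS < URI::HTTP)`. acceptable_from_uri?'s body continues outside the hunk.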
@@ -586,6 +587,7 @@ class TestHTTPCookie < Test::Unit::TestCase
     assert_equal false, cookie.valid_for_uri?(URI('http://www.example.com/dir/test.html'))
     assert_equal false, cookie.valid_for_uri?(URI('https://www.example.com/dir2/test.html'))
     assert_equal false, cookie.valid_for_uri?(URI('http://www.example.com/dir2/test.html'))
+    assert_equal false, cookie.valid_for_uri?(URI('file:///dir/test.html'))
 
     cookie = HTTP::Cookie.parse('a=b; domain=example.com; path=/dir2/', :origin => URI('http://example.com/dir/file.html')).first
     assert_equal false, cookie.valid_for_uri?(URI('https://example.com/dir/test.html'))
@@ -596,15 +598,18 @@ class TestHTTPCookie < Test::Unit::TestCase
     assert_equal false, cookie.valid_for_uri?(URI('http://www.example.com/dir/test.html'))
     assert_equal true, cookie.valid_for_uri?(URI('https://www.example.com/dir2/test.html'))
     assert_equal true, cookie.valid_for_uri?(URI('http://www.example.com/dir2/test.html'))
+    assert_equal false, cookie.valid_for_uri?(URI('file:///dir2/test.html'))
 
     cookie = HTTP::Cookie.parse('a=b; secure', :origin => URI('https://example.com/dir/file.html')).first
     assert_equal true, cookie.valid_for_uri?(URI('https://example.com/dir/test.html'))
     assert_equal false, cookie.valid_for_uri?(URI('http://example.com/dir/test.html'))
     assert_equal false, cookie.valid_for_uri?(URI('https://example.com/dir2/test.html'))
     assert_equal false, cookie.valid_for_uri?(URI('http://example.com/dir2/test.html'))
+    assert_equal false, cookie.valid_for_uri?(URI('file:///dir2/test.html'))
 
     cookie = HTTP::Cookie.parse('a=b', :origin => URI('https://example.com/')).first
     assert_equal true, cookie.valid_for_uri?(URI('https://example.com'))
+    assert_equal false, cookie.valid_for_uri?(URI('file:///'))
   end
 
   def test_migration
diff --git a/test/test_http_cookie_jar.rb b/test/test_http_cookie_jar.rb
index 674f23b..250072d 100644
--- a/test/test_http_cookie_jar.rb
+++ b/test/test_http_cookie_jar.rb
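Review bot: The assertions added in the hunk at line 598 (and in the two earlier hunks of this file) exercise only the scheme half of the new checks, all with `file:` URIs; nothing covers an http(s) URI whose host is nil, which is the other half of what the commit title claims. An assertion with a host-less http URI, for instance `assert_equal false, cookie.valid_for_uri?(URI('http:dir2/test.html'))` (assuming the URI parser returns a nil host for that form), would pin the `uri.host` part of the guard. For the secure cookie, a `file:` URI is already rejected by the HTTPS check before acceptable_from_uri? is reached, so that case does not exercise the new guard in acceptable_from_uri? either.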
@@ -270,6 +270,14 @@ class TestHTTPCookieJar < Test::Unit::TestCase
     assert_equal(0, @jar.cookies(url).length)
   end
 
+  def test_cookies_no_host
+    url = URI 'file:///path/'
+
+    assert_raises(ArgumentError) {
+      @jar.add(HTTP::Cookie.new(cookie_values(:origin => url)))
+    }
+  end
+
   def test_clear
     url = URI 'http://rubyforge.org/'
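Review bot: test_cookies_no_host expects ArgumentError from `HTTP::Cookie.new(cookie_values(:origin => url))`, yet none of the hunks in this patch touch the constructor or origin handling, so the assertion presumably depends on a check in cookie.rb outside this diff rather than on the new guards; the test name suggests the `@jar.cookies(url)` lookup path with a host-less URL, which is not asserted at all. Adding a lookup assertion after the constructor check, such as `assert_equal 0, @jar.cookies(url).length` if an empty result is the intended behaviour for a `file:` URL, would cover the jar side that acceptable_from_uri? now rejects. As a point of style, the multi-line `assert_raises(ArgumentError) { ... }` block would conventionally be written with `do ... end`.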