From dd3ca9a0f1d2d5afecdaf8869bc3b4cd74541f65 Mon Sep 17 00:00:00 2001
From: Akinori MUSHA
Date: Thu, 18 Oct 2012 19:00:33 +0900
Subject: [PATCH] Inhibit a domain-less cookie from being used for checking validity.
---
 lib/http/cookie.rb | 5 ++++-
 test/test_http_cookie.rb | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/http/cookie.rb b/lib/http/cookie.rb
index 17045f3..f003a91 100644
--- a/lib/http/cookie.rb
+++ b/lib/http/cookie.rb
@@ -265,8 +265,11 @@ class HTTP::Cookie
 def valid_for_uri?(uri)
 uri = URI(uri)
+ if @domain.nil?
+ raise "cannot tell if this cookie is valid because the domain is unknown"
+ end
 return false if secure? && uri.scheme != 'https'
- acceptable_from_uri?(uri) && (@path.nil? || uri.path.start_with?(@path))
+ acceptable_from_uri?(uri) && uri.path.start_with?(@path)
 end
 def to_s
diff --git a/test/test_http_cookie.rb b/test/test_http_cookie.rb
index 03f4161..0c5308e 100644
--- a/test/test_http_cookie.rb
+++ b/test/test_http_cookie.rb
@@ -465,6 +465,13 @@ class TestHTTPCookie < Test::Unit::TestCase
 assert_equal true, cookie.for_domain?
 end
+ def test_domain_nil
+ cookie = HTTP::Cookie.parse('a=b').first
+ assert_raises(RuntimeError) {
+ cookie.valid_for_uri?('http://example.com/')
+ }
+ end
+
 def test_domain=
 url = URI.parse('http://host.dom.example.com:8080/')
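Review bot: The rewritten last line of `valid_for_uri?` drops the `@path.nil? ||` guard, so `uri.path.start_with?(@path)` raises `TypeError` instead of returning a boolean whenever `@path` is nil — nothing in the hunk shows that a default path is always set, so if the parser can leave it unset a caller now gets an unrelated exception rather than a validity answer. If a nil path is impossible by construction, a one-line comment on that line saying so would make the removal safe to read; otherwise keep the guard, `acceptable_from_uri?(uri) && (@path.nil? || uri.path.start_with?(@path))`. Separately, the new domain check raises a bare `RuntimeError` via `raise "..."`, which callers can only distinguish by message; a named error class (an `ArgumentError` or a library-specific `StandardError` subclass) would let callers rescue this specific condition precisely. Note also that `start_with?` is a plain prefix test, so a cookie scoped to path `/foo` is judged valid for `/foobar`, which is looser than the RFC 6265 path-match rule; that predates this commit, but the line is being rewritten here.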