# frozen_string_literal: true
require 'test/unit'
require 'cgi'
require 'stringio'
require_relative 'update_env'
# Unit tests for CGI::Cookie: construction (positional and hash forms),
# serialisation through #to_s, parsing of cookie strings, the Array-style
# accessors, and rejection of injected attributes or header lines.
#
# Security-relevant contract pinned below:
# * cookie values are percent-encoded on output ('&<>"' => '%26%3C%3E%22');
# * name, path and domain are rejected rather than encoded: the tests expect
#   ArgumentError for inputs carrying ';'-separated attributes (name, path,
#   domain), a CR/LF sequence (name) or a multibyte character (name);
# * `secure` and `httponly` are false unless the caller sets them.
class CGICookieTest < Test::Unit::TestCase
  include UpdateEnv

  # Puts the process environment into a known CGI-like state before each test.
  def setup
    # Handed to update_env, which comes from the UpdateEnv mixin (defined
    # outside this file). Presumably the previous ENV values are recorded here
    # so teardown can restore them -- confirm against update_env.rb.
    @environ = {}
    update_env('REQUEST_METHOD' => 'GET', 'SCRIPT_NAME' => nil)

    # String literals are frozen in this file, so take an unfrozen copy
    # before force_encoding touches it.
    utf8_sample = "\xE3\x82\x86\xE3\x82\x93\xE3\x82\x86\xE3\x82\x93".dup
    utf8_sample.force_encoding("UTF-8") if defined?(::Encoding)
    @str1 = utf8_sample
  end

  # Writes the contents of @environ back into ENV after each test.
  def teardown
    ENV.update(@environ)
  end

  # Positional form: the first argument is the name, the rest are values.
  def test_cgi_cookie_new_simple
    values = ['val1', '&<>"', @str1]
    cookie = CGI::Cookie.new('name1', *values)

    assert_equal('name1', cookie.name)
    assert_equal(values, cookie.value)
    assert_nil(cookie.domain)
    assert_nil(cookie.expires)
    assert_equal('', cookie.path)
    ## Neither flag is on by default; a caller that needs them must opt in.
    assert_equal(false, cookie.secure)
    assert_equal(false, cookie.httponly)
    ## Values are joined with '&' and percent-encoded in the serialised form.
    assert_equal("name1=val1&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93; path=", cookie.to_s)
  end

  # Hash form: every attribute is supplied explicitly, including the
  # `secure` and `httponly` flags, and all of them show up in #to_s.
  def test_cgi_cookie_new_complex
    expiry = Time.gm(2030, 12, 31, 23, 59, 59)
    euc_jp = "\xA5\xE0\xA5\xB9\xA5\xAB".dup
    euc_jp.force_encoding("EUC-JP") if defined?(::Encoding)
    value = ['val1', '&<>"', euc_jp]
    attrs = {
      'name' => 'name1',
      'value' => value,
      'path' => '/cgi-bin/myapp/',
      'domain' => 'www.example.com',
      'expires' => expiry,
      'secure' => true,
      'httponly' => true,
    }
    cookie = CGI::Cookie.new(attrs)

    assert_equal('name1', cookie.name)
    assert_equal(value, cookie.value)
    assert_equal('www.example.com', cookie.domain)
    assert_equal(expiry, cookie.expires)
    assert_equal('/cgi-bin/myapp/', cookie.path)
    assert_equal(true, cookie.secure)
    assert_equal(true, cookie.httponly)
    assert_equal('name1=val1&%26%3C%3E%22&%A5%E0%A5%B9%A5%AB; domain=www.example.com; path=/cgi-bin/myapp/; expires=Tue, 31 Dec 2030 23:59:59 GMT; secure; HttpOnly', cookie.to_s)
  end

  # The default path is '' while SCRIPT_NAME is unset, and the directory part
  # of SCRIPT_NAME once it is set, for both constructor forms.
  def test_cgi_cookie_scriptname
    builders = [
      -> { CGI::Cookie.new('name1', 'value1') },
      -> { CGI::Cookie.new('name' => 'name1', 'value' => 'value1') },
    ]

    builders.each { |build| assert_equal('', build.call.path) }

    ## when ENV['SCRIPT_NAME'] is set, cookie.path is set automatically
    ENV['SCRIPT_NAME'] = '/cgi-bin/app/example.cgi'
    builders.each { |build| assert_equal('/cgi-bin/app/', build.call.path) }
  end

  # Parsing a cookie string: ';' separates pairs, '&' separates the values
  # of one pair, and values are percent-decoded.
  def test_cgi_cookie_parse
    verify = lambda do |parsed, expected|
      expected.each do |name, value|
        cookie = parsed[name]
        assert_equal(name, cookie.name)
        assert_equal(value, cookie.value)
      end
    end

    ## ';' separator (with or without a following space)
    parsed = CGI::Cookie.parse('name1=val1&val2; name2=val2&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93;_session_id=12345')
    verify.call(parsed, [
      ['name1', ['val1', 'val2']],
      ['name2', ['val2', '&<>"', @str1]],
      ['_session_id', ['12345']],
    ])

    ## don't allow ',' separator: the text after the comma stays part of the
    ## preceding value instead of becoming a second cookie
    parsed = CGI::Cookie.parse('name1=val1&val2, name2=val2')
    verify.call(parsed, [
      ['name1', ['val1', 'val2, name2=val2']],
    ])
  end

  # Cookie names are taken literally when parsing: "%66oo" is not decoded to
  # "foo", so the two pairs stay separate entries and neither overrides the
  # other.
  def test_cgi_cookie_parse_not_decode_name
    parsed = CGI::Cookie.parse("%66oo=baz;foo=bar")
    assert_equal({"%66oo" => ["baz"], "foo" => ["bar"]}, parsed)
  end

  # A cookie exposes its values through Array-style accessors.
  def test_cgi_cookie_arrayinterface
    cookie = CGI::Cookie.new('name1', 'a', 'b', 'c')

    assert_equal('a', cookie[0])
    assert_equal('c', cookie[2])
    assert_nil(cookie[3])
    assert_equal('a', cookie.first)
    assert_equal('c', cookie.last)
    assert_equal(['A', 'B', 'C'], cookie.collect(&:upcase))
  end

  # A name carrying its own "; domain=..." text must be refused: written out
  # verbatim it would read as a domain attribute different from the one the
  # caller passed in 'domain'.
  def test_cgi_cookie_domain_injection_into_name
    attrs = {
      'name' => "a=b; domain=example.com;",
      'value' => "value",
      'domain' => "example.jp",
      'path' => "/",
    }
    assert_raise(ArgumentError) { CGI::Cookie.new(attrs) }
  end

  # A name containing CR LF followed by a header line must be refused; a
  # line break inside a header value would let the remainder be read as a
  # separate response header.
  def test_cgi_cookie_newline_injection_into_name
    attrs = {
      'name' => "a=b;\r\nLocation: http://example.com#",
      'value' => "value",
      'domain' => "example.jp",
      'path' => "/",
    }
    assert_raise(ArgumentError) { CGI::Cookie.new(attrs) }
  end

  # Same check with a multibyte character (U+3042) after the separator; the
  # constructor is expected to raise ArgumentError here as well.
  def test_cgi_cookie_multibyte_injection_into_name
    attrs = {
      'name' => "a=b;\u3042",
      'value' => "value",
      'domain' => "example.jp",
      'path' => "/",
    }
    assert_raise(ArgumentError) { CGI::Cookie.new(attrs) }
  end

  # A path that tries to append "; samesite=none" must be refused, so the
  # path field cannot be used to add attributes the caller did not set.
  def test_cgi_cookie_injection_into_path
    attrs = {
      'name' => "name",
      'value' => "value",
      'domain' => "example.jp",
      'path' => "/; samesite=none",
    }
    assert_raise(ArgumentError) { CGI::Cookie.new(attrs) }
  end

  # Same check for the domain field.
  def test_cgi_cookie_injection_into_domain
    attrs = {
      'name' => "name",
      'value' => "value",
      'domain' => "example.jp; samesite=none",
      'path' => "/",
    }
    assert_raise(ArgumentError) { CGI::Cookie.new(attrs) }
  end

  # With ENV['TEST'] set, every test_* method whose suffix differs from it is
  # made private, leaving only test_<TEST> public (presumably so that the
  # runner executes just that one test).
  selected = ENV['TEST']
  if selected
    instance_methods.each do |method|
      next unless method =~ /^test_(.*)/
      private method unless Regexp.last_match(1) == selected
    end
  end
end