v3.3.7 with updated uri, cgi and net-imap

Author: andrykonchin

Diff for: doc/legal/bundled_gems

@@ -12,7 +12,7 @@ test-unit       3.6.1   https://github.com/test-unit/test-unit
 rexml           3.3.9   https://github.com/ruby/rexml
 rss             0.3.1   https://github.com/ruby/rss
 net-ftp         0.3.4   https://github.com/ruby/net-ftp
-net-imap        0.4.9.1   https://github.com/ruby/net-imap
+net-imap        0.4.19   https://github.com/ruby/net-imap
 net-pop         0.1.2   https://github.com/ruby/net-pop
 net-smtp        0.4.0.1   https://github.com/ruby/net-smtp
 matrix          0.4.2   https://github.com/ruby/matrix

Diff for: lib/mri/cgi.rb

@@ -288,7 +288,7 @@
 #
 
 class CGI
-  VERSION = "0.4.1"
+  VERSION = "0.4.2"
 end
 
 require 'cgi/core'

Diff for: lib/mri/cgi/cookie.rb

@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
         values ||= ""
         values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
         if cookies.has_key?(name)
-          values = cookies[name].value + values
+          cookies[name].concat(values)
+        else
+          cookies[name] = Cookie.new(name, *values)
         end
-        cookies[name] = Cookie.new(name, *values)
       end
 
       cookies

Diff for: lib/mri/cgi/session/pstore.rb

@@ -11,7 +11,10 @@
 # cgi/session.rb for more details on session storage managers.
 
 require_relative '../session'
-require 'pstore'
+begin
+  require 'pstore'
+rescue LoadError
+end
 
 class CGI
   class Session
@@ -82,7 +85,7 @@ def delete
         File::unlink path
       end
 
-    end
+    end if defined?(::PStore)
   end
 end
 # :enddoc:

Diff for: lib/mri/cgi/util.rb

@@ -184,7 +184,7 @@ def unescapeHTML(string)
   def escapeElement(string, *elements)
     elements = elements[0] if elements[0].kind_of?(Array)
     unless elements.empty?
-      string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
+      string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
         CGI.escapeHTML($&)
       end
     else
@@ -204,7 +204,7 @@ def escapeElement(string, *elements)
   def unescapeElement(string, *elements)
     elements = elements[0] if elements[0].kind_of?(Array)
     unless elements.empty?
-      string.gsub(/&lt;\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?&gt;/i) do
+      string.gsub(/&lt;\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:&gt;)?/im) do
         unescapeHTML($&)
       end
     else

Diff for: lib/mri/uri/generic.rb

@@ -1141,17 +1141,16 @@ def merge(oth)
       base.fragment=(nil)
 
       # RFC2396, Section 5.2, 4)
-      if !authority
-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
-      else
-        # RFC2396, Section 5.2, 4)
-        base.set_path(rel.path) if rel.path
+      if authority
+        base.set_userinfo(rel.userinfo)
+        base.set_host(rel.host)
+        base.set_port(rel.port || base.default_port)
+        base.set_path(rel.path)
+      elsif base.path && rel.path
+        base.set_path(merge_path(base.path, rel.path))
       end
 
       # RFC2396, Section 5.2, 7)
-      base.set_userinfo(rel.userinfo) if rel.userinfo
-      base.set_host(rel.host)         if rel.host
-      base.set_port(rel.port)         if rel.port
       base.query = rel.query       if rel.query
       base.fragment=(rel.fragment) if rel.fragment
 

Diff for: lib/mri/uri/version.rb

@@ -1,6 +1,6 @@
 module URI
   # :stopdoc:
-  VERSION_CODE = '001301'.freeze
+  VERSION_CODE = '001302'.freeze
   VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze
   # :startdoc:
 end

Diff for: test/mri/tests/cgi/test_cgi_session.rb

@@ -91,7 +91,7 @@ def test_cgi_session_pstore
     assert_equal(value1,session["key1"])
     assert_equal(value2,session["key2"])
     session.close
-  end
+  end if defined?(::PStore)
   def test_cgi_session_specify_session_id
     update_env(
       'REQUEST_METHOD'  => 'GET',

Diff for: test/mri/tests/cgi/test_cgi_util.rb

@@ -269,6 +269,14 @@ def test_cgi_escapeElement
     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
     assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
+    assert_equal("&lt;A &lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
+
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', "A", "IMG"))
+    assert_equal("&lt;A &lt;A ", escapeElement('<A <A ', ["A", "IMG"]))
   end
 
 
@@ -277,6 +285,16 @@ def test_cgi_unescapeElement
     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
     assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
+    assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
+
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
+    assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
   end
 end
 

Diff for: test/mri/tests/uri/test_generic.rb

@@ -164,6 +164,17 @@ def test_parse
     # must be empty string to identify as path-abempty, not path-absolute
     assert_equal('', url.host)
     assert_equal('http:////example.com', url.to_s)
+
+    # sec-2957667
+    url = URI.parse('http://user:[email protected]').merge('//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.join('http://user:[email protected]', '//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.parse('http://user:[email protected]') + '//example.net'
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
   end
 
   def test_parse_scheme_with_symbols
@@ -256,6 +267,13 @@ def test_merge
     assert_equal(u0, u1)
   end
 
+  def test_merge_authority
+    u = URI.parse('http://user:[email protected]:8080')
+    u0 = URI.parse('http://new.example.org/path')
+    u1 = u.merge('//new.example.org/path')
+    assert_equal(u0, u1)
+  end
+
   def test_route
     url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
     assert_equal('b.html', url.to_s)