Class: HTTP::Cookie::Scanner
- Inherits:
-
StringScanner
- Object
- StringScanner
- HTTP::Cookie::Scanner
- Defined in:
- lib/http/cookie/scanner.rb
Constant Summary collapse
- RE_WSP =
Whitespace.
/[ \t]+/
- RE_NAME =
A pattern that matches a cookie name or attribute name which may be empty, capturing trailing whitespace.
/(?!#{RE_WSP})[^,;\\"=]*/
- RE_BAD_CHAR =
/([\x00-\x20\x7F",;\\])/
- RE_COOKIE_COMMA =
A pattern that matches the comma in a (typically date) value.
/,(?=#{RE_WSP}?#{RE_NAME}=)/
Class Method Summary collapse
Instance Method Summary collapse
-
#initialize(string, logger = nil) ⇒ Scanner
constructor
A new instance of Scanner.
- #parse_cookie_date(s) ⇒ Object
- #scan_cookie ⇒ Object
- #scan_dquoted ⇒ Object
- #scan_name ⇒ Object
- #scan_name_value(comma_as_separator = false) ⇒ Object
- #scan_set_cookie ⇒ Object
- #scan_value(comma_as_separator = false) ⇒ Object
- #skip_wsp ⇒ Object
Constructor Details
#initialize(string, logger = nil) ⇒ Scanner
Returns a new instance of Scanner.
18 19 20 21 |
# File 'lib/http/cookie/scanner.rb', line 18 def initialize(string, logger = nil) @logger = logger super(string) end |
Class Method Details
.quote(s) ⇒ Object
24 25 26 27 |
# File 'lib/http/cookie/scanner.rb', line 24 def quote(s) return s unless s.match(RE_BAD_CHAR) '"' << s.gsub(/([\\"])/, "\\\\\\1") << '"' end |
Instance Method Details
#parse_cookie_date(s) ⇒ Object
104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 |
# File 'lib/http/cookie/scanner.rb', line 104 def (s) # RFC 6265 5.1.1 time = day_of_month = month = year = nil s.split(/[\x09\x20-\x2F\x3B-\x40\x5B-\x60\x7B-\x7E]+/).each { |token| case when time.nil? && token.match(/\A(\d{1,2}):(\d{1,2})(?::(\d{1,2}))?(?=\D|\z)/) sec = if $3 $3.to_i else # violation of the RFC @logger.warn("Time lacks the second part: #{token}") if @logger 0 end time = [$1.to_i, $2.to_i, sec] when day_of_month.nil? && token.match(/\A(\d{1,2})(?=\D|\z)/) day_of_month = $1.to_i when month.nil? && token.match(/\A(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)/i) month = $1.capitalize when year.nil? && token.match(/\A(\d{2,4})(?=\D|\z)/) year = $1.to_i end } if day_of_month.nil? || month.nil? || year.nil? || time.nil? return nil end case day_of_month when 1..31 else return nil end case year when 100..1600 return nil when 70..99 year += 1900 when 0..69 year += 2000 end hh, mm, ss = time if hh > 23 || mm > 59 || ss > 59 return nil end tuple_to_time(day_of_month, month, year, time) end |
#scan_cookie ⇒ Object
218 219 220 221 222 223 224 225 226 227 228 229 230 |
# File 'lib/http/cookie/scanner.rb', line 218 def # RFC 6265 4.1.1 & 5.4 until eos? skip_wsp # Do not treat comma in a Cookie header value as separator; see CVE-2016-7401 name, value = scan_name_value(false) yield name, value if value skip(/;/) end end |
#scan_dquoted ⇒ Object
34 35 36 37 38 39 40 41 42 43 44 45 |
# File 'lib/http/cookie/scanner.rb', line 34 def scan_dquoted ''.tap { |s| case when skip(/"/) break when skip(/\\/) s << getch when scan(/[^"\\]+/) s << matched end until eos? } end |
#scan_name ⇒ Object
47 48 49 50 51 |
# File 'lib/http/cookie/scanner.rb', line 47 def scan_name scan(RE_NAME).tap { |s| s.rstrip! if s } end |
#scan_name_value(comma_as_separator = false) ⇒ Object
73 74 75 76 77 78 79 80 81 82 |
# File 'lib/http/cookie/scanner.rb', line 73 def scan_name_value(comma_as_separator = false) name = scan_name if skip(/\=/) value = scan_value(comma_as_separator) else scan_value(comma_as_separator) value = nil end [name, value] end |
#scan_set_cookie ⇒ Object
156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 |
# File 'lib/http/cookie/scanner.rb', line 156 def # RFC 6265 4.1.1 & 5.2 until eos? start = pos len = nil skip_wsp name, value = scan_name_value(true) if value.nil? @logger.warn("Cookie definition lacks a name-value pair.") if @logger elsif name.empty? @logger.warn("Cookie definition has an empty name.") if @logger value = nil end attrs = {} case when skip(/,/) # The comma is used as separator for concatenating multiple # values of a header. len = (pos - 1) - start break when skip(/;/) skip_wsp aname, avalue = scan_name_value(true) next if aname.empty? || value.nil? aname.downcase! case aname when 'expires' # RFC 6265 5.2.1 avalue &&= (avalue) or next when 'max-age' # RFC 6265 5.2.2 next unless /\A-?\d+\z/.match(avalue) when 'domain' # RFC 6265 5.2.3 # An empty value SHOULD be ignored. next if avalue.nil? || avalue.empty? when 'path' # RFC 6265 5.2.4 # A relative path must be ignored rather than normalizing it # to "/". next unless /\A\//.match(avalue) when 'secure', 'httponly' # RFC 6265 5.2.5, 5.2.6 avalue = true end attrs[aname] = avalue end until eos? len ||= pos - start if len > HTTP::Cookie::MAX_LENGTH @logger.warn("Cookie definition too long: #{name}") if @logger next end yield name, value, attrs if value end end |
#scan_value(comma_as_separator = false) ⇒ Object
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
# File 'lib/http/cookie/scanner.rb', line 53 def scan_value(comma_as_separator = false) ''.tap { |s| case when scan(/[^,;"]+/) s << matched when skip(/"/) # RFC 6265 2.2 # A cookie-value may be DQUOTE'd. s << scan_dquoted when check(/;/) break when comma_as_separator && check(RE_COOKIE_COMMA) break else s << getch end until eos? s.rstrip! } end |
#skip_wsp ⇒ Object
30 31 32 |
# File 'lib/http/cookie/scanner.rb', line 30 def skip_wsp skip(RE_WSP) end |