Class: HTTP::Cookie::Scanner

Inherits:
StringScanner
  • Object
Defined in:
lib/http/cookie/scanner.rb

Constant Summary

RE_WSP =

Whitespace.

/[ \t]+/
RE_NAME =

A pattern that matches a cookie name or attribute name which may be empty, capturing trailing whitespace.

/(?!#{RE_WSP})[^,;\\"=]*/
RE_BAD_CHAR =
/([\x00-\x20\x7F",;\\])/
RE_COOKIE_COMMA =
/,(?=#{RE_WSP}?#{RE_NAME}=)/

Class Method Summary

Instance Method Summary

Constructor Details

#initialize(string, logger = nil) ⇒ Scanner

Returns a new instance of Scanner.



# File 'lib/http/cookie/scanner.rb', line 19

# Creates a scanner over +string+.
#
# @param string [String] the header text to scan
# @param logger [#warn, nil] optional logger; when given, RFC violations
#   noticed while scanning are reported through its +warn+ method
def initialize(string, logger = nil)
  super(string)
  @logger = logger
end

Class Method Details

.quote(s) ⇒ Object



# File 'lib/http/cookie/scanner.rb', line 25

# Quotes +s+ for use in a cookie header when it contains a character that
# cannot appear bare (any match of RE_BAD_CHAR); otherwise +s+ is returned
# untouched.
#
# Inside the quotes every backslash and double quote is escaped with a
# backslash.  The quoted result is a fresh, unfrozen String.
#
# @param s [String] a cookie value
# @return [String]
def quote(s)
  return s unless s.match(RE_BAD_CHAR)
  escaped = s.gsub(/([\\"])/, "\\\\\\1")
  '"' + escaped + '"'
end

Instance Method Details



# File 'lib/http/cookie/scanner.rb', line 105

# Parses a cookie-date string following RFC 6265 5.1.1.
#
# The string is split on the RFC's delimiter class and each token is
# tried, in order, as a time, a day of month, a month name and a year;
# only the first token matching each part is kept.  Two-digit years are
# expanded (70..99 -> 19xx, 0..69 -> 20xx).  A time without a seconds
# field violates the RFC but is accepted with seconds = 0, logging a
# warning on @logger when one is set.
#
# @param s [String] the cookie-date text
# @return [Object, nil] nil when a part is missing or out of range
#   (day outside 1..31, year below 1601, hour > 23, minute or second > 59);
#   otherwise the result of #tuple_to_time for the normalized parts
def parse_cookie_date(s)
  # RFC 6265 5.1.1
  time = day_of_month = month = year = nil

  s.split(/[\x09\x20-\x2F\x3B-\x40\x5B-\x60\x7B-\x7E]+/).each do |token|
    if time.nil? && (m = token.match(/\A(\d{1,2}):(\d{1,2})(?::(\d{1,2}))?(?=\D|\z)/))
      if m[3]
        seconds = m[3].to_i
      else
        # Omitting the seconds violates the RFC; tolerate it as zero.
        @logger.warn("Time lacks the second part: #{token}") if @logger
        seconds = 0
      end
      time = [m[1].to_i, m[2].to_i, seconds]
    elsif day_of_month.nil? && (m = token.match(/\A(\d{1,2})(?=\D|\z)/))
      day_of_month = m[1].to_i
    elsif month.nil? && (m = token.match(/\A(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)/i))
      month = m[1].capitalize
    elsif year.nil? && (m = token.match(/\A(\d{2,4})(?=\D|\z)/))
      year = m[1].to_i
    end
  end

  # Every one of the four parts must have been found.
  return nil if [time, day_of_month, month, year].any?(&:nil?)

  # day-of-month must lie within 1..31.
  return nil unless (1..31).cover?(day_of_month)

  # Two-digit years are expanded; other years before 1601 are rejected.
  if (100..1600).cover?(year)
    return nil
  elsif (70..99).cover?(year)
    year += 1900
  elsif (0..69).cover?(year)
    year += 2000
  end

  hh, mm, ss = time
  return nil if hh > 23 || mm > 59 || ss > 59

  tuple_to_time(day_of_month, month, year, time)
end


# File 'lib/http/cookie/scanner.rb', line 219

# Scans a Cookie request header value (RFC 6265 4.1.1 & 5.4) and yields
# each cookie-pair that carries a value.  A bare name with no "=" is
# consumed but not yielded.  Commas are never treated as pair separators
# here, only ";" is.
#
# @yieldparam name [String]
# @yieldparam value [String]
def scan_cookie
  # RFC 6265 4.1.1 & 5.4
  loop do
    break if eos?
    skip_wsp

    # Do not treat comma in a Cookie header value as separator; see CVE-2016-7401
    pair = scan_name_value(false)
    # A name without "=" comes back with a nil value and is dropped.
    yield(*pair) if pair.last

    skip(/;/)
  end
end

#scan_dquoted ⇒ Object



# File 'lib/http/cookie/scanner.rb', line 35

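# Scans the rest of a double-quoted string, the opening DQUOTE having
# already been consumed, and returns its unescaped content.  A backslash
# escapes the character that follows it; the closing DQUOTE is consumed
# but not returned.  An unterminated string yields everything up to the
# end of input, and a lone backslash at the very end is dropped instead
# of raising.
#
# @return [String] the unescaped content, never nil
def scan_dquoted
  value = +''
  until eos?
    if skip(/"/)
      break
    elsif skip(/\\/)
      # getch is nil when the input ends right after the backslash;
      # appending nil would raise TypeError on malformed header input.
      escaped = getch
      value << escaped if escaped
    elsif scan(/[^"\\]+/)
      value << matched
    end
  end
  value
end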

#scan_name ⇒ Object



# File 'lib/http/cookie/scanner.rb', line 48

# Scans a cookie name or attribute name (RE_NAME) at the current position
# and strips trailing whitespace from it.
#
# @return [String, nil] the name, possibly empty; nil when RE_NAME does
#   not match at the current position (it refuses to start on whitespace)
def scan_name
  name = scan(RE_NAME)
  name.rstrip! if name
  name
end

#scan_name_value(comma_as_separator = false) ⇒ Object



# File 'lib/http/cookie/scanner.rb', line 74

# Scans one name[=value] pair up to the next separator.
#
# The text after the name is consumed whether or not an "=" is present,
# so the scanner always ends up at the next ";" (or, with
# +comma_as_separator+, at a comma that starts another name=value pair).
# When there was no "=", the consumed text is discarded and the value is
# reported as nil.
#
# @param comma_as_separator [Boolean] passed through to #scan_value
# @return [Array(String, String)] the name and its value; the value is
#   nil when no "=" followed the name
def scan_name_value(comma_as_separator = false)
  name = scan_name
  has_value = skip(/\=/)
  scanned = scan_value(comma_as_separator)
  [name, has_value ? scanned : nil]
end


# File 'lib/http/cookie/scanner.rb', line 157

# Scans a Set-Cookie header value (RFC 6265 4.1.1 & 5.2) and yields one
# (name, value, attrs) triple per cookie definition.  Several definitions
# joined by a comma (as happens when multiple header values have been
# concatenated) are handled in turn.  Definitions without a value, with an
# empty name, or longer than HTTP::Cookie::MAX_LENGTH are skipped, with a
# warning on @logger when one is set.
#
# @yieldparam name [String]
# @yieldparam value [String]
# @yieldparam attrs [Hash{String => Object}] attribute names downcased;
#   "expires" holds the result of #parse_cookie_date, "max-age" the raw
#   integer string, "secure"/"httponly" true, other attributes their raw
#   (possibly nil) value
def scan_set_cookie
  # RFC 6265 4.1.1 & 5.2
  until eos?
    # Remember where this definition starts so its length can be checked.
    start = pos
    len = nil

    skip_wsp

    name, value = scan_name_value(true)
    if value.nil?
      @logger.warn("Cookie definition lacks a name-value pair.") if @logger
    elsif name.empty?
      @logger.warn("Cookie definition has an empty name.") if @logger
      # A nil value makes the yield at the end skip this definition.
      value = nil
    end
    attrs = {}

    # Attribute loop.  The `break` and `next` statements inside it act on
    # this inner `case ... end until eos?` loop, not on the outer one.
    case
    when skip(/,/)
      # The comma is used as separator for concatenating multiple
      # values of a header.
      len = (pos - 1) - start
      break
    when skip(/;/)
      skip_wsp
      aname, avalue = scan_name_value(true)
      # Nameless attributes, and attributes of a definition that has no
      # usable value, are consumed and dropped.
      next if aname.empty? || value.nil?
      aname.downcase!
      case aname
      when 'expires'
        # RFC 6265 5.2.1
        # A missing or unparsable date drops the attribute.
        avalue &&= parse_cookie_date(avalue) or next
      when 'max-age'
        # RFC 6265 5.2.2
        # Only an optionally negative integer string is accepted; it is
        # stored as the raw string.
        next unless /\A-?\d+\z/.match(avalue)
      when 'domain'
        # RFC 6265 5.2.3
        # An empty value SHOULD be ignored.
        next if avalue.nil? || avalue.empty?
      when 'path'
        # RFC 6265 5.2.4
        # A relative path must be ignored rather than normalizing it
        # to "/".
        next unless /\A\//.match(avalue)
      when 'secure', 'httponly'
        # RFC 6265 5.2.5, 5.2.6
        avalue = true
      end
      # Unknown attributes are kept with their raw value.
      attrs[aname] = avalue
    end until eos?

    # Reached end of input rather than a separating comma.
    len ||= pos - start

    if len > HTTP::Cookie::MAX_LENGTH
      @logger.warn("Cookie definition too long: #{name}") if @logger
      next
    end

    yield name, value, attrs if value
  end
end

#scan_value(comma_as_separator = false) ⇒ Object



# File 'lib/http/cookie/scanner.rb', line 54

# Scans a cookie-value (or attribute value) up to the next separator and
# returns it with trailing whitespace removed.  Scanning stops before ";"
# and, when +comma_as_separator+ is true, before a comma that
# RE_COOKIE_COMMA recognizes as introducing another name=value pair; any
# other comma is part of the value.  A double-quoted segment is unquoted
# through #scan_dquoted (RFC 6265 2.2).
#
# @param comma_as_separator [Boolean] false for Cookie request headers,
#   where commas never separate pairs; true for Set-Cookie values that may
#   have been concatenated
# @return [String] never nil; empty when nothing was scanned
def scan_value(comma_as_separator = false)
  value = +''
  until eos?
    if scan(/[^,;"]+/)
      value << matched
    elsif skip(/"/)
      # RFC 6265 2.2
      # A cookie-value may be DQUOTE'd.
      value << scan_dquoted
    elsif check(/;/)
      break
    elsif comma_as_separator && check(RE_COOKIE_COMMA)
      break
    else
      value << getch
    end
  end
  value.rstrip!
  value
end

#skip_wsp ⇒ Object



# File 'lib/http/cookie/scanner.rb', line 31

# Advances past any run of spaces and tabs (RE_WSP) at the current
# position.
#
# @return [Integer, nil] the number of characters skipped, or nil when
#   there was no whitespace to skip
def skip_wsp
  self.skip(RE_WSP)
end