From 8fc4b4792919c627183f4ddb6dc256aae49eb738 Mon Sep 17 00:00:00 2001 From: Hiroshi SHIBATA Date: Tue, 22 Nov 2022 13:48:18 +0900 Subject: [PATCH] Fix CVE-2021-33621 HTTP response splitting in CGI. Backported from upstream Ruby, commit: https://github.com/ruby/ruby/commit/7cf697179dab52b0d024543304f4d3ab5fa5e847 Test "CGICookieTest#test_cgi_cookie_new_with_domain" was adjusted to deal with Ruby 2.5 not allowing String with double splat operator. ==== Original commit message Merge CGI-0.1.0.2 --- lib/cgi/cookie.rb | 51 ++++++++++++++++------- lib/cgi/core.rb | 45 ++++++++++++-------- test/cgi/test_cgi_cookie.rb | 82 +++++++++++++++++++++++++++++++++++++ test/cgi/test_cgi_header.rb | 8 ++++ 4 files changed, 154 insertions(+), 32 deletions(-) diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb index 009566b..f26f015 100644 --- a/lib/cgi/cookie.rb +++ b/lib/cgi/cookie.rb @@ -40,6 +40,10 @@ class CGI class Cookie < Array @@accept_charset="UTF-8" unless defined?(@@accept_charset) + TOKEN_RE = %r"\A[[!-~]&&[^()<>@,;:\\\"/?=\[\]{}]]+\z" + PATH_VALUE_RE = %r"\A[[ -~]&&[^;]]*\z" + DOMAIN_VALUE_RE = %r"\A(?