Open Build Service

Changes of Revision 20

_service:tar_scm_kernel_repo:ruby.spec Changed

_service:tar_scm_kernel_repo:CVE-2021-41819.patch Added

@@ -0,0 +1,38 @@
+From 052eb3a828b0f99bca39cfd800f6c2b91307dbd5 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Mon, 29 Jun 2020 10:29:25 +0900
+Subject: [PATCH] When parsing cookies, only decode the values
+
+---
+ lib/cgi/cookie.rb           | 1 -
+ test/cgi/test_cgi_cookie.rb | 5 +++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index ae9ab58..6b0d89c 100644
+--- a/lib/cgi/cookie.rb
++++ b/lib/cgi/cookie.rb
+@@ -165,7 +165,6 @@ def self.parse(raw_cookie)
+       raw_cookie.split(/;\s?/).each do |pairs|
+         name, values = pairs.split('=',2)
+         next unless name and values
+-        name = CGI.unescape(name)
+         values ||= ""
+         values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+         if cookies.has_key?(name)
+diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb
+index 115a57e..985cc0d 100644
+--- a/test/cgi/test_cgi_cookie.rb
++++ b/test/cgi/test_cgi_cookie.rb
+@@ -101,6 +101,11 @@ def test_cgi_cookie_parse
+     end
+   end
+ 
++  def test_cgi_cookie_parse_not_decode_name
++    cookie_str = "%66oo=baz;foo=bar"
++    cookies = CGI::Cookie.parse(cookie_str)
++    assert_equal({"%66oo" => ["baz"], "foo" => ["bar"]}, cookies)
++  end
+ 
+   def test_cgi_cookie_arrayinterface
+     cookie = CGI::Cookie.new('name1', 'a', 'b', 'c')