author | Aaron Patterson <aaron.patterson@gmail.com> | 2015-06-18 14:50:16 -0700 |
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2015-06-18 14:50:16 -0700 |
commit | a853058100191edabac5d73c9713aa5d0dce5530 (patch) | |
tree | cd7a607e36c6a883e3087c69cf69f775e4740363 | |
parent | cb9a68493b5a17a35c31b2c8cbacd81d5b0e4fae (diff) | |
parent | 62d54eada90158033ba47f804d06adfc75940dc5 (diff) | |
Merge pull request #899 from matthewd/1-6-semicolon
[1-6-stable] Fix GET semicolons without breaking API compatibility
-rw-r--r-- | HISTORY.md | 4 | ||||
-rw-r--r-- | lib/rack/request.rb | 8 | ||||
-rw-r--r-- | test/spec_request.rb | 21 |
3 files changed, 25 insertions, 8 deletions
@@ -1,3 +1,7 @@
+Fri Jun 19 07:14:50 2015 Matthew Draper <matthew@trebex.net>
+
+ * Work around a Rails incompatibility in our private API
+
 Fri Jun 12 11:37:41 2015 Aaron Patterson <tenderlove@ruby-lang.org>
 
 * Prevent extremely deep parameters from being parsed. CVE-2015-3225
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
index e6e46e9d..ac95b1ca 100644
--- a/lib/rack/request.rb
+++ b/lib/rack/request.rb
@@ -188,7 +188,7 @@ module Rack
 if @env["rack.request.query_string"] == query_string
 @env["rack.request.query_hash"]
 else
- p = parse_query(query_string)
+ p = parse_query({ :query => query_string, :separator => '&;' })
 @env["rack.request.query_string"] = query_string
 @env["rack.request.query_hash"] = p
 end
@@ -212,7 +212,7 @@ module Rack
 form_vars.slice!(-1) if form_vars[-1] == ?\0
 
 @env["rack.request.form_vars"] = form_vars
- @env["rack.request.form_hash"] = parse_query(form_vars)
+ @env["rack.request.form_hash"] = parse_query({ :query => form_vars, :separator => '&' })
 
 @env["rack.input"].rewind
 end
@@ -366,7 +366,9 @@ module Rack
 end
 
 def parse_query(qs)
- Utils.parse_nested_query(qs, '&')
+ d = '&'
+ qs, d = qs[:query], qs[:separator] if Hash === qs
+ Utils.parse_nested_query(qs, d)
 end
 
 def parse_multipart(env)
diff --git a/test/spec_request.rb b/test/spec_request.rb
index 6f379a0b..a44e0a71 100644
--- a/test/spec_request.rb
+++ b/test/spec_request.rb
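Review bot: In the new parse_query (third hunk of lib/rack/request.rb) the default `d = '&'` is dead on the Hash path, because `qs, d = qs[:query], qs[:separator] if Hash === qs` overwrites d with whatever the Hash carries, nil included; Utils.parse_nested_query is outside this hunk so I cannot see how it treats a nil separator, but if it falls back to its own default the form-body caller in the second hunk would silently get the old semicolon splitting again whenever a caller builds the Hash without :separator. Keeping the literal as the fallback is a one-line change, `qs, d = qs[:query], (qs[:separator] || d) if Hash === qs`, and a Hash without :query likewise turns qs into nil rather than failing loudly. The method also deserves a comment stating its contract, e.g. `# qs is a String, or a Hash with :query and :separator; single-argument arity is kept so existing overrides of parse_query(qs) still work` (the reason for the Hash shape is inferred from the HISTORY entry, so word it to match the actual constraint). The GET and POST bodies in the first two hunks start and end outside the hunks; only parse_query is visible in full.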
@@ -134,12 +134,23 @@ describe Rack::Request do
 req.params.should.equal "foo" => "bar", "quux" => "bla"
 end
 
- should "not truncate query strings containing semi-colons #543" do
- req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la"))
- req.query_string.should.equal "foo=bar&quux=b;la"
- req.GET.should.equal "foo" => "bar", "quux" => "b;la"
+ should "not truncate query strings containing semi-colons #543 only in POST" do
+ mr = Rack::MockRequest.env_for("/",
+ "REQUEST_METHOD" => 'POST',
+ :input => "foo=bar&quux=b;la")
+ req = Rack::Request.new mr
+ req.query_string.should.equal ""
+ req.GET.should.be.empty
+ req.POST.should.equal "foo" => "bar", "quux" => "b;la"
+ req.params.should.equal req.GET.merge(req.POST)
+ end
+
+ should "use semi-colons as separators for query strings in GET" do
+ req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la;wun=duh"))
+ req.query_string.should.equal "foo=bar&quux=b;la;wun=duh"
+ req.GET.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh"
 req.POST.should.be.empty
- req.params.should.equal "foo" => "bar", "quux" => "b;la"
+ req.params.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh"
 end
 
 should "limit the keys from the GET query string" do |
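Review bot: Neither new spec exercises parse_query with a plain String argument, which is the compatibility path the `Hash === qs` guard in lib/rack/request.rb exists to keep working; both specs go through GET and POST, which now always pass a Hash. A direct spec would pin that path, for example `Rack::Request.new({}).send(:parse_query, "a=1;b=2").should.equal "a" => "1;b=2"`, so that a later change to the default separator is caught. The second spec does pin the user-visible GET change — a `;` inside a value now starts a new key (`"la" => nil`) — which is worth a sentence in the HISTORY entry, since downstream code that relied on `quux=b;la` surviving intact will see different params. The enclosing describe block starts outside this hunk.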