authornaruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-09-27 03:17:47 +0000
committernaruse <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-09-27 03:17:47 +0000
commit93280e0096b8ef0cf3207737e1383f626b0282f2 (patch)
tree2db80de700359282ce0101a6948e361767c3dda5 /test
parente2c62833a38f89bdb3bccc7165f3f0b62c3583b4 (diff)
downloadruby-93280e0096b8ef0cf3207737e1383f626b0282f2.tar.gz
* lib/cgi/cookie.rb (parse): don't allow , as a separator. [Bug #12791]
* lib/webrick/cookie.rb (parse): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56262 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
-rw-r--r--test/cgi/test_cgi_cookie.rb7
-rw-r--r--test/webrick/test_cookie.rb9
2 files changed, 14 insertions, 2 deletions
diff --git a/test/cgi/test_cgi_cookie.rb b/test/cgi/test_cgi_cookie.rb
index ae7b14a4dd..ca81e41133 100644
--- a/test/cgi/test_cgi_cookie.rb
+++ b/test/cgi/test_cgi_cookie.rb
@@ -88,9 +88,12 @@ class CGICookieTest < Test::Unit::TestCase
assert_equal(name, cookie.name)
assert_equal(value, cookie.value)
end
- ## ',' separator
- cookie_str = 'name1=val1&val2, name2=val2&%26%3C%3E%22&%E3%82%86%E3%82%93%E3%82%86%E3%82%93,_session_id=12345'
+ ## don't allow ',' separator
+ cookie_str = 'name1=val1&val2, name2=val2'
cookies = CGI::Cookie.parse(cookie_str)
+ list = [
+ ['name1', ['val1', 'val2, name2=val2']],
+ ]
list.each do |name, value|
cookie = cookies[name]
assert_equal(name, cookie.name)
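Review bot: The negative case `cookie_str = 'name1=val1&val2, name2=val2'` only exercises a comma followed by a space, whereas the removed string also contained `,_session_id=12345` with no whitespace, so that form is no longer tested; the same gap applies to the new `"hoge=moge, __div__session=9865ecfd514be7f7"` case in test/webrick/test_cookie.rb. A second input such as `'name1=val1&val2,name2=val2'` would pin it. The hunk also never checks that nothing was stored under `name2`; adding `assert_equal(1, cookies.size)` after the parse call would match what the WEBrick test asserts, assuming the returned collection holds only the parsed names. The `list.each` loop continues past the end of the hunk, so its remaining assertions are not visible here.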
diff --git a/test/webrick/test_cookie.rb b/test/webrick/test_cookie.rb
index ebbc5939dc..e46185f127 100644
--- a/test/webrick/test_cookie.rb
+++ b/test/webrick/test_cookie.rb
@@ -49,11 +49,20 @@ class TestWEBrickCookie < Test::Unit::TestCase
data = "hoge=moge; __div__session=9865ecfd514be7f7"
cookies = WEBrick::Cookie.parse(data)
+ assert_equal(2, cookies.size)
assert_equal(0, cookies[0].version)
assert_equal("hoge", cookies[0].name)
assert_equal("moge", cookies[0].value)
assert_equal("__div__session", cookies[1].name)
assert_equal("9865ecfd514be7f7", cookies[1].value)
+
+ # don't allow ,-separator
+ data = "hoge=moge, __div__session=9865ecfd514be7f7"
+ cookies = WEBrick::Cookie.parse(data)
+ assert_equal(1, cookies.size)
+ assert_equal(0, cookies[0].version)
+ assert_equal("hoge", cookies[0].name)
+ assert_equal("moge, __div__session=9865ecfd514be7f7", cookies[0].value)
end
def test_parse_no_whitespace
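Review bot: The comma case is appended to the end of `test_parse`, so it has no name of its own and does not run when an earlier assertion in that method fails; a dedicated method, e.g. `def test_parse_comma_is_not_separator`, would report it separately. The comment `# don't allow ,-separator` would also be more useful if it recorded the reason: `# [Bug #12791] ',' is part of the value; splitting on it would turn one cookie's value into a second cookie`. `test_parse` begins before the hunk, so the rest of its body is not visible here.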