cgi 0.3.4 or higher does not allow .example.com as domain #35

Rails CI using Ruby 3.2.0-dev fails: https://buildkite.com/rails/rails/builds/91200#0184aae9-a971-4423-8bb6-60e7a14ec3fb/1048-1057

Investigated this failure and it is likely due to a cgi behavior change between 0.3.3 and 0.3.4, because the cgi default gem version has been bumped to 0.3.5 recently: https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/

Steps to reproduce

Expected behavior

It returns []

Actual behavior

It raises ArgumentError

Comments

It also reproduces with cgi 0.3.5. I intentionally used ruby 3.1.2 to compare the result with older versions of CGI.

```
% ruby -v
ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [arm64-darwin22]
% gem install cgi -v 0.3.5
Fetching cgi-0.3.5.gem
Building native extensions. This could take a while...
Successfully installed cgi-0.3.5
Parsing documentation for cgi-0.3.5
Installing ri documentation for cgi-0.3.5
Done installing documentation for cgi after 0 seconds
1 gem installed
% irb
irb(main):001:0> require 'cgi'
irb(main):002:0> CGI::Cookie.new('domain'=>'.example.com', 'name'=>'name1')
/Users/yahonda/.rbenv/versions/3.1.2/lib/ruby/gems/3.1.0/gems/cgi-0.3.5/lib/cgi/cookie.rb:128:in `domain=': invalid domain: ".example.com" (ArgumentError)
	from /Users/yahonda/.rbenv/versions/3.1.2/lib/ruby/gems/3.1.0/gems/cgi-0.3.5/lib/cgi/cookie.rb:95:in `initialize'
	from (irb):2:in `new'
	from (irb):2:in `<main>'
	from /Users/yahonda/.rbenv/versions/3.1.2/lib/ruby/gems/3.1.0/gems/irb-1.4.2/exe/irb:11:in `<top (required)>'
	from /Users/yahonda/.rbenv/versions/3.1.2/bin/irb:25:in `load'
	from /Users/yahonda/.rbenv/versions/3.1.2/bin/irb:25:in `<main>'
irb(main):003:0> quit
```

It's a duplicate of #29
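The traceback in the thread shows CGI::Cookie#domain= raising ArgumentError for ".example.com", and the advisory the issue links explains why such a check exists at all: it is part of the fix for HTTP response splitting through cookie attributes (CVE-2021-33621). The example below is added here and is not code from the issue, from the cgi gem or from Rails. It shows the workaround a caller can apply without loosening the check: drop a leading dot, which RFC 6265 section 5.2.3 says user agents ignore anyway, so the cookie scope is unchanged; refuse anything that could break out of the Set-Cookie line (CR, LF, ';', any non-hostname byte) with the example's own conservative regex, not the gem's; then build the cookie through CGI::Cookie as the issue does. It also probes whether the installed cgi still rejects the leading dot, so the same code runs on versions that raise and versions that do not. The helper names header_safe_domain, build_cookie and leading_dot_accepted? are hypothetical, and the choice to strip the dot rather than fail is an application decision assumed here.

```ruby
require 'cgi'

# Added example for this issue; not code from the cgi gem or the issue author.
# header_safe_domain, build_cookie and leading_dot_accepted? are hypothetical
# names. DOMAIN_RE is this example's own conservative rule, not the regex the
# cgi gem applies inside CGI::Cookie#domain=.

# One DNS label: 1-63 bytes of [A-Za-z0-9-], not starting or ending with '-'.
HOSTNAME_LABEL = /(?!-)[a-zA-Z0-9-]{1,63}(?<!-)/
# Whole domain: labels joined by '.', anchored so CR, LF, ';', spaces or any
# other byte that could terminate or split the Set-Cookie header cannot appear.
DOMAIN_RE = /\A#{HOSTNAME_LABEL}(?:\.#{HOSTNAME_LABEL})*\z/

# RFC 6265 section 5.2.3: a user agent strips a leading '.' from the Domain
# attribute, so ".example.com" and "example.com" scope the cookie identically.
# Normalizing the same way satisfies a cgi that rejects the dot while changing
# nothing the browser will see. Everything else is rejected, which is the
# response-splitting class the CVE-2021-33621 fix targets.
def header_safe_domain(domain)
  normalized = domain.to_s.sub(/\A\./, '')
  unless normalized.bytesize <= 253 && DOMAIN_RE.match?(normalized)
    raise ArgumentError, "refusing unsafe cookie domain: #{domain.inspect}"
  end
  normalized
end

# Same constructor call as in the issue, with the domain normalized first.
def build_cookie(name:, value:, domain:)
  CGI::Cookie.new('name' => name, 'value' => value,
                  'domain' => header_safe_domain(domain))
end

# Probe the installed cgi: does CGI::Cookie still raise on a leading dot?
def leading_dot_accepted?
  CGI::Cookie.new('name' => 'probe', 'domain' => '.example.com')
  true
rescue ArgumentError
  false
end

if __FILE__ == $0
  cookie = build_cookie(name: 'name1', value: 'v1', domain: '.example.com')
  puts cookie.to_s
  version = defined?(CGI::VERSION) ? CGI::VERSION : 'unknown'
  puts "installed cgi #{version} accepts a leading dot: #{leading_dot_accepted?}"
  begin
    # Constructed response-splitting payload: a second header smuggled in.
    header_safe_domain("example.com\r\nSet-Cookie: admin=1")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it under the Ruby that failed in the thread and under a newer one: the cookie line is identical on both, only the probe result differs. If an application must keep the literal leading dot (for example to match an existing regression test), it has to upgrade the gem rather than pass the value through, because the normalization here is the only part a caller controls.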