From 88bcccd4333fee37e90dc524ccb7cc20745e0332 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 20 May 2013 01:40:30 +0000
Subject: [PATCH] webrick: fix non-ascii escape bugs

* lib/webrick/htmlutils.rb (WEBrick::HTMLUtils#escape): replace HTML
  meta chars even in non-ascii string.  [Bug #8425] [ruby-core:55052]
* lib/webrick/httputils.rb (WEBrick::HTTPUtils#{_escape,_unescape}):
  fix %-escape encodings.  [Bug #8425] [ruby-core:55052]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40848 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog                      |  8 +++++++-
 lib/webrick/htmlutils.rb       |  5 +++--
 lib/webrick/httputils.rb       | 14 ++++++++++++--
 test/webrick/test_htmlutils.rb |  6 +++++-
 test/webrick/test_httputils.rb |  4 ++++
 5 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 49a8463756..31dc431223 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,10 @@
-Mon May 20 09:53:31 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+Mon May 20 10:40:21 2013  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* lib/webrick/htmlutils.rb (WEBrick::HTMLUtils#escape): replace HTML
+	  meta chars even in non-ascii string.  [Bug #8425] [ruby-core:55052]
+
+	* lib/webrick/httputils.rb (WEBrick::HTTPUtils#{_escape,_unescape}):
+	  fix %-escape encodings.  [Bug #8425] [ruby-core:55052]
 
 	* lib/webrick/httpservlet/filehandler.rb (set_dir_list): revert r20152
 	  partially and fix misuse of bytesize and regexp repetition operator.
diff --git a/lib/webrick/htmlutils.rb b/lib/webrick/htmlutils.rb
index ed901f1ce2..4cb3d0d7f6 100644
--- a/lib/webrick/htmlutils.rb
+++ b/lib/webrick/htmlutils.rb
@@ -15,12 +15,13 @@ module WEBrick
     # Escapes &, ", > and < in +string+
 
     def escape(string)
-      str = string ? string.dup : ""
+      return "" unless string
+      str = string.b
       str.gsub!(/&/n, '&amp;')
       str.gsub!(/\"/n, '&quot;')
       str.gsub!(/>/n, '&gt;')
       str.gsub!(/</n, '&lt;')
-      str
+      str.force_encoding(string.encoding)
     end
     module_function :escape
 
diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb
index a0ca3a48c7..a5f0632b86 100644
--- a/lib/webrick/httputils.rb
+++ b/lib/webrick/httputils.rb
@@ -437,8 +437,18 @@ module WEBrick
 
     def _make_regex(str) /([#{Regexp.escape(str)}])/n end
     def _make_regex!(str) /([^#{Regexp.escape(str)}])/n end
-    def _escape(str, regex) str.gsub(regex){ "%%%02X" % $1.ord } end
-    def _unescape(str, regex) str.gsub(regex){ $1.hex.chr } end
+    def _escape(str, regex)
+      str = str.b
+      str.gsub!(regex) {"%%%02X" % $1.ord}
+      # %-escaped string should contain US-ASCII only
+      str.force_encoding(Encoding::US_ASCII)
+    end
+    def _unescape(str, regex)
+      str = str.b
+      str.gsub!(regex) {$1.hex.chr}
+      # encoding of %-unescaped string is unknown
+      str
+    end
 
     UNESCAPED = _make_regex(control+space+delims+unwise+nonascii)
     UNESCAPED_FORM = _make_regex(reserved+control+delims+unwise+nonascii)
diff --git a/test/webrick/test_htmlutils.rb b/test/webrick/test_htmlutils.rb
index 987bc229c9..1fe49ee226 100644
--- a/test/webrick/test_htmlutils.rb
+++ b/test/webrick/test_htmlutils.rb
@@ -11,6 +11,10 @@ class TestWEBrickHTMLUtils < Test::Unit::TestCase
     assert_equal("foo&quot;bar", escape("foo\"bar"))
     assert_equal("foo&gt;bar", escape("foo>bar"))
     assert_equal("foo&lt;bar", escape("foo<bar"))
-    assert_equal("こんにちは", escape("こんにちは"))
+    assert_equal("\u{3053 3093 306B 3061 306F}", escape("\u{3053 3093 306B 3061 306F}"))
+    bug8425 = '[Bug #8425] [ruby-core:55052]'
+    assert_nothing_raised(ArgumentError, Encoding::CompatibilityError, bug8425) {
+      assert_equal("\u{3053 3093 306B}\xff&lt;", escape("\u{3053 3093 306B}\xff<"))
+    }
   end
 end
diff --git a/test/webrick/test_httputils.rb b/test/webrick/test_httputils.rb
index ebe8a2b8a5..2753cbe6c9 100644
--- a/test/webrick/test_httputils.rb
+++ b/test/webrick/test_httputils.rb
@@ -66,6 +66,10 @@ class TestWEBrickHTTPUtils < Test::Unit::TestCase
     assert_equal("/~foo%20bar", escape("/~foo bar"))
     assert_equal("/~foo%09bar", escape("/~foo\tbar"))
     assert_equal("/~foo+bar", escape("/~foo+bar"))
+    bug8425 = '[Bug #8425] [ruby-core:55052]'
+    assert_nothing_raised(ArgumentError, Encoding::CompatibilityError, bug8425) {
+      assert_equal("%E3%83%AB%E3%83%93%E3%83%BC%E3%81%95%E3%82%93", escape("\u{30EB 30D3 30FC 3055 3093}"))
+    }
   end
 
   def test_escape_form