fix(http): use non-locale-sensitive string methods for comparison (#6029)

2024-11-21 20:50:22 +00:00 · 2024-09-20 16:28:06 +08:00 · 2024-09-20 16:28:06 +08:00 · a1f50b4cba
commit a1f50b4cba
parent 4830d4d4ac
4 changed files with 67 additions and 2 deletions
--- a/http/_negotiation/encoding.ts
+++ b/http/_negotiation/encoding.ts
@ -71,7 +71,7 @@ function specify(
    return;
  }
  let s = 0;
-  if (spec.encoding.toLocaleLowerCase() === encoding.toLocaleLowerCase()) {
+  if (spec.encoding.toLowerCase() === encoding.toLowerCase()) {
    s = 1;
  } else if (spec.encoding !== "*") {
    return;
--- a/http/cookie.ts
+++ b/http/cookie.ts
@ -358,7 +358,7 @@ function parseSetCookie(value: string): Cookie | null {
  };

  for (const [key, value] of attrs.slice(1)) {
-    switch (key.toLocaleLowerCase()) {
+    switch (key.toLowerCase()) {
      case "expires":
        cookie.expires = new Date(value);
        break;
--- a/http/cookie_test.ts
+++ b/http/cookie_test.ts
@ -1,4 +1,5 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
+import { stub } from "@std/testing/mock";
 import {
  deleteCookie,
  getCookies,
@ -615,3 +616,36 @@ Deno.test({
    assertEquals(getSetCookies(headers), []);
  },
 });
+
+Deno.test({
+  name: "getSetCookies() is locale independent",
+  fn() {
+    const setCookie = "a=b; EXPIRES=Thu, 19 Sep 2024 07:47:28 GMT";
+    const headers = new Headers({ "set-cookie": setCookie });
+    const expected = [{
+      "name": "a",
+      "value": "b",
+      "expires": new Date("2024-09-19T07:47:28.000Z"),
+    }];
+
+    assertEquals(getSetCookies(headers), expected);
+
+    {
+      /**
+       * Use of locale-sensitive methods with undefined locale may cause
+       * environment-sensitive bugs -
+       * [issue](https://github.com/denoland/std/issues/6016)
+       */
+      const toLocaleLowerCase = String.prototype.toLocaleLowerCase;
+      using _ = stub(
+        String.prototype,
+        "toLocaleLowerCase",
+        function (locale) {
+          return toLocaleLowerCase.call(this, locale ?? "tr-TR");
+        },
+      );
+
+      assertEquals(getSetCookies(headers), expected);
+    }
+  },
+});
--- a/http/negotiation_test.ts
+++ b/http/negotiation_test.ts
@ -2,6 +2,7 @@

 import { assertEquals } from "@std/assert";
 import { accepts, acceptsEncodings, acceptsLanguages } from "./negotiation.ts";
+import { stub } from "@std/testing/mock";

 Deno.test({
  name: "accepts() handles no args",
@ -109,6 +110,36 @@ Deno.test({
  },
 });

+Deno.test({
+  name: "acceptsEncodings() is locale independent",
+  fn() {
+    const req = new Request("https://example.com/", {
+      headers: { "accept-encoding": "GZIP" },
+    });
+    const encoding = "gzip";
+
+    assertEquals(acceptsEncodings(req, encoding), encoding);
+
+    {
+      /**
+       * Use of locale-sensitive methods with undefined locale may cause
+       * environment-sensitive bugs -
+       * [issue](https://github.com/denoland/std/issues/6016)
+       */
+      const toLocaleLowerCase = String.prototype.toLocaleLowerCase;
+      using _ = stub(
+        String.prototype,
+        "toLocaleLowerCase",
+        function (locale) {
+          return toLocaleLowerCase.call(this, locale ?? "tr-TR");
+        },
+      );
+
+      assertEquals(acceptsEncodings(req, encoding), encoding);
+    }
+  },
+});
+
 Deno.test({
  name: "acceptsLanguages() handles no args",
  fn() {