* lib/cgi.rb (CGI::Cookie): should handle multiple values for a

  cookie name.  [ruby-talk:156140]

* string.c (rb_str_substr): should propagate taintness even for
  empty strings.  [ruby-dev:27121]

* string.c (rb_str_aref): should infect result if range argument
  is tainted.  [ruby-dev:27121]


git-svn-id: http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_8@9200 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 4 insertions, 3 deletions

diff --git a/lib/cgi.rb b/lib/cgi.rb
index 7c84f6464..b18a03524 100644
--- a/lib/cgi.rb
+++ b/lib/cgi.rb
@@ -870,15 +870,16 @@ class CGI
     cookies = Hash.new([])
     return cookies unless raw_cookie
 
-    raw_cookie.split(/; /).each do |pairs|
+    raw_cookie.split(/[;,] /).each do |pairs|
       name, values = pairs.split('=',2)
       next unless name and values
       name = CGI::unescape(name)
       values ||= ""
       values = values.split('&').collect{|v| CGI::unescape(v) }
-      unless cookies.has_key?(name)
-        cookies[name] = Cookie::new({ "name" => name, "value" => values })
+      if cookies.has_key?(name)
+        values = cookies[name].value + values
       end
+      cookies[name] = Cookie::new({ "name" => name, "value" => values })
     end
 
     cookies