1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
ruby--ruby/spec/ruby/security/cve_2017_17742_spec.rb

38 lines
1.1 KiB
Ruby
Raw Normal View History

require_relative '../spec_helper'
2021-08-13 12:09:14 -04:00
# webrick is no longer in stdlib in Ruby 3+
ruby_version_is ""..."3.0" do
require "webrick"
require "stringio"
require "net/http"
2021-08-13 12:09:14 -04:00
describe "WEBrick" do
describe "resists CVE-2017-17742" do
it "for a response splitting headers" do
config = WEBrick::Config::HTTP
res = WEBrick::HTTPResponse.new config
res['X-header'] = "malicious\r\nCookie: hack"
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
res.code.should == '500'
io.string.should_not =~ /hack/
end
2021-08-13 12:09:14 -04:00
it "for a response splitting cookie headers" do
user_input = "malicious\r\nCookie: hack"
config = WEBrick::Config::HTTP
res = WEBrick::HTTPResponse.new config
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
res.code.should == '500'
io.string.should_not =~ /hack/
end
end
end
end