kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

webrick: prevent response splitting and header injection

Browse source 
Original patch by tenderlove (with minor style adjustments).

* lib/webrick/httpresponse.rb (send_header): call check_header
  (check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb
  (test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62968 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
normal 2018-03-28 08:38:26 +00:00
parent 7292569d3f
commit d9d4a28f1c
2 changed files with 39 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

19
lib/webrick/httpresponse.rb
View file

@ -21,6 +21,8 @@ module WEBrick
# WEBrick HTTP Servlet. # WEBrick HTTP Servlet.
class HTTPResponse class HTTPResponse
class InvalidHeader < StandardError
end
## ##
# HTTP Response version # HTTP Response version
@ -287,14 +289,19 @@ module WEBrick
data = status_line() data = status_line()
@header.each{|key, value| @header.each{|key, value|
tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase } tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase }
data << "#{tmp}: #{value}" << CRLF data << "#{tmp}: #{check_header(value)}" << CRLF
} }
@cookies.each{|cookie| @cookies.each{|cookie|
data << "Set-Cookie: " << cookie.to_s << CRLF data << "Set-Cookie: " << check_header(cookie.to_s) << CRLF
} }
data << CRLF data << CRLF
socket.write(data) socket.write(data)
end end
rescue InvalidHeader => e
@header.clear
@cookies.clear
set_error e
retry
end end
## ##
@ -359,6 +366,14 @@ module WEBrick
private private
def check_header(header_value)
if header_value =~ /\r\n/
raise InvalidHeader
else
header_value
end
end
# :stopdoc: # :stopdoc:
def error_body(backtrace, ex, host, port) def error_body(backtrace, ex, host, port)

22
test/webrick/test_httpresponse.rb
View file

@ -2,6 +2,7 @@
require "webrick" require "webrick"
require "minitest/autorun" require "minitest/autorun"
require "stringio" require "stringio"
require "net/http"
module WEBrick module WEBrick
class TestHTTPResponse < MiniTest::Unit::TestCase class TestHTTPResponse < MiniTest::Unit::TestCase
@ -28,6 +29,27 @@ module WEBrick
@res.keep_alive = true @res.keep_alive = true
end end
def test_prevent_response_splitting_headers
res['X-header'] = "malicious\r\nCookie: hack"
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
end
def test_prevent_response_splitting_cookie_headers
user_input = "malicious\r\nCookie: hack"
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
end
def test_304_does_not_log_warning def test_304_does_not_log_warning
res.status = 304 res.status = 304
res.setup_header res.setup_header