merge revision(s) 59897:

lib/webrick/log.rb: sanitize any type of logs It had failed to sanitize some type of exception messages. Reported and patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@59898 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2017-09-14 11:24:10 +00:00 · 2017-09-14 11:24:10 +00:00 · dead0efddb
commit dead0efddb
parent a59b02c6bc
4 changed files with 41 additions and 9 deletions
--- a/lib/webrick/httpstatus.rb
+++ b/lib/webrick/httpstatus.rb
@ -23,10 +23,6 @@ module WEBrick
    ##
    # Root of the HTTP status class hierarchy
    class Status < StandardError
-      def initialize(*args) # :nodoc:
-        args[0] = AccessLog.escape(args[0]) unless args.empty?
-        super(*args)
-      end
      class << self
        attr_reader :code, :reason_phrase # :nodoc:
      end
--- a/lib/webrick/log.rb
+++ b/lib/webrick/log.rb
@ -118,10 +118,10 @@ module WEBrick
    # * Otherwise it will return +arg+.inspect.
    def format(arg)
      if arg.is_a?(Exception)
-        "#{arg.class}: #{arg.message}\n\t" <<
+        "#{arg.class}: #{AccessLog.escape(arg.message)}\n\t" <<
        arg.backtrace.join("\n\t") << "\n"
      elsif arg.respond_to?(:to_str)
-        arg.to_str
+        AccessLog.escape(arg.to_str)
      else
        arg.inspect
      end
--- a/test/webrick/test_httpauth.rb
+++ b/test/webrick/test_httpauth.rb
@ -103,6 +103,42 @@ class TestWEBrickHTTPAuth < Test::Unit::TestCase
    }
  end

+  def test_bad_username_with_control_characters
+    log_tester = lambda {|log, access_log|
+      assert_equal(2, log.length)
+      assert_match(/ERROR Basic WEBrick's realm: foo\\ebar: the user is not allowed./, log[0])
+      assert_match(/ERROR WEBrick::HTTPStatus::Unauthorized/, log[1])
+    }
+    TestWEBrick.start_httpserver({}, log_tester) {|server, addr, port, log|
+      realm = "WEBrick's realm"
+      path = "/basic_auth"
+
+      Tempfile.create("test_webrick_auth") {|tmpfile|
+        tmpfile.close
+        tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+        tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
+        tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
+        tmp_pass.flush
+
+        htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+        users = []
+        htpasswd.each{|user, pass| users << user }
+        server.mount_proc(path){|req, res|
+          auth = WEBrick::HTTPAuth::BasicAuth.new(
+            :Realm => realm, :UserDB => htpasswd,
+            :Logger => server.logger
+          )
+          auth.authenticate(req, res)
+          res.body = "hoge"
+        }
+        http = Net::HTTP.new(addr, port)
+        g = Net::HTTP::Get.new(path)
+        g.basic_auth("foo\ebar", "passwd")
+        http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
+      }
+    }
+  end
+
  DIGESTRES_ = /
    ([a-zA-Z\-]+)
      [ \t]*(?:\r\n[ \t]*)*
--- a/version.h
+++ b/version.h
@ -1,10 +1,10 @@
 #define RUBY_VERSION "2.4.2"
-#define RUBY_RELEASE_DATE "2017-09-12"
-#define RUBY_PATCHLEVEL 197
+#define RUBY_RELEASE_DATE "2017-09-14"
+#define RUBY_PATCHLEVEL 198

 #define RUBY_RELEASE_YEAR 2017
 #define RUBY_RELEASE_MONTH 9
-#define RUBY_RELEASE_DAY 12
+#define RUBY_RELEASE_DAY 14

 #include "ruby/version.h"