Prevents response splitting and HTML injection attacks in
poorly-written applications which blindly pass along user input
in redirects.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63964 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpresponse.rb (send_body_io): use seek if NotImplementedError
is raised in IO.copy_stream with offset.
* lib/webrick/httpservlet/filehandler.rb (multipart_body): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63008 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Original patch by tenderlove (with minor style adjustments).
* lib/webrick/httpresponse.rb (send_header): call check_header
(check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb
(test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62968 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
The .write method needs to return the number of bytes written
to avoid confusing IO.copy_stream.
* lib/webrick/httpresponse.rb (ChunkedWrapper#write): return bytes written
(ChunkedWrapper#<<): return self
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62958 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This is also compatible with range responses generated
by Rack::File (tested with rack 2.0.3).
* lib/webrick/httpresponse.rb (send_body_io): use Content-Range
* lib/webrick/httpservlet/filehandler.rb (make_partial_content):
use File object for the single range case
* test/webrick/test_filehandler.rb (get_res_body): use send_body
to test result
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62955 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Remove the redundant _send_file method since its functionality
is unnecessary with IO.copy_stream. IO.copy_stream also allows
the use of sendfile under some OSes to speed up copies to
non-TLS sockets.
Testing with "curl >/dev/null" and "ruby -run -e httpd" to
read a 1G file over Linux loopback reveals a reduction from
around ~0.770 to ~0.490 seconds on the client side.
* lib/webrick/httpresponse.rb (send_body_io): use IO.copy_stream
(_send_file): remove
[Feature #14237]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62954 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This will make the next change to use IO.copy_stream
easier-to-read. When we can drop Ruby 2.4 support in a few
years, this will allow us to use writev(2) with multiple
arguments for headers and chunked responses.
* lib/webrick/cgi.rb (write): new wrapper method
lib/webrick/httpresponse.rb: (send_header): use socket.write
(send_body_io): ditto
(send_body_string): ditto
(send_body_proc): ditto
(_write_data): ditto
(ChunkedWrapper#write): ditto
(_send_file): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62953 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
I never knew "format" was a global method alias for "sprintf";
so it was confusing to me. Normally, one would use "sprintf"
since it's also available in many other languages, but
Integer#to_s avoids parsing a format string so it's less
bug-prone.
Furthermore, favor string interpolation over String#<< since it
is easier for the VM to optimize memory allocation (as in r60320).
Interpolation also reduces method calls and memory overhead
for inline method cache.
Finally, ensure we clear all short-lived buffers for body
responses. A similar change was made and measured for Net::*
in r58840 showing a large memory reduction on some workloads.
* webrick/httpresponse.rb (send_body_io): favor String#to_s,
reduce method calls for String#<<,
clear `buf' when done,
avoid extra String#bytesize calls
* (send_body_string): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60586 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpresponse.rb (send_body): call send_body_proc
(send_body_proc): new method
(class ChunkedWrapper): new class
* test/webrick/test_httpresponse.rb (test_send_body_proc): new test
(test_send_body_proc_chunked): ditto
[Feature #855]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60584 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
override the body more easily. [fix GH-1307]
* test/webrick/test_httpresponse.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54346 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
When you change this to true, you may need to add more tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53141 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
that responds to #readpartial and #read.
[ruby-trunk - Feature #8155]
* NEWS: NEWS for above
* test/webrick/test_httpresponse.rb: Tests for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42427 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
use readpartial to get data even if the response is streaming data and
each data is smaller than @buffer_size.
patched by yu nobuoka. [ruby-dev:45471] [Bug #6230]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35253 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
are allowed to have Keep-Alive connections.
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34024 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
are allowed to have a Keep-Alive connection. [ruby-core:41581]
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34023 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
HTTP/1.1 connection when returning an IO object as response body
without setting HTTPResponse#chunked to true. See #855 no.1.
* test/webrick/test_httpserver.rb: Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32188 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpresponse.rb (WEBrick::HTTPResponse#set_error):
Fix for possible cross-site scripting (CVE-2010-0541).
Found by Apple, reported by Hideki Yamane.
Patch by Hirokazu Nishio <nishio.hirokazu AT gmail.com>.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29002 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
:InputBufferSize and :OutputBufferSize.
* lib/webrick/utils.rb (WEBrick::Utils.timeout): add new timeout
method. this implementation is expected to be compatible with
timeout.rb and faster than timeout.rb.
* lib/webrick/httprequest.rb (WEBrick::HTTPRequest#_read_data):
Timeout.timeout is replaced by WEBrick::Utils.timeout.
* lib/webrick/httprequest.rb: WEBrick::HTTPRequest::BUFSIZE is
replaced by config[:InputBufferSize].
* lib/webrick/httpresposne.rb: WEBrick::HTTPResponse::BUFSIZE is
replaced by config[:OutputBufferSize].
* lib/webrick/server.rb: get rid of unnecessary require.
* test/webrick/test_utils.rb: test for WEBrick::Utils.timeout.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@10167 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
add WEBrick::Config::FileHandler[:AcceptableLanguages].
* lib/webrick/httpservlet/filehandler.rb
(WEBrick::HTTPServlet::FileHandler#set_filename): search files
having suffix of language-name which Accept-Language header field
includes if :AcceptableLanguages options is present.
* lib/webrick/httpservlet/filehandler.rb
(WEBrick::HTTPServlet::FileHandler#get_servlet): new method to
search servlet correspond to the suffix of filename.
* lib/webrick/httprequest.rb: add attributes access methods: accept,
accept_charset, accept_encoding, accept_language, content_length
and content_type.
* lib/webrick/httpresponse.rb: add attribute access methods:
content_length, content_length=, content_type and content_type=.
* lib/webrick/httputils.rb (WEBrick::HTTPUtils.mime_types):
use the second suffix to detect media type. (the first suffix
may be a language name.)
* lib/webrick/httputils.rb (WEBrick::HTTPUtils.parse_qvalues):
add method to parse Accept header field. it returns an Array of
values sorted by the qvalues.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@7033 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/cgi.rb (CGI::Socket): add check for existence of
OpenSSL module in all HTTPS related methods.
* lib/webrick/cgi.rb (CGI::Socket#cipher): should create similar
value to OpenSSL::SSLSocket#cipher.
* lib/webrick/httpresponse.rb (HTTPResponse#setup_header): should
set "connection: close" if @keep_alive is false.
* lib/webrick/https.rb (HTTPrequest#meta_vars): add supprt for
SSL_PROTOCOL, SSL_CIPHER_USEKEYSIZE and SSL_CIPHER_ALGKEYSIZE.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@5254 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Exception to avoid unexpected aborting. [ruby-core:01853]
* lib/webrick/server.rb (GenericServer#start_thread): should check
that peeraddr isn't nil before printing.
* lib/webrick/httpresponse.rb (HTTPResponse#start_thread): should
rescue Exception to avoid unexpected aborting of thread.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@5098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpserver.rb (HTTPServer#run): should pass the
request's keep_alive flag to the response.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@5031 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
