ruby-changes:47784
From: usa <ko1@a...>
Date: Thu, 14 Sep 2017 20:37:53 +0900 (JST)
Subject: [ruby-changes:47784] usa:r59902 (ruby_2_2): merge revision(s) 59897:
usa 2017-09-14 20:37:47 +0900 (Thu, 14 Sep 2017) New Revision: 59902 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=59902 Log: merge revision(s) 59897: lib/webrick/log.rb: sanitize any type of logs It had failed to sanitize some type of exception messages. Reported and patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363 Modified directories: branches/ruby_2_2/ Modified files: branches/ruby_2_2/ChangeLog branches/ruby_2_2/lib/webrick/httpstatus.rb branches/ruby_2_2/lib/webrick/log.rb branches/ruby_2_2/test/webrick/test_httpauth.rb branches/ruby_2_2/version.h Index: ruby_2_2/lib/webrick/log.rb =================================================================== --- ruby_2_2/lib/webrick/log.rb (revision 59901) +++ ruby_2_2/lib/webrick/log.rb (revision 59902) @@ -117,10 +117,10 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/log.rb#L117 # * Otherwise it will return +arg+.inspect. def format(arg) if arg.is_a?(Exception) - "#{arg.class}: #{arg.message}\n\t" << + "#{arg.class}: #{AccessLog.escape(arg.message)}\n\t" << arg.backtrace.join("\n\t") << "\n" elsif arg.respond_to?(:to_str) - arg.to_str + AccessLog.escape(arg.to_str) else arg.inspect end Index: ruby_2_2/lib/webrick/httpstatus.rb =================================================================== --- ruby_2_2/lib/webrick/httpstatus.rb (revision 59901) +++ ruby_2_2/lib/webrick/httpstatus.rb (revision 59902) @@ -22,10 +22,6 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/httpstatus.rb#L22 ## # Root of the HTTP status class hierarchy class Status < StandardError - def initialize(*args) # :nodoc: - args[0] = AccessLog.escape(args[0]) unless args.empty? - super(*args) - end class << self attr_reader :code, :reason_phrase # :nodoc: end Index: ruby_2_2/version.h =================================================================== --- ruby_2_2/version.h (revision 59901) +++ ruby_2_2/version.h (revision 59902) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1 #define RUBY_VERSION "2.2.8" #define RUBY_RELEASE_DATE "2017-09-14" -#define RUBY_PATCHLEVEL 474 +#define RUBY_PATCHLEVEL 475 #define RUBY_RELEASE_YEAR 2017 #define RUBY_RELEASE_MONTH 9 Index: ruby_2_2/ChangeLog =================================================================== --- ruby_2_2/ChangeLog (revision 59901) +++ ruby_2_2/ChangeLog (revision 59902) @@ -1,3 +1,10 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1 +Thu Sep 14 20:36:54 2017 Yusuke Endoh <mame@r...> + + lib/webrick/log.rb: sanitize any type of logs + + It had failed to sanitize some type of exception messages. Reported and + patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363 + Thu Sep 14 20:33:52 2017 Nobuyoshi Nakada <nobu@r...> Fix space flag when Inf/NaN and width==3 Index: ruby_2_2/test/webrick/test_httpauth.rb =================================================================== --- ruby_2_2/test/webrick/test_httpauth.rb (revision 59901) +++ ruby_2_2/test/webrick/test_httpauth.rb (revision 59902) @@ -97,6 +97,42 @@ class TestWEBrickHTTPAuth < Test::Unit:: https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/webrick/test_httpauth.rb#L97 } end + def test_bad_username_with_control_characters + log_tester = lambda {|log, access_log| + assert_equal(2, log.length) + assert_match(/ERROR Basic WEBrick's realm: foo\\ebar: the user is not allowed./, log[0]) + assert_match(/ERROR WEBrick::HTTPStatus::Unauthorized/, log[1]) + } + TestWEBrick.start_httpserver({}, log_tester) {|server, addr, port, log| + realm = "WEBrick's realm" + path = "/basic_auth" + + Tempfile.create("test_webrick_auth") {|tmpfile| + tmpfile.close + tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path) + tmp_pass.set_passwd(realm, "webrick", "supersecretpassword") + tmp_pass.set_passwd(realm, "foo", "supersecretpassword") + tmp_pass.flush + + htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path) + users = [] + htpasswd.each{|user, pass| users << user } + server.mount_proc(path){|req, res| + auth = WEBrick::HTTPAuth::BasicAuth.new( + :Realm => realm, :UserDB => htpasswd, + :Logger => server.logger + ) + auth.authenticate(req, res) + res.body = "hoge" + } + http = Net::HTTP.new(addr, port) + g = Net::HTTP::Get.new(path) + g.basic_auth("foo\ebar", "passwd") + http.request(g){|res| assert_not_equal("hoge", res.body, log.call) } + } + } + end + DIGESTRES_ = / ([a-zA-Z\-]+) [ \t]*(?:\r\n[ \t]*)* Index: ruby_2_2 =================================================================== --- ruby_2_2 (revision 59901) +++ ruby_2_2 (revision 59902) Property changes on: ruby_2_2 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /trunk:r59897 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/