ruby-changes:50796
From: nagachika <ko1@a...>
Date: Wed, 28 Mar 2018 20:49:05 +0900 (JST)
Subject: [ruby-changes:50796] nagachika:r63002 (ruby_2_4): merge revision(s) 62968:
nagachika 2018-03-28 20:49:00 +0900 (Wed, 28 Mar 2018) New Revision: 63002 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=63002 Log: merge revision(s) 62968: webrick: prevent response splitting and header injection Original patch by tenderlove (with minor style adjustments). * lib/webrick/httpresponse.rb (send_header): call check_header (check_header): raise on embedded CRLF in header value * test/webrick/test_httpresponse.rb (test_prevent_response_splitting_headers): new test * (test_prevent_response_splitting_cookie_headers): ditto Modified directories: branches/ruby_2_4/ Modified files: branches/ruby_2_4/lib/webrick/httpresponse.rb branches/ruby_2_4/test/webrick/test_httpresponse.rb branches/ruby_2_4/version.h Index: ruby_2_4/lib/webrick/httpresponse.rb =================================================================== --- ruby_2_4/lib/webrick/httpresponse.rb (revision 63001) +++ ruby_2_4/lib/webrick/httpresponse.rb (revision 63002) @@ -21,6 +21,8 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/webrick/httpresponse.rb#L21 # WEBrick HTTP Servlet. class HTTPResponse + class InvalidHeader < StandardError + end ## # HTTP Response version @@ -287,14 +289,19 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/webrick/httpresponse.rb#L289 data = status_line() @header.each{|key, value| tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase } - data << "#{tmp}: #{value}" << CRLF + data << "#{tmp}: #{check_header(value)}" << CRLF } @cookies.each{|cookie| - data << "Set-Cookie: " << cookie.to_s << CRLF + data << "Set-Cookie: " << check_header(cookie.to_s) << CRLF } data << CRLF socket.write(data) end + rescue InvalidHeader => e + @header.clear + @cookies.clear + set_error e + retry end ## @@ -357,6 +364,14 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_4/lib/webrick/httpresponse.rb#L364 private + def check_header(header_value) + if header_value =~ /\r\n/ + raise InvalidHeader + else + header_value + end + end + # :stopdoc: def error_body(backtrace, ex, host, port) Index: ruby_2_4/version.h =================================================================== --- ruby_2_4/version.h (revision 63001) +++ ruby_2_4/version.h (revision 63002) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_4/version.h#L1 #define RUBY_VERSION "2.4.4" #define RUBY_RELEASE_DATE "2018-03-28" -#define RUBY_PATCHLEVEL 292 +#define RUBY_PATCHLEVEL 293 #define RUBY_RELEASE_YEAR 2018 #define RUBY_RELEASE_MONTH 3 Index: ruby_2_4/test/webrick/test_httpresponse.rb =================================================================== --- ruby_2_4/test/webrick/test_httpresponse.rb (revision 63001) +++ ruby_2_4/test/webrick/test_httpresponse.rb (revision 63002) @@ -2,6 +2,7 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_4/test/webrick/test_httpresponse.rb#L2 require "webrick" require "minitest/autorun" require "stringio" +require "net/http" module WEBrick class TestHTTPResponse < MiniTest::Unit::TestCase @@ -28,6 +29,27 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_4/test/webrick/test_httpresponse.rb#L29 @res.keep_alive = true end + def test_prevent_response_splitting_headers + res['X-header'] = "malicious\r\nCookie: hack" + io = StringIO.new + res.send_response io + io.rewind + res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) + assert_equal '500', res.code + refute_match 'hack', io.string + end + + def test_prevent_response_splitting_cookie_headers + user_input = "malicious\r\nCookie: hack" + res.cookies << WEBrick::Cookie.new('author', user_input) + io = StringIO.new + res.send_response io + io.rewind + res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) + assert_equal '500', res.code + refute_match 'hack', io.string + end + def test_304_does_not_log_warning res.status = 304 res.setup_header Index: ruby_2_4 =================================================================== --- ruby_2_4 (revision 63001) +++ ruby_2_4 (revision 63002) Property changes on: ruby_2_4 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /trunk:r62968 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/