ruby-changes:50815
From: usa <ko1@a...>
Date: Wed, 28 Mar 2018 23:50:32 +0900 (JST)
Subject: [ruby-changes:50815] usa:r63022 (ruby_2_2): merge revision(s) 62968:
usa 2018-03-28 23:50:27 +0900 (Wed, 28 Mar 2018) New Revision: 63022 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=63022 Log: merge revision(s) 62968: webrick: prevent response splitting and header injection Original patch by tenderlove (with minor style adjustments). * lib/webrick/httpresponse.rb (send_header): call check_header (check_header): raise on embedded CRLF in header value * test/webrick/test_httpresponse.rb (test_prevent_response_splitting_headers): new test * (test_prevent_response_splitting_cookie_headers): ditto Modified directories: branches/ruby_2_2/ Modified files: branches/ruby_2_2/ChangeLog branches/ruby_2_2/lib/webrick/httpresponse.rb branches/ruby_2_2/test/webrick/test_httpresponse.rb branches/ruby_2_2/version.h Index: ruby_2_2/test/webrick/test_httpresponse.rb =================================================================== --- ruby_2_2/test/webrick/test_httpresponse.rb (revision 63021) +++ ruby_2_2/test/webrick/test_httpresponse.rb (revision 63022) @@ -1,6 +1,7 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/webrick/test_httpresponse.rb#L1 require "webrick" require "minitest/autorun" require "stringio" +require "net/http" module WEBrick class TestHTTPResponse < MiniTest::Unit::TestCase @@ -27,6 +28,27 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/webrick/test_httpresponse.rb#L28 @res.keep_alive = true end + def test_prevent_response_splitting_headers + res['X-header'] = "malicious\r\nCookie: hack" + io = StringIO.new + res.send_response io + io.rewind + res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) + assert_equal '500', res.code + refute_match 'hack', io.string + end + + def test_prevent_response_splitting_cookie_headers + user_input = "malicious\r\nCookie: hack" + res.cookies << WEBrick::Cookie.new('author', user_input) + io = StringIO.new + res.send_response io + io.rewind + res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) + assert_equal '500', res.code + refute_match 'hack', io.string + end + def test_304_does_not_log_warning res.status = 304 res.setup_header Index: ruby_2_2/version.h =================================================================== --- ruby_2_2/version.h (revision 63021) +++ ruby_2_2/version.h (revision 63022) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1 #define RUBY_VERSION "2.2.10" #define RUBY_RELEASE_DATE "2018-03-28" -#define RUBY_PATCHLEVEL 488 +#define RUBY_PATCHLEVEL 489 #define RUBY_RELEASE_YEAR 2018 #define RUBY_RELEASE_MONTH 3 Index: ruby_2_2/lib/webrick/httpresponse.rb =================================================================== --- ruby_2_2/lib/webrick/httpresponse.rb (revision 63021) +++ ruby_2_2/lib/webrick/httpresponse.rb (revision 63022) @@ -20,6 +20,8 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/httpresponse.rb#L20 # WEBrick HTTP Servlet. class HTTPResponse + class InvalidHeader < StandardError + end ## # HTTP Response version @@ -286,14 +288,19 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/httpresponse.rb#L288 data = status_line() @header.each{|key, value| tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase } - data << "#{tmp}: #{value}" << CRLF + data << "#{tmp}: #{check_header(value)}" << CRLF } @cookies.each{|cookie| - data << "Set-Cookie: " << cookie.to_s << CRLF + data << "Set-Cookie: " << check_header(cookie.to_s) << CRLF } data << CRLF _write_data(socket, data) end + rescue InvalidHeader => e + @header.clear + @cookies.clear + set_error e + retry end ## @@ -353,6 +360,22 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/httpresponse.rb#L360 host, port = @config[:ServerName], @config[:Port] end + error_body(backtrace, ex, host, port) + end + + private + + def check_header(header_value) + if header_value =~ /\r\n/ + raise InvalidHeader + else + header_value + end + end + + # :stopdoc: + + def error_body(backtrace, ex, host, port) @body = '' @body << <<-_end_of_html_ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"> Index: ruby_2_2/ChangeLog =================================================================== --- ruby_2_2/ChangeLog (revision 63021) +++ ruby_2_2/ChangeLog (revision 63022) @@ -1,3 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1 +Wed Mar 28 23:48:24 2018 Eric Wong <normalperson@y...> + + webrick: prevent response splitting and header injection + + Original patch by tenderlove (with minor style adjustments). + + * lib/webrick/httpresponse.rb (send_header): call check_header + (check_header): raise on embedded CRLF in header value + * test/webrick/test_httpresponse.rb + (test_prevent_response_splitting_headers): new test + * (test_prevent_response_splitting_cookie_headers): ditto + Wed Mar 28 23:45:36 2018 Eric Wong <normalperson@y...> webrick: use IO.copy_stream for multipart response Index: ruby_2_2 =================================================================== --- ruby_2_2 (revision 63021) +++ ruby_2_2 (revision 63022) Property changes on: ruby_2_2 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /trunk:r62968 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/