
ruby-changes:50815

From: usa <ko1@a...>
Date: Wed, 28 Mar 2018 23:50:32 +0900 (JST)
Subject: [ruby-changes:50815] usa:r63022 (ruby_2_2): merge revision(s) 62968:

usa	2018-03-28 23:50:27 +0900 (Wed, 28 Mar 2018)

  New Revision: 63022

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=63022

  Log:
    merge revision(s) 62968:
    
    webrick: prevent response splitting and header injection
    
    Original patch by tenderlove (with minor style adjustments).
    
    * lib/webrick/httpresponse.rb (send_header): call check_header
      (check_header): raise on embedded CRLF in header value
    * test/webrick/test_httpresponse.rb
      (test_prevent_response_splitting_headers): new test
    * (test_prevent_response_splitting_cookie_headers): ditto

  Modified directories:
    branches/ruby_2_2/
  Modified files:
    branches/ruby_2_2/ChangeLog
    branches/ruby_2_2/lib/webrick/httpresponse.rb
    branches/ruby_2_2/test/webrick/test_httpresponse.rb
    branches/ruby_2_2/version.h
Index: ruby_2_2/test/webrick/test_httpresponse.rb
===================================================================
--- ruby_2_2/test/webrick/test_httpresponse.rb	(revision 63021)
+++ ruby_2_2/test/webrick/test_httpresponse.rb	(revision 63022)
@@ -1,6 +1,7 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/webrick/test_httpresponse.rb#L1
 require "webrick"
 require "minitest/autorun"
 require "stringio"
+require "net/http"
 
 module WEBrick
   class TestHTTPResponse < MiniTest::Unit::TestCase
@@ -27,6 +28,27 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/webrick/test_httpresponse.rb#L28
       @res.keep_alive  = true
     end
 
+    def test_prevent_response_splitting_headers
+      res['X-header'] = "malicious\r\nCookie: hack"
+      io = StringIO.new
+      res.send_response io
+      io.rewind
+      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+      assert_equal '500', res.code
+      refute_match 'hack', io.string
+    end
+
+    def test_prevent_response_splitting_cookie_headers
+      user_input = "malicious\r\nCookie: hack"
+      res.cookies << WEBrick::Cookie.new('author', user_input)
+      io = StringIO.new
+      res.send_response io
+      io.rewind
+      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+      assert_equal '500', res.code
+      refute_match 'hack', io.string
+    end
+
     def test_304_does_not_log_warning
       res.status      = 304
       res.setup_header
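Review bot: the assignment `res = Net::HTTPResponse.read_new(...)` in both new tests shadows the `res` helper that the earlier lines of the same test call (`res['X-header'] = ...`, `res.send_response io`); those first uses resolve to the method only because the assignment comes later in the body, which is fragile under later edits. Rename the parsed response instead, e.g. `parsed = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))` followed by `assert_equal '500', parsed.code`. Both tests also exercise only the `\r\n` pair; a third case with a lone `\n` in the value would document whether a bare LF is expected to be rejected as well.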
Index: ruby_2_2/version.h
===================================================================
--- ruby_2_2/version.h	(revision 63021)
+++ ruby_2_2/version.h	(revision 63022)
@@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1
 #define RUBY_VERSION "2.2.10"
 #define RUBY_RELEASE_DATE "2018-03-28"
-#define RUBY_PATCHLEVEL 488
+#define RUBY_PATCHLEVEL 489
 
 #define RUBY_RELEASE_YEAR 2018
 #define RUBY_RELEASE_MONTH 3
Index: ruby_2_2/lib/webrick/httpresponse.rb
===================================================================
--- ruby_2_2/lib/webrick/httpresponse.rb	(revision 63021)
+++ ruby_2_2/lib/webrick/httpresponse.rb	(revision 63022)
@@ -20,6 +20,8 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/httpresponse.rb#L20
   # WEBrick HTTP Servlet.
 
   class HTTPResponse
+    class InvalidHeader < StandardError
+    end
 
     ##
     # HTTP Response version
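Review bot: `InvalidHeader` is a new public constant with no rdoc comment, and the `# :stopdoc:` added further down does not cover it, so it will show up undocumented in the generated API docs. A one-line comment above the class saying it is raised when a header value contains a line break would suffice. Deriving from `StandardError` is the right choice here, since both the `rescue InvalidHeader` in `send_header` and any application-level `rescue => e` will catch it.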
@@ -286,14 +288,19 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/httpresponse.rb#L288
         data = status_line()
         @header.each{|key, value|
           tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase }
-          data << "#{tmp}: #{value}" << CRLF
+          data << "#{tmp}: #{check_header(value)}" << CRLF
         }
         @cookies.each{|cookie|
-          data << "Set-Cookie: " << cookie.to_s << CRLF
+          data << "Set-Cookie: " << check_header(cookie.to_s) << CRLF
         }
         data << CRLF
         _write_data(socket, data)
       end
+    rescue InvalidHeader => e
+      @header.clear
+      @cookies.clear
+      set_error e
+      retry
     end
 
     ##
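Review bot: the `retry` in the new `rescue InvalidHeader => e` clause is unbounded; it terminates only because `@header.clear` and `@cookies.clear` remove the offending value and `set_error` installs headers that contain no CRLF. If `set_error` is ever changed to copy something caller-controlled into a header, `send_header` would loop forever. A one-shot guard (set a flag before `retry` and re-raise if it is already set) or at least a comment stating that invariant would make the intent clear. Note also that the clear drops every header set before `send_header` ran, not just the bad one, so the 500 goes out with only what `set_error` puts back; that is acceptable for an error response but deserves a line in the commit message.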
@@ -353,6 +360,22 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/ruby_2_2/lib/webrick/httpresponse.rb#L360
         host, port = @config[:ServerName], @config[:Port]
       end
 
+      error_body(backtrace, ex, host, port)
+    end
+
+    private
+
+    def check_header(header_value)
+      if header_value =~ /\r\n/
+        raise InvalidHeader
+      else
+        header_value
+      end
+    end
+
+    # :stopdoc:
+
+    def error_body(backtrace, ex, host, port)
       @body = ''
       @body << <<-_end_of_html_
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
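Review bot: `check_header` rejects only the exact `\r\n` pair, so a value containing a lone `\n` (or `\r`) still reaches the wire unchanged, and clients and intermediaries that accept a bare LF as a line terminator would still see an injected header line. Tightening the pattern to `/[\r\n]/` closes that gap at no cost. The `=~` is also applied to the raw value; a non-String value (an Integer content-length, for instance) returns nil from `Object#=~` and passes, which is harmless today, but `header_value.to_s =~ /[\r\n]/` would make the check apply to exactly the text that is interpolated into `data` in `send_header`.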
Index: ruby_2_2/ChangeLog
===================================================================
--- ruby_2_2/ChangeLog	(revision 63021)
+++ ruby_2_2/ChangeLog	(revision 63022)
@@ -1,3 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1
+Wed Mar 28 23:48:24 2018  Eric Wong  <normalperson@y...>
+
+	webrick: prevent response splitting and header injection
+
+	Original patch by tenderlove (with minor style adjustments).
+
+	* lib/webrick/httpresponse.rb (send_header): call check_header
+	  (check_header): raise on embedded CRLF in header value
+	* test/webrick/test_httpresponse.rb
+	  (test_prevent_response_splitting_headers): new test
+	* (test_prevent_response_splitting_cookie_headers): ditto
+
 Wed Mar 28 23:45:36 2018  Eric Wong  <normalperson@y...>
 
 	webrick: use IO.copy_stream for multipart response
Index: ruby_2_2
===================================================================
--- ruby_2_2	(revision 63021)
+++ ruby_2_2	(revision 63022)

Property changes on: ruby_2_2
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /trunk:r62968

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
