
Commit 8eff476

committed
merge revision(s) 3ce238b
WEBrick: prevent response splitting and header injection This is a follow-up to d9d4a28. The commit prevented CRLF, but did not address an isolated CR or an isolated LF. Co-Authored-By: NARUSE, Yui <naruse@airemix.jp> git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@67819 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
1 parent 38d2d0d commit 8eff476


3 files changed

+47
-4
lines changed


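--- a/lib/webrick/httpresponse.rb
+++ b/lib/webrick/httpresponse.rb
@@ -367,7 +367,8 @@ def set_error(ex, backtrace=false)
 private
 
 def check_header(header_value)
-if header_value =~ /\r\n/
+header_value = header_value.to_s
+if /[\r\n]/ =~ header_value
 raise InvalidHeader
 else
 header_value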
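Review bot: check_header now returns `header_value.to_s` instead of the object it was given, so a caller that relied on getting back the original value (an Integer content length, say) now receives a String — presumably intended, since matching a Regexp against a non-String previously yielded nil and let the value through unchecked, but the contract deserves a line of documentation. I would add above the def: `# Returns +header_value+ as a String; raises InvalidHeader if it contains a bare CR or LF, since a lenient client may treat either one alone as the end of a header line.` Note also that a String in an ASCII-incompatible encoding would raise Encoding::CompatibilityError from the match rather than InvalidHeader; whether callers already rescue broadly enough for that is not visible here. The body of check_header ends outside the hunk.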

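--- a/test/webrick/test_httpresponse.rb
+++ b/test/webrick/test_httpresponse.rb
@@ -29,7 +29,7 @@ def setup
 @res.keep_alive = true
 end
 
-def test_prevent_response_splitting_headers
+def test_prevent_response_splitting_headers_crlf
 res['X-header'] = "malicious\r\nCookie: hack"
 io = StringIO.new
 res.send_response io
@@ -39,7 +39,7 @@ def test_prevent_response_splitting_headers
 refute_match 'hack', io.string
 end
 
-def test_prevent_response_splitting_cookie_headers
+def test_prevent_response_splitting_cookie_headers_crlf
 user_input = "malicious\r\nCookie: hack"
 res.cookies << WEBrick::Cookie.new('author', user_input)
 io = StringIO.new
@@ -50,6 +50,48 @@ def test_prevent_response_splitting_cookie_headers
 refute_match 'hack', io.string
 end
 
+def test_prevent_response_splitting_headers_cr
+res['X-header'] = "malicious\rCookie: hack"
+io = StringIO.new
+res.send_response io
+io.rewind
+res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+assert_equal '500', res.code
+refute_match 'hack', io.string
+end
+
+def test_prevent_response_splitting_cookie_headers_cr
+user_input = "malicious\rCookie: hack"
+res.cookies << WEBrick::Cookie.new('author', user_input)
+io = StringIO.new
+res.send_response io
+io.rewind
+res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+assert_equal '500', res.code
+refute_match 'hack', io.string
+end
+
+def test_prevent_response_splitting_headers_lf
+res['X-header'] = "malicious\nCookie: hack"
+io = StringIO.new
+res.send_response io
+io.rewind
+res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+assert_equal '500', res.code
+refute_match 'hack', io.string
+end
+
+def test_prevent_response_splitting_cookie_headers_lf
+user_input = "malicious\nCookie: hack"
+res.cookies << WEBrick::Cookie.new('author', user_input)
+io = StringIO.new
+res.send_response io
+io.rewind
+res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+assert_equal '500', res.code
+refute_match 'hack', io.string
+end
+
 def test_304_does_not_log_warning
 res.status = 304
 res.setup_header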
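Review bot: The four new tests in the third hunk reassign `res` on the `Net::HTTPResponse.read_new` line, so within each test `res` is the fixture accessor up to that line and a local holding the parsed response after it; assuming `res` is a method defined in the fixture outside this section, a distinct name such as `parsed = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))` followed by `assert_equal '500', parsed.code` removes the shadowing. Beyond that, the six splitting tests differ only in the separator embedded in the value, so a shared helper driven by the header value would cut the duplication and make the next separator case a one-line addition; the renamed crlf tests appear to have the same shape and could use it too.

```ruby
def assert_header_rejected(value)
  res['X-header'] = value
  io = StringIO.new
  res.send_response io
  io.rewind
  parsed = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
  assert_equal '500', parsed.code
  refute_match 'hack', io.string
end

def test_prevent_response_splitting_headers_cr
  assert_header_rejected "malicious\rCookie: hack"
end

# … unchanged in shape: a matching helper for the cookie variants, lf cases …
```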

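--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.4.8"
 #define RUBY_RELEASE_DATE "2019-10-01"
-#define RUBY_PATCHLEVEL 359
+#define RUBY_PATCHLEVEL 360
 
 #define RUBY_RELEASE_YEAR 2019
 #define RUBY_RELEASE_MONTH 10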
