Fix to escape logs in order to avoid escape sequence injection bug. Also inserted an old comment into ChangeLog for a change that got missed last year.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_6@26274 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

6 files changed, 49 insertions, 24 deletions

diff --git a/ChangeLog b/ChangeLog
index 62638f9793..1691e7c167 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,16 @@
+Sun Jan 10 8:00:00 2010  Kirk Haines  <khaines@ruby-lang.org>
+
+	* lib/webrick/accesslog.rb : Added escape fixes for logs to fix a log injection attack.
+
+	* lib/webrick/httpstatus.rb : Added escape fixes for logs to fix a log injection attack.
+
+	* lib/webrick/httprequest.rb : Added escape fixes for logs to fix a log injection attack.
+
+	* lib/webrick/httputils.rb : Added escape fixes for logs to fix a log injection attack.
+
 Thu Nov 19 2:44:00 2009 Kirk Haines <khaines@ruby-lang.org>
 
-	* gc.c: backport r24713 which adds a check for freelist exhaustion in gc_sweep; this prevents segfaults from certain tight loops. An example test case: Time.now while true
+	* gc.c: backport r24713 which adds a check for freelist exhaustion in gc_sweep; this prevents segfaults from certain tight loops. An example test case: Time.now while true. r25871
 
 Fri Aug 28 12:54:00 2009 Kirk Haines <khaines@ruby-lang.org>
 
@@ -70,6 +80,12 @@ Thu Jul  9 11:22:00 2009 Kirk Haines <khaines@ruby-lang.org>
 
 	* test/ostruct/test_ostruct.rb: Modified tests to fit the #inspect fix.
 
+Thu Jul 7 12:31:58 2009 Kirk Haines <khaines@ruby-lang.org>
+
+	* gc.c: Fix method scoping bug. r24030
+
+	* eval.c: Fix method scoping bug. r24030
+
 Mon Jun  8 12:46:00 2009  Kirk Haines <khaines@ruby-lang.org>
 
 	* lib/soap/mimemessage.rb: Fixed a typo -- conent -> content
diff --git a/lib/webrick/accesslog.rb b/lib/webrick/accesslog.rb
index f97769545e..75a3a3e694 100644
--- a/lib/webrick/accesslog.rb
+++ b/lib/webrick/accesslog.rb
@@ -53,15 +53,23 @@ module WEBrick
          when ?e, ?i, ?n, ?o
            raise AccessLogError,
              "parameter is required for \"#{spec}\"" unless param
-           params[spec][param] || "-"
+           param = params[spec][param] ? escape(param) : "-"
          when ?t
            params[spec].strftime(param || CLF_TIME_FORMAT)
          when ?%
            "%"
          else
-           params[spec]
+           escape(params[spec].to_s)
          end
       }
     end
+
+    def escape(data)
+      if data.tainted?
+        data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
+      else
+        data
+      end
+    end
   end
 end
diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index 4021259072..5bb470285f 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -242,11 +242,7 @@ module WEBrick
           @raw_header << line
         end
       end
-      begin
-        @header = HTTPUtils::parse_header(@raw_header)
-      rescue => ex
-        raise  HTTPStatus::BadRequest, ex.message
-      end
+      @header = HTTPUtils::parse_header(@raw_header.join)
     end
 
     def parse_uri(str, scheme="http")
diff --git a/lib/webrick/httpresponse.rb b/lib/webrick/httpresponse.rb
index d0f232d1e1..62156b1abd 100644
--- a/lib/webrick/httpresponse.rb
+++ b/lib/webrick/httpresponse.rb
@@ -132,7 +132,7 @@ module WEBrick
         end
       end
 
-      # Determin the message length (RFC2616 -- 4.4 Message Length)
+      # Determine the message length (RFC2616 -- 4.4 Message Length)
       if @status == 304 || @status == 204 || HTTPStatus::info?(@status)
         @header.delete('content-length')
         @body = ""
diff --git a/lib/webrick/httpstatus.rb b/lib/webrick/httpstatus.rb
index 0b22c992b3..032d14b8a3 100644
--- a/lib/webrick/httpstatus.rb
+++ b/lib/webrick/httpstatus.rb
@@ -12,7 +12,17 @@ module WEBrick
 
   module HTTPStatus
 
-    class Status      < StandardError; end
+    class Status      < StandardError
+      def initialize(message=self.class, *rest)
+        super(AccessLog.escape(message), *rest)
+      end
+      class << self
+        attr_reader :code, :reason_phrase
+      end
+      def code() self::class::code end
+      def reason_phrase() self::class::reason_phrase end
+      alias to_i code
+    end
     class Info        < Status; end
     class Success     < Status; end
     class Redirect    < Status; end
@@ -68,6 +78,7 @@ module WEBrick
     CodeToError = {}
 
     StatusMessage.each{|code, message|
+      message.freeze
       var_name = message.gsub(/[ \-]/,'_').upcase
       err_name = message.gsub(/[ \-]/,'')
 
@@ -79,18 +90,12 @@ module WEBrick
       when 500...600; parent = ServerError
       end
 
-      eval %-
-        RC_#{var_name} = #{code}
-        class #{err_name} < #{parent}
-          def self.code() RC_#{var_name} end
-          def self.reason_phrase() StatusMessage[code] end
-          def code() self::class::code end 
-          def reason_phrase() self::class::reason_phrase end
-          alias to_i code
-        end
-      -
-
-      CodeToError[code] = const_get(err_name)
+      const_set("RC_#{var_name}", code)
+      err_class = Class.new(parent)
+      err_class.instance_variable_set(:@code, code)
+      err_class.instance_variable_set(:@reason_phrase, message)
+      const_set(err_name, err_class)
+      CodeToError[code] = err_class
     }
 
     def reason_phrase(code)
diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb
index 976d3e915e..a0cf4c8ff8 100644
--- a/lib/webrick/httputils.rb
+++ b/lib/webrick/httputils.rb
@@ -128,11 +128,11 @@ module WEBrick
         when /^\s+(.*?)\s*\z/om
           value = $1
           unless field
-            raise "bad header '#{line.inspect}'."
+            raise HTTPStatus::BadRequest, "bad header '#{line}'."
           end
           header[field][-1] << " " << value
         else
-          raise "bad header '#{line.inspect}'."
+          raise HTTPStatus::BadRequest, "bad header '#{line}'."
         end
       }
       header.each{|key, values|