authornagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-08-15 20:00:09 +0000
committernagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-08-15 20:00:09 +0000
commit55992aa430506f22cd421dc39929bbd9c0e40289 (patch)
tree9e76627bf04073f767d2bdd923eb8b8ed74f4c78
parent94231bdf7966a47b94ba0df0d1725d661348d6d6 (diff)
merge revision(s) 55581,55582,55880: [Backport #12557]
* lib/net/http/generic_request.rb (write_header): A Request-Line must not contain CR or LF. * lib/net/http/generic_request.rb (write_header): A Request-Line must git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@55912 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog5
-rw-r--r--lib/net/http/generic_request.rb7
-rw-r--r--test/net/http/test_http.rb11
-rw-r--r--version.h2
4 files changed, 23 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 9c6f06bcce..8a37dcd9a1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Aug 16 04:57:28 2016 Shugo Maeda <shugo@ruby-lang.org>
+
+ * lib/net/http/generic_request.rb (write_header): A Request-Line must
+ not contain CR or LF.
+
Tue Aug 16 04:54:12 2016 Shugo Maeda <shugo@ruby-lang.org>
* lib/net/ftp.rb (putline): raise an ArgumentError when
diff --git a/lib/net/http/generic_request.rb b/lib/net/http/generic_request.rb
index 19602da27c..6c5ceafe61 100644
--- a/lib/net/http/generic_request.rb
+++ b/lib/net/http/generic_request.rb
@@ -321,7 +321,12 @@ class Net::HTTPGenericRequest
end
def write_header(sock, ver, path)
- buf = "#{@method} #{path} HTTP/#{ver}\r\n"
+ reqline = "#{@method} #{path} HTTP/#{ver}"
+ if /[\r\n]/ =~ reqline
+ raise ArgumentError, "A Request-Line must not contain CR or LF"
+ end
+ buf = ""
+ buf << reqline << "\r\n"
each_capitalized do |k,v|
buf << "#{k}: #{v}\r\n"
end
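Review bot: The new CR/LF check covers only the Request-Line, while the header lines appended in the `each_capitalized` loop just below it use the same `\r\n` framing and are not checked anywhere in this hunk. If header names or values can carry caller-supplied data and are not validated where they are assigned (not visible here), the same rejection belongs in the loop, for example `raise ArgumentError, "A header field must not contain CR or LF" if /[\r\n]/ =~ "#{k}#{v}"`. A why-comment above the new check would also help the next maintainer: `# CR or LF in method, path or version would end the Request-Line early, so the remainder would be parsed as headers or as a second request`. The body of write_header continues outside the hunk, so whether `buf` is written to `sock` in a single call cannot be confirmed from here.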
diff --git a/test/net/http/test_http.rb b/test/net/http/test_http.rb
index f1d3ede53e..a7eaca4f74 100644
--- a/test/net/http/test_http.rb
+++ b/test/net/http/test_http.rb
@@ -315,6 +315,17 @@ module TestNetHTTP_version_1_1_methods
assert_equal $test_net_http_data, res.body
end
+ def test_get__crlf
+ start {|http|
+ assert_raise(ArgumentError) do
+ http.get("\r")
+ end
+ assert_raise(ArgumentError) do
+ http.get("\n")
+ end
+ }
+ end
+
def test_get2
start {|http|
http.get2('/') {|res|
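Review bot: test_get__crlf only passes a bare `"\r"` or `"\n"` as the entire path, and only through `get`, so it does not pin the case the check exists for: a line break embedded in an otherwise valid path. Consider adding an embedded-sequence case such as `assert_raise(ArgumentError) { http.get("/index\r\nX-Constructed: 1") }` (a constructed sample value). Since write_header is shared by every request class, one more verb would help too, e.g. `assert_raise(ArgumentError) { http.head("/a\nb") }`. It would also be worth asserting that nothing reached the server when the error is raised, if the test harness exposes that.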
diff --git a/version.h b/version.h
index 5023b7ba2c..c27b5d876c 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
#define RUBY_VERSION "2.3.2"
#define RUBY_RELEASE_DATE "2016-08-16"
-#define RUBY_PATCHLEVEL 162
+#define RUBY_PATCHLEVEL 163
#define RUBY_RELEASE_YEAR 2016
#define RUBY_RELEASE_MONTH 8