diff options
author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 11:49:00 +0000 |
---|---|---|
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-03-28 11:49:00 +0000 |
commit | dcd07242f0e7682072415b1adfe04f3ab12e0da5 (patch) | |
tree | eccb9a42eed10b557bb1ae4c7a4d9138dd54f222 /test | |
parent | 70ad5986df7972d8f7cc5240990f2c348ae30842 (diff) |
merge revision(s) 62968:
webrick: prevent response splitting and header injection
Original patch by tenderlove (with minor style adjustments).
* lib/webrick/httpresponse.rb (send_header): call check_header
(check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb
(test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@63002 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
-rw-r--r-- | test/webrick/test_httpresponse.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/test/webrick/test_httpresponse.rb b/test/webrick/test_httpresponse.rb index d97a65b5db..3a98a53b71 100644 --- a/test/webrick/test_httpresponse.rb +++ b/test/webrick/test_httpresponse.rb @@ -2,6 +2,7 @@ require "webrick" require "minitest/autorun" require "stringio" +require "net/http" module WEBrick class TestHTTPResponse < MiniTest::Unit::TestCase @@ -28,6 +29,27 @@ module WEBrick @res.keep_alive = true end + def test_prevent_response_splitting_headers + res['X-header'] = "malicious\r\nCookie: hack" + io = StringIO.new + res.send_response io + io.rewind + res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) + assert_equal '500', res.code + refute_match 'hack', io.string + end + + def test_prevent_response_splitting_cookie_headers + user_input = "malicious\r\nCookie: hack" + res.cookies << WEBrick::Cookie.new('author', user_input) + io = StringIO.new + res.send_response io + io.rewind + res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) + assert_equal '500', res.code + refute_match 'hack', io.string + end + def test_304_does_not_log_warning res.status = 304 res.setup_header |