merge revision(s) 62968:

	webrick: prevent response splitting and header injection

	Original patch by tenderlove (with minor style adjustments).

	* lib/webrick/httpresponse.rb (send_header): call check_header
	  (check_header): raise on embedded CRLF in header value
	* test/webrick/test_httpresponse.rb
	  (test_prevent_response_splitting_headers): new test
	* (test_prevent_response_splitting_cookie_headers): ditto

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@63002 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 22 insertions, 0 deletions

diff --git a/test/webrick/test_httpresponse.rb b/test/webrick/test_httpresponse.rb
index d97a65b5db..3a98a53b71 100644
--- a/test/webrick/test_httpresponse.rb
+++ b/test/webrick/test_httpresponse.rb
@@ -2,6 +2,7 @@
 require "webrick"
 require "minitest/autorun"
 require "stringio"
+require "net/http"
 
 module WEBrick
   class TestHTTPResponse < MiniTest::Unit::TestCase
@@ -28,6 +29,27 @@ module WEBrick
       @res.keep_alive  = true
     end
 
+    def test_prevent_response_splitting_headers
+      res['X-header'] = "malicious\r\nCookie: hack"
+      io = StringIO.new
+      res.send_response io
+      io.rewind
+      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+      assert_equal '500', res.code
+      refute_match 'hack', io.string
+    end
+
+    def test_prevent_response_splitting_cookie_headers
+      user_input = "malicious\r\nCookie: hack"
+      res.cookies << WEBrick::Cookie.new('author', user_input)
+      io = StringIO.new
+      res.send_response io
+      io.rewind
+      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+      assert_equal '500', res.code
+      refute_match 'hack', io.string
+    end
+
     def test_304_does_not_log_warning
       res.status      = 304
       res.setup_header