summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog7
-rw-r--r--lib/webrick/httpstatus.rb4
-rw-r--r--lib/webrick/log.rb4
-rw-r--r--test/webrick/test_httpauth.rb36
-rw-r--r--version.h2
5 files changed, 46 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 67e70e4..21443c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Thu Sep 14 20:25:55 2017 Yusuke Endoh <mame@ruby-lang.org>
+
+ lib/webrick/log.rb: sanitize any type of logs
+
+ It had failed to sanitize some type of exception messages. Reported and
+ patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363
+
Thu Sep 14 13:32:39 2017 Nobuyoshi Nakada <nobu@ruby-lang.org>
parse.y: empty hash in defined
diff --git a/lib/webrick/httpstatus.rb b/lib/webrick/httpstatus.rb
index 8664da2..ff9f182 100644
--- a/lib/webrick/httpstatus.rb
+++ b/lib/webrick/httpstatus.rb
@@ -23,10 +23,6 @@ module WEBrick
##
# Root of the HTTP status class hierarchy
class Status < StandardError
- def initialize(*args) # :nodoc:
- args[0] = AccessLog.escape(args[0]) unless args.empty?
- super(*args)
- end
class << self
attr_reader :code, :reason_phrase # :nodoc:
end
diff --git a/lib/webrick/log.rb b/lib/webrick/log.rb
index 7542d8f..41e907c 100644
--- a/lib/webrick/log.rb
+++ b/lib/webrick/log.rb
@@ -118,10 +118,10 @@ module WEBrick
# * Otherwise it will return +arg+.inspect.
def format(arg)
if arg.is_a?(Exception)
- "#{arg.class}: #{arg.message}\n\t" <<
+ "#{arg.class}: #{AccessLog.escape(arg.message)}\n\t" <<
arg.backtrace.join("\n\t") << "\n"
elsif arg.respond_to?(:to_str)
- arg.to_str
+ AccessLog.escape(arg.to_str)
else
arg.inspect
end
diff --git a/test/webrick/test_httpauth.rb b/test/webrick/test_httpauth.rb
index 4376b91..5560740 100644
--- a/test/webrick/test_httpauth.rb
+++ b/test/webrick/test_httpauth.rb
@@ -98,6 +98,42 @@ class TestWEBrickHTTPAuth < Test::Unit::TestCase
}
end
+ def test_bad_username_with_control_characters
+ log_tester = lambda {|log, access_log|
+ assert_equal(2, log.length)
+ assert_match(/ERROR Basic WEBrick's realm: foo\\ebar: the user is not allowed./, log[0])
+ assert_match(/ERROR WEBrick::HTTPStatus::Unauthorized/, log[1])
+ }
+ TestWEBrick.start_httpserver({}, log_tester) {|server, addr, port, log|
+ realm = "WEBrick's realm"
+ path = "/basic_auth"
+
+ Tempfile.create("test_webrick_auth") {|tmpfile|
+ tmpfile.close
+ tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+ tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
+ tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
+ tmp_pass.flush
+
+ htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+ users = []
+ htpasswd.each{|user, pass| users << user }
+ server.mount_proc(path){|req, res|
+ auth = WEBrick::HTTPAuth::BasicAuth.new(
+ :Realm => realm, :UserDB => htpasswd,
+ :Logger => server.logger
+ )
+ auth.authenticate(req, res)
+ res.body = "hoge"
+ }
+ http = Net::HTTP.new(addr, port)
+ g = Net::HTTP::Get.new(path)
+ g.basic_auth("foo\ebar", "passwd")
+ http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
+ }
+ }
+ end
+
DIGESTRES_ = /
([a-zA-Z\-]+)
[ \t]*(?:\r\n[ \t]*)*
diff --git a/version.h b/version.h
index 24cc9fe..02910fe 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
#define RUBY_VERSION "2.3.5"
#define RUBY_RELEASE_DATE "2017-09-14"
-#define RUBY_PATCHLEVEL 375
+#define RUBY_PATCHLEVEL 376
#define RUBY_RELEASE_YEAR 2017
#define RUBY_RELEASE_MONTH 9