Diffstat (limited to 'spec/ruby/security/cve_2017_17742_spec.rb')
-rw-r--r-- | spec/ruby/security/cve_2017_17742_spec.rb | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/spec/ruby/security/cve_2017_17742_spec.rb b/spec/ruby/security/cve_2017_17742_spec.rb
deleted file mode 100644
index b0d93e42b8..0000000000
--- a/spec/ruby/security/cve_2017_17742_spec.rb
+++ /dev/null
@@ -1,37 +0,0 @@
-require_relative '../spec_helper'
-
-# webrick is no longer in stdlib in Ruby 3+
-ruby_version_is ""..."3.0" do
- require "webrick"
- require "stringio"
- require "net/http"
-
- describe "WEBrick" do
- describe "resists CVE-2017-17742" do
- it "for a response splitting headers" do
- config = WEBrick::Config::HTTP
- res = WEBrick::HTTPResponse.new config
- res['X-header'] = "malicious\r\nCookie: hack"
- io = StringIO.new
- res.send_response io
- io.rewind
- res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
- res.code.should == '500'
- io.string.should_not =~ /hack/
- end
-
- it "for a response splitting cookie headers" do
- user_input = "malicious\r\nCookie: hack"
- config = WEBrick::Config::HTTP
- res = WEBrick::HTTPResponse.new config
- res.cookies << WEBrick::Cookie.new('author', user_input)
- io = StringIO.new
- res.send_response io
- io.rewind
- res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
- res.code.should == '500'
- io.string.should_not =~ /hack/
- end
- end
- end
-end |