summaryrefslogtreecommitdiff
path: root/spec/ruby/security/cve_2017_17742_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/ruby/security/cve_2017_17742_spec.rb')
-rw-r--r--spec/ruby/security/cve_2017_17742_spec.rb54
1 files changed, 24 insertions, 30 deletions
diff --git a/spec/ruby/security/cve_2017_17742_spec.rb b/spec/ruby/security/cve_2017_17742_spec.rb
index f1205412c6..72776cb497 100644
--- a/spec/ruby/security/cve_2017_17742_spec.rb
+++ b/spec/ruby/security/cve_2017_17742_spec.rb
@@ -4,37 +4,31 @@ require "webrick"
require "stringio"
require "net/http"
-guard -> {
- ruby_version_is "2.3.7"..."2.4" or
- ruby_version_is "2.4.4"..."2.5" or
- ruby_version_is "2.5.1"
-} do
- describe "WEBrick" do
- describe "resists CVE-2017-17742" do
- it "for a response splitting headers" do
- config = WEBrick::Config::HTTP
- res = WEBrick::HTTPResponse.new config
- res['X-header'] = "malicious\r\nCookie: hack"
- io = StringIO.new
- res.send_response io
- io.rewind
- res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
- res.code.should == '500'
- io.string.should_not =~ /hack/
- end
+describe "WEBrick" do
+ describe "resists CVE-2017-17742" do
+ it "for a response splitting headers" do
+ config = WEBrick::Config::HTTP
+ res = WEBrick::HTTPResponse.new config
+ res['X-header'] = "malicious\r\nCookie: hack"
+ io = StringIO.new
+ res.send_response io
+ io.rewind
+ res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+ res.code.should == '500'
+ io.string.should_not =~ /hack/
+ end
- it "for a response splitting cookie headers" do
- user_input = "malicious\r\nCookie: hack"
- config = WEBrick::Config::HTTP
- res = WEBrick::HTTPResponse.new config
- res.cookies << WEBrick::Cookie.new('author', user_input)
- io = StringIO.new
- res.send_response io
- io.rewind
- res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
- res.code.should == '500'
- io.string.should_not =~ /hack/
- end
+ it "for a response splitting cookie headers" do
+ user_input = "malicious\r\nCookie: hack"
+ config = WEBrick::Config::HTTP
+ res = WEBrick::HTTPResponse.new config
+ res.cookies << WEBrick::Cookie.new('author', user_input)
+ io = StringIO.new
+ res.send_response io
+ io.rewind
+ res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+ res.code.should == '500'
+ io.string.should_not =~ /hack/
end
end
end