| Age | Commit message (Collapse) | Author |
|---|
|
This is a follow up to d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16.
The commit prevented CRLR, but did not address an isolated CR or an
isolated LF.
Co-Authored-By: NARUSE, Yui <naruse@airemix.jp>
|
|
Remove extraneous spaces after the status code that is
non-compliant with RFC, i.e `HTTP 200 OK `, to unnecessary
confusion for WEBrick users, by a risk that WEBrick instances in
the wild will have server responses flagged as suspicious or
malicious due to a similar bug in [Cobalt Strike
misconfiguration].
Reported by Matt Tennis <mtennis@paloaltonetworks.com>
[Cobalt Strike misconfiguration]: https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
|
|
|
|
Prevents response splitting and HTML injection attacks in
poorly-written applications which blindly pass along user input
in redirects.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63964 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Original patch by tenderlove (with minor style adjustments).
* lib/webrick/httpresponse.rb (send_header): call check_header
(check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb
(test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62968 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/httpresponse.rb (send_body): call send_body_proc
(send_body_proc): new method
(class ChunkedWrapper): new class
* test/webrick/test_httpresponse.rb (test_send_body_proc): new test
(test_send_body_proc_chunked): ditto
[Feature #855]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60584 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
override the body more easily. [fix GH-1307]
* test/webrick/test_httpresponse.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54346 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
When you change this to true, you may need to add more tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53141 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48318 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46260 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
expectations assumes that the IOs are binmode. fixed test failures
introduced at r42427 on Windows.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
that responds to #readpartial and #read.
[ruby-trunk - Feature #8155]
* NEWS: NEWS for above
* test/webrick/test_httpresponse.rb: Tests for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42427 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
are allowed to have Keep-Alive connections.
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34024 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
are allowed to have a Keep-Alive connection. [ruby-core:41581]
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34023 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
