| Age | Commit message (Collapse) | Author |
|---|
|
WEBrick: prevent response splitting and header injection
This is a follow up to d9d4a28.
The commit prevented CRLR, but did not address an isolated CR or an
isolated LF.
Co-Authored-By: NARUSE, Yui <naruse@airemix.jp>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67813 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Loop with String#scan without creating substrings
Create the substrings necessary parts only, instead of cutting the
rest of the buffer. Also removed a useless, probable typo, regexp.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67811 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
It breaks test-all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@63025 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
win32/file.c: relative path with drive letter
* win32/file.c (IS_ABSOLUTE_PATH_P): home directory should not be
a relative path regardless a drive letter. PathIsRelativeW
returns FALSE on such path. [ruby-core:86356] [Bug #14638]
------------------------------------------------------------------------
r62953 | normal | 2018-03-28 17:05:46 +0900 (Wed, 28 Mar 2018) | 15 lines
webrick: favor .write over << method
This will make the next change to use IO.copy_stream
easier-to-read. When we can drop Ruby 2.4 support in a few
years, this will allow us to use writev(2) with multiple
arguments for headers and chunked responses.
* lib/webrick/cgi.rb (write): new wrapper method
lib/webrick/httpresponse.rb: (send_header): use socket.write
(send_body_io): ditto
(send_body_string): ditto
(send_body_proc): ditto
(_write_data): ditto
(ChunkedWrapper#write): ditto
(_send_file): ditto
------------------------------------------------------------------------
r62954 | normal | 2018-03-28 17:05:52 +0900 (Wed, 28 Mar 2018) | 14 lines
webrick/httpresponse: IO.copy_stream for regular files
Remove the redundant _send_file method since its functionality
is unnecessary with IO.copy_stream. IO.copy_stream also allows
the use of sendfile under some OSes to speed up copies to
non-TLS sockets.
Testing with "curl >/dev/null" and "ruby -run -e httpd" to
read a 1G file over Linux loopback reveals a reduction from
around ~0.770 to ~0.490 seconds on the client side.
* lib/webrick/httpresponse.rb (send_body_io): use IO.copy_stream
(_send_file): remove
[Feature #14237]
------------------------------------------------------------------------
r62955 | normal | 2018-03-28 17:05:57 +0900 (Wed, 28 Mar 2018) | 10 lines
webrick: use IO.copy_stream for single range response
This is also compatible with range responses generated
by Rack::File (tested with rack 2.0.3).
* lib/webrick/httpresponse.rb (send_body_io): use Content-Range
* lib/webrick/httpservlet/filehandler.rb (make_partial_content):
use File object for the single range case
* test/webrick/test_filehandler.rb (get_res_body): use send_body
to test result
------------------------------------------------------------------------
r62956 | normal | 2018-03-28 17:06:02 +0900 (Wed, 28 Mar 2018) | 7 lines
test/webrick/test_filehandler.rb: stricter multipart range test
We need to ensure we generate compatibile output in
the face of future changes
* test/webrick/test_filehandler.rb (test_make_partial_content):
check response body
------------------------------------------------------------------------
r62957 | normal | 2018-03-28 17:06:08 +0900 (Wed, 28 Mar 2018) | 8 lines
webrick: quiet warning for multi-part ranges
Content-Length is ignored by WEBrick::HTTPResponse even if we
calculate it, so instead we chunk responses to HTTP/1.1 clients
and terminate HTTP/1.0 connections.
* lib/webrick/httpservlet/filehandler.rb (make_partial_content):
quiet warning
------------------------------------------------------------------------
r62958 | normal | 2018-03-28 17:06:13 +0900 (Wed, 28 Mar 2018) | 7 lines
webrick/httpresponse: make ChunkedWrapper copy_stream-compatible
The .write method needs to return the number of bytes written
to avoid confusing IO.copy_stream.
* lib/webrick/httpresponse.rb (ChunkedWrapper#write): return bytes written
(ChunkedWrapper#<<): return self
------------------------------------------------------------------------
r62959 | normal | 2018-03-28 17:06:18 +0900 (Wed, 28 Mar 2018) | 9 lines
webrick: use IO.copy_stream for multipart response
Use the new Proc response body feature to generate a multipart
range response dynamically. We use a flat array to minimize
object overhead as much as possible; as many ranges may fit
into an HTTP request header.
* lib/webrick/httpservlet/filehandler.rb (multipart_body): new method
(make_partial_content): use multipart_body
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@63006 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Original patch by tenderlove (with minor style adjustments).
* lib/webrick/httpresponse.rb (send_header): call check_header
(check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb
(test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62986 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Reading entire request or response bodies into memory can lead
to trivial denial-of-service attacks. Introduce Fibers in both
cases to allow streaming.
WEBrick::HTTPRequest gains a new body_reader method to prepare
itself as a source for IO.copy_stream. This allows the
WEBrick::HTTPRequest object to be used as the
Net::HTTPGenericRequest#body_stream= arg for Net::HTTP.
For HTTP proxy response bodies, we also use a Fiber to
to make the HTTP request and read the response body.
* lib/webrick/httprequest.rb (body_reader): new method
(readpartial): ditto
* lib/webrick/httpproxy.rb (perform_proxy_request): use Fiber
to stream response body
(do_GET, do_HEAD): adjust call
(do_POST): adjust call and supply body_reader
* test/webrick/test_httprequest.rb (test_chunked): test
for IO.copy_stream compatibility
* test/webrick/test_httpproxy.rb (test_big_bodies): new test
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62985 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
No changes to the actual code, this is a new test for
a feature for which no tests existed. I don't understand
the Digest authentication code well at all, but this is
necessary for the subsequent change.
* test/webrick/test_httpauth.rb (test_digest_auth_int): new test
(credentials_for_request): support bodies with POST
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62983 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
While WEBrick::HTTPRequest#body provides a Proc interface
for streaming large request bodies, clients must not force
the server to use an excessively large chunk size.
* lib/webrick/httprequest.rb (read_chunk_size): limit each
read and block.call to :InputBufferSize in config.
* test/webrick/test_httpserver.rb (test_big_chunks): new test
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62982 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
"BadRequest" alone does not resolve correctly, it is in the
HTTPStatus namespace.
* lib/webrick/httprequest.rb (read_chunked): use correct exception
* test/webrick/test_httpserver.rb (test_eof_in_chunk): new test
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62981 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
We use the same 112 KB limit started (AFAIK) by Mongrel, Thin,
and Puma to prevent malicious users from using up all the memory
with a single request. This also limits the damage done by
excessive ranges in multipart Range: requests.
Due to the way we rely on IO#gets and the desire to keep
the code simple, the actual maximum header may be 4093 bytes
larger than 112 KB, but we're splitting hairs at that point.
* lib/webrick/httprequest.rb: define MAX_HEADER_LENGTH
(read_header): raise when headers exceed max length
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@62979 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
This previously had no coverage.
* test/webrick/test_filehandler.rb (test_erbhandler): new test
* test/webrick/webrick.rhtml: new file for test
[Misc #14216]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61399 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Using ^ and $ in regexps means we can accidentally get fooled
by "%0a" in HTTP request paths being decoded to newline
characters. Use \A and \z to match beginning and end-of-string
respectively, instead.
Thanks to mame and hsbt for reporting.
* lib/webrick/httpserver.rb (MountTable#compile):
use \A and \z instead of ^ and $
* lib/webrick/httpserver.rb (MountTable#normalize): use \z instead of $
* test/webrick/test_httpserver.rb (test_cntrl_in_path): new test
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61197 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/httpresponse.rb (send_body): call send_body_proc
(send_body_proc): new method
(class ChunkedWrapper): new class
* test/webrick/test_httpresponse.rb (test_send_body_proc): new test
(test_send_body_proc_chunked): ditto
[Feature #855]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60584 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients
which negotiate the TCP connection, but fail (or are slow) to
negotiate the subsequent TLS handshake. This prevents the
multi-threaded WEBrick server from accepting other connections.
Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept)
consists of normal read/write traffic over TCP, handle it in the
per-client thread, instead.
Furthermore, using non-blocking accept() is useful for non-TLS
sockets anyways because spurious wakeups are possible from
select(2).
* lib/webrick/server.rb (accept_client): use TCPServer#accept_nonblock
and remove OpenSSL::SSL::SSLSocket#accept call
* lib/webrick/server.rb (start_thread): call OpenSSL::SSL::SSLSocket#accept
* test/webrick/test_ssl_server.rb (test_slow_connect): new test
[ruby-core:83221] [Bug #14005]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60172 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
It had failed to sanitize some type of exception messages. Reported and
patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59897 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59862 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/https.rb: check ssl context of virtual host.
* lib/webrick/ssl.rb: ensure to return ssl context.
* test/webrick/test_https.rb: test returned cert is correct.
[Feature #13729][ruby-dev:50173]
Author: Tietew <tietew@gmail.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/https.rb: servername_cb implementation.
* lib/webrick/ssl.rb: abstract servername_cb.
* test/webrick/test_https.rb: test.
[ruby-dev:50165] [Feature #13729]
Author: Tietew <tietew@gmail.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59281 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Import gemspec and test file from ruby/webrick.
* webrick.gemspec: Update files and dependency for standalone gem.
* test/webrick/utils.rb: Added explicitly loading of EnvUtil for
test suite without ruby core test suite.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@58473 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
There is no need to call Utils.getservername when the :ServerName option is
specified, so delay Utils.getservername until needed to avoid unnecessary
DNS lookups. [ruby-core:78492] [Bug #13007]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57014 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Follow net/http and open-uri. Don't rely on the constants/methods from
OpenSSL::TestUtils.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56936 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/cookie.rb (parse): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56262 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/webrick/test_ssl_server.rb (assert_self_signed_cert): close
underlying TCP socket to fix FD leak.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55992 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/httpservlet/cgihandler.rb (do_GET): delete HTTP_PROXY
* test/webrick/test_cgi.rb (test_cgi_env): new test
* test/webrick/webrick.cgi (do_GET): new endpoint to dump env
[ruby-core:76511] [Bug #12610]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55731 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/httprequest.rb (setup_forwarded_info): Use the first
value in X-Forwarded-Proto, if header contains multiple comma
separated values. Some middlewares may add these values to the
list, not replacing. [Fix GH-1386]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55484 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/webrick/utils.rb (TestWEBrick#start_server): suppress
progress messages from WEBrick::Utils#create_self_signed_cert.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54958 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/webrick/test_ssl_server.rb (assert_self_signed_cert):
extract common assertion.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54957 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
to invoke ssl server with command line.
[fix GH-1329] Patch by @kerlin
* test/webrick/test_ssl_server.rb: Added test for GH-1329
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54941 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54939 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
override the body more easily. [fix GH-1307]
* test/webrick/test_httpresponse.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54346 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/utils.rb (WEBrick::Utils::TimeoutHandler#watcher):
make watcher thread restartable.
* lib/webrick/utils.rb (WEBrick::Utils::TimeoutHandler#terminate):
new method to terminate watcher thread.
* test/lib/leakchecker.rb (LeakChecker#find_threads): revert
r46941.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53439 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* compile.c, cont.c, doc, man: fix common misspelling.
[ruby-core:72466] [Bug #11870]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53299 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
When you change this to true, you may need to add more tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53141 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
of binary path info test on Windows because the test had passed
occasionally as the comment said.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52905 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
to be too short for mswin CI. fixed occasional failure introduced at r51235.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51338 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/webrick/test_filehandler.rb (test_short_filename): pass
document root path to cmd.exe instead of chdir there, as cmd.exe
does not start on UNC path.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51238 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/webrick/test_utils.rb (assert_expired): separate negated
assertion and block timeout excecptions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51237 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/utils.rb (WEBrick::Utils::TimeoutHandler#register):
notify the handler thread of new timeout registration.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51235 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/webrick/test_utils.rb (TestWEBrickUtils#do_tet_timeout):
split into tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51232 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/webrick/server.rb (WEBrick::GenericServer#start): flush
shutdown pipe.
* lib/webrick/server.rb (WEBrick::GenericServer#stop): request the
server to stop immediately by sending data via shutdown pipe.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51231 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* time: Object#timeout has been deprecated a long time ago, use
Timeout.timeout.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51225 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50727 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
:DoNotReverseLookup config option implementation.
[fix GH-731] Patch by @vais
* test/webrick/test_do_not_reverse_lookup.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49980 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
instead of listen method.
[ruby-core:68476] [Bug #10956] Reported by Shintaro Kojima.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49917 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
on Windows 7), file name and permissions are strange (can access
by short file name and so on).
Simply skip on such tests on such FS. To detect strange FS, this
patch use a part of code `File.executable?(__FILE__)`.
Please correct them if there are better ways.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/webrick/test_utils.rb (test_create_listeners): use
dynamically chosen port number, not hardcoded port number.
[ruby-core:67508]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49211 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[fix GH-356] Patch by @vipulnsward
* lib/webrick/server.rb: ditto.
* lib/webrick/ssl.rb: ditto.
* test/webrick/test_utils.rb: added test for WEBrick::Utils#create_listeners.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49101 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/open-uri/test_ssl.rb, test/webrick/test_httpproxy.rb: also
depends on test/openssl/utils.rb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48825 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/lib/find_executable.rb: Ditto.
* test/lib/memory_status.rb: Ditto.
* test/lib/test/unit.rb: require envutil.
* test/: Don't require envutil in test files.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48362 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
