From dcd07242f0e7682072415b1adfe04f3ab12e0da5 Mon Sep 17 00:00:00 2001 From: nagachika Date: Wed, 28 Mar 2018 11:49:00 +0000 Subject: merge revision(s) 62968: webrick: prevent response splitting and header injection Original patch by tenderlove (with minor style adjustments). * lib/webrick/httpresponse.rb (send_header): call check_header (check_header): raise on embedded CRLF in header value * test/webrick/test_httpresponse.rb (test_prevent_response_splitting_headers): new test * (test_prevent_response_splitting_cookie_headers): ditto git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@63002 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- lib/webrick/httpresponse.rb | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/webrick/httpresponse.rb b/lib/webrick/httpresponse.rb index ae71e20ed1..2551ead8ed 100644 --- a/lib/webrick/httpresponse.rb +++ b/lib/webrick/httpresponse.rb @@ -21,6 +21,8 @@ module WEBrick # WEBrick HTTP Servlet. class HTTPResponse + class InvalidHeader < StandardError + end ## # HTTP Response version @@ -287,14 +289,19 @@ module WEBrick data = status_line() @header.each{|key, value| tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase } - data << "#{tmp}: #{value}" << CRLF + data << "#{tmp}: #{check_header(value)}" << CRLF } @cookies.each{|cookie| - data << "Set-Cookie: " << cookie.to_s << CRLF + data << "Set-Cookie: " << check_header(cookie.to_s) << CRLF } data << CRLF socket.write(data) end + rescue InvalidHeader => e + @header.clear + @cookies.clear + set_error e + retry end ## @@ -357,6 +364,14 @@ module WEBrick private + def check_header(header_value) + if header_value =~ /\r\n/ + raise InvalidHeader + else + header_value + end + end + # :stopdoc: def error_body(backtrace, ex, host, port) -- cgit v1.2.3