From 11a60f9bdb486b5173946a7eb11b41e5f75a28cd Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada
Date: Sat, 9 Mar 2019 19:53:51 +0900
Subject: Remove extraneous spaces at the end of status line

Remove extraneous spaces after the status code that is non-compliant with RFC, i.e `HTTP 200 OK `, to unnecessary confusion for WEBrick users, by a risk that WEBrick instances in the wild will have server responses flagged as suspicious or malicious due to a similar bug in [Cobalt Strike misconfiguration].

Reported by Matt Tennis

[Cobalt Strike misconfiguration]: https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
---
test/webrick/test_httpresponse.rb | 7 +++++++
1 file changed, 7 insertions(+)

(limited to 'test/webrick')

diff --git a/test/webrick/test_httpresponse.rb b/test/webrick/test_httpresponse.rb
index 468c60582d..a1d7712be0 100644
--- a/test/webrick/test_httpresponse.rb
+++ b/test/webrick/test_httpresponse.rb
@@ -222,5 +222,12 @@ module WEBrick
 assert_match(/#{@res.reason_phrase}/, body)
 assert_match(/#{message}/, body)
 end
+
+ def test_no_extraneous_space
+ [200, 300, 400, 500].each do |status|
+ @res.status = status
+ assert_match(/\S\r\n/, @res.status_line)
+ end
+ end
 end
 end
-- cgit v1.2.3
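Review bot: The assertion in `test_no_extraneous_space` is unanchored, so `/\S\r\n/` only shows that some non-space character is followed by CRLF somewhere in the string, not that the status line ends that way; `assert_match(/\S\r\n\z/, @res.status_line)` would pin the end of the line. The commit message ties the bug to byte-level fingerprinting of responses, so a short comment such as `# status line must end "<reason>\r\n" with no padding; network signatures key on the trailing space` would record why the exact bytes matter. The four codes tested all have standard reason phrases, so a status without one is not covered; the RFC 7230 grammar keeps the SP before an empty reason-phrase, and since the library-side change is not shown in this diff (limited to `test/webrick`), it is worth confirming what `status_line` returns in that case and adding a case for it.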