WEBrick: prevent response splitting and header injection #32

Merged
merged 1 commit into from
Oct 2, 2019
3 changes: 2 additions & 1 deletion lib/webrick/httpresponse.rb
Expand Up @@ -394,7 +394,8 @@ def set_error(ex, backtrace=false)
private

def check_header(header_value)
if header_value =~ /\r\n/
header_value = header_value.to_s
if /[\r\n]/ =~ header_value
raise InvalidHeader
else
header_value
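Review bot: the new `/[\r\n]/ =~ header_value` check only rejects CR and LF, so other control characters (a NUL, an ESC) still pass through `check_header` unchanged; if the goal is the RFC 7230 field-value grammar rather than only blocking splitting, reject every control character except HTAB, for example `/[\x00-\x08\x0a-\x1f\x7f]/`, and either way add a one-line comment above the regex saying that a lone CR or a lone LF is rejected because lenient clients and proxies treat either one as a line terminator. Also note that the added `header_value = header_value.to_s` changes the result for `nil`: before this change `nil =~ /\r\n/` returned nil and the method returned nil, now it returns `""`, so any caller that relied on nil meaning "unset" should be checked.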
46 changes: 44 additions & 2 deletions test/webrick/test_httpresponse.rb
Expand Up @@ -29,7 +29,7 @@ def setup
@res.keep_alive = true
end

def test_prevent_response_splitting_headers
def test_prevent_response_splitting_headers_crlf
res['X-header'] = "malicious\r\nCookie: hack"
io = StringIO.new
res.send_response io
Expand All @@ -39,7 +39,7 @@ def test_prevent_response_splitting_headers
refute_match 'hack', io.string
end

def test_prevent_response_splitting_cookie_headers
def test_prevent_response_splitting_cookie_headers_crlf
user_input = "malicious\r\nCookie: hack"
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
Expand All @@ -50,6 +50,48 @@ def test_prevent_response_splitting_cookie_headers
refute_match 'hack', io.string
end

def test_prevent_response_splitting_headers_cr
res['X-header'] = "malicious\rCookie: hack"
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
end

def test_prevent_response_splitting_cookie_headers_cr
user_input = "malicious\rCookie: hack"
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
end

def test_prevent_response_splitting_headers_lf
res['X-header'] = "malicious\nCookie: hack"
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
end

def test_prevent_response_splitting_cookie_headers_lf
user_input = "malicious\nCookie: hack"
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
end

def test_set_redirect_response_splitting
url = "malicious\r\nCookie: hack"
assert_raises(URI::InvalidURIError) do
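Review bot: the six new tests from `test_prevent_response_splitting_headers_cr` to `test_prevent_response_splitting_cookie_headers_lf` are the two existing bodies copied with only the separator changed, and each of them reassigns the `res` helper to a local in `res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))` after calling `res` as a method two lines earlier; Ruby parses that correctly (the identifier only becomes a local from the assignment onward) but it is easy to misread. Suggest one private helper that takes the separator and is invoked for `"\r\n"`, `"\r"` and `"\n"` (or a loop over those three values inside each of the two original tests), and a distinct local name such as `http_res` for the parsed response so the helper and the local are not confused.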