From 3f591af1e74ec511e38bd40afc9ebbceacdc9fef Mon Sep 17 00:00:00 2001

From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>

Date: Wed, 28 Mar 2018 14:50:27 +0000

Subject: [PATCH] webrick: prevent response splitting and header injection

Original patch by tenderlove (with minor style adjustments).

* lib/webrick/httpresponse.rb (send_header): call check_header

  (check_header): raise on embedded CRLF in header value

* test/webrick/test_httpresponse.rb

  (test_prevent_response_splitting_headers): new test

* (test_prevent_response_splitting_cookie_headers): ditto

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@63022 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

---

 lib/webrick/httpresponse.rb       | 27 +++++++++++++++++++++++++--

 test/webrick/test_httpresponse.rb | 23 +++++++++++++++++++++++

 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/lib/webrick/httpresponse.rb b/lib/webrick/httpresponse.rb

index 8e3eb39a31..11cc78d845 100644

--- a/lib/webrick/httpresponse.rb

+++ b/lib/webrick/httpresponse.rb

@@ -20,6 +20,8 @@ module WEBrick

   # WEBrick HTTP Servlet.

   class HTTPResponse

+    class InvalidHeader < StandardError

+    end

     ##

     # HTTP Response version

@@ -285,14 +287,19 @@ module WEBrick

         data = status_line()

         @header.each{|key, value|

           tmp = key.gsub(/\bwww|^te$|\b\w/){ $&.upcase }

-          data << "#{tmp}: #{value}" << CRLF

+          data << "#{tmp}: #{check_header(value)}" << CRLF

         }

         @cookies.each{|cookie|

-          data << "Set-Cookie: " << cookie.to_s << CRLF

+          data << "Set-Cookie: " << check_header(cookie.to_s) << CRLF

         }

         data << CRLF

         _write_data(socket, data)

       end

+    rescue InvalidHeader => e

+      @header.clear

+      @cookies.clear

+      set_error e

+      retry

     end

     ##

@@ -349,6 +356,22 @@ module WEBrick

         host, port = @config[:ServerName], @config[:Port]

       end

+      error_body(backtrace, ex, host, port)

+    end

+

+    private

+

+    def check_header(header_value)

+      if header_value =~ /\r\n/

+        raise InvalidHeader

+      else

+        header_value

+      end

+    end

+

+    # :stopdoc:

+

+    def error_body(backtrace, ex, host, port)

       @body = ''

       @body << <<-_end_of_html_

diff --git a/test/webrick/test_httpresponse.rb b/test/webrick/test_httpresponse.rb

index d5d5552796..bdf38e6b5c 100644

--- a/test/webrick/test_httpresponse.rb

+++ b/test/webrick/test_httpresponse.rb

@@ -1,5 +1,7 @@

 require "webrick"

 require "minitest/autorun"

+require "stringio"

+require "net/http"

 module WEBrick

   class TestHTTPResponse < MiniTest::Unit::TestCase

@@ -26,6 +28,27 @@ module WEBrick

       @res.keep_alive  = true

     end

+    def test_prevent_response_splitting_headers

+      res['X-header'] = "malicious\r\nCookie: hack"

+      io = StringIO.new

+      res.send_response io

+      io.rewind

+      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))

+      assert_equal '500', res.code

+      refute_match 'hack', io.string

+    end

+

+    def test_prevent_response_splitting_cookie_headers

+      user_input = "malicious\r\nCookie: hack"

+      res.cookies << WEBrick::Cookie.new('author', user_input)

+      io = StringIO.new

+      res.send_response io

+      io.rewind

+      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))

+      assert_equal '500', res.code

+      refute_match 'hack', io.string

+    end

+

     def test_304_does_not_log_warning

       res.status      = 304

       res.setup_header

-- 

2.17.1