Reject null bytes in header lines
Fixes ruby#126
jeremyevans committed Dec 1, 2023
1 parent cb6d636 commit dcaeea6
Showing 2 changed files with 14 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/webrick/httprequest.rb
Expand Up @@ -475,6 +475,9 @@ def read_header(socket)
if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH
raise HTTPStatus::RequestEntityTooLarge, 'headers too large'
end
if line.include?("\x00")

ioquatix Dec 2, 2023

Rather than just checking for this one character, shouldn't we only allow the characters as defined by the specification? Or am I misunderstanding the scope of this fix?

jeremyevans Dec 2, 2023

Author Owner

This fixes a specific issue (see ruby#126). Expanding it to only allow characters specified in the RFCs would be fine with me.

raise HTTPStatus::BadRequest, 'null byte in header'
end
@raw_header << line
end
end
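
Review bot: The new guard in read_header rejects only "\x00", so any other control byte in a header line still reaches `@raw_header << line` unchanged. If the intent is to refuse malformed field lines in general, a character-class check at this point would cover that in one place; if the intent is only the null-byte case, a short comment above the `if` naming the issue it guards against would make the narrow scope clear to later readers.
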
11 changes: 11 additions & 0 deletions test/webrick/test_httprequest.rb
Expand Up @@ -312,6 +312,17 @@ def test_bad_chunked
end
end

def test_null_byte_in_header
msg = <<-_end_of_message_
POST /path HTTP/1.1\r
Evil: evil\x00\r
\r
_end_of_message_
msg.gsub!(/^ {6}/, "")
req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
assert_raise(WEBrick::HTTPStatus::BadRequest){ req.parse(StringIO.new(msg)) }
end

def test_forwarded
msg = <<-_end_of_message_
GET /foo HTTP/1.1
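
Review bot: test_null_byte_in_header only places the null byte at the end of a header value (`Evil: evil\x00\r`), so a null byte in the field name or in the middle of a value is not pinned by any test. Adding one or two more messages, for example one with the byte inside the name, would keep the check from silently regressing if it is later moved to run after the line is split into name and value. The test also asserts only the exception class; checking the 'null byte in header' message would distinguish this rejection from other BadRequest paths.
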