diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
index 0cfc1c9..43e4e8a 100644
--- a/lib/webrick/httprequest.rb
+++ b/lib/webrick/httprequest.rb
@@ -475,6 +475,9 @@ def read_header(socket)
 if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH
 raise HTTPStatus::RequestEntityTooLarge, 'headers too large'
 end
+ if line.include?("\x00")
+ raise HTTPStatus::BadRequest, 'null byte in header'
+ end
 @raw_header << line
 end
 end
diff --git a/test/webrick/test_httprequest.rb b/test/webrick/test_httprequest.rb
index 471005c..c0fb2e9 100644
--- a/test/webrick/test_httprequest.rb
+++ b/test/webrick/test_httprequest.rb
@@ -312,6 +312,17 @@ def test_bad_chunked
 end
 end
 
+ def test_null_byte_in_header
+ msg = <<-_end_of_message_
+ POST /path HTTP/1.1\r
+ Evil: evil\x00\r
+ \r
+ _end_of_message_
+ msg.gsub!(/^ {6}/, "")
+ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+ assert_raise(WEBrick::HTTPStatus::BadRequest){ req.parse(StringIO.new(msg)) }
+ end
+
 def test_forwarded
 msg = <<-_end_of_message_
 GET /foo HTTP/1.1
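Review bot: The new guard in read_header rejects NUL only, so a bare CR inside a header line still reaches `@raw_header << line` as far as this hunk shows. RFC 9110 section 5.5 treats CR, LF and NUL in field values alike (reject the message or replace the character with SP), so consider widening the condition, for example `if line.include?("\x00") || line =~ /\r(?!\n\z)/`, after confirming how the line terminator is delivered by the reader above the hunk. A short comment such as `# NUL in a field line is invalid (RFC 9110 5.5); reject before it is stored` would record why the check sits ahead of the append. read_header starts above the hunk and the request-line parser is outside it, so whether the request line gets an equivalent check cannot be told from here.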
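Review bot: The assertion in test_null_byte_in_header checks only the exception class, so it would also pass if parse raised BadRequest for an unrelated reason, for instance if the `msg.gsub!(/^ {6}/, "")` indentation strip stopped matching and the request line became malformed (inferred; the request-line parser is not in this diff). Pinning the message ties the test to the new guard: `e = assert_raise(WEBrick::HTTPStatus::BadRequest){ req.parse(StringIO.new(msg)) }` followed by `assert_equal('null byte in header', e.message)`. A second case with the NUL in the field name rather than the value would cover the other half of the header line.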