From: Shugo Maeda <shugo <at> ruby-lang.org>
Subject: [ruby-core:19399] Response Splitting Risk
Newsgroups: gmane.comp.lang.ruby.core
Date: Monday 20th October 2008 08:52:20 UTC
Hi,

A potential risk in cgi.rb has been reported at
http://weblog.rubyonrails.com/2008/10/19/response-splitting-risk.

Patches for Rails are available, but I think it's better to also fix
cgi.rb.  The following patch fixes this problem.

Index: lib/cgi.rb
===================================================================
--- lib/cgi.rb	(revision 19665)
+++ lib/cgi.rb	(working copy)
@@ -546,6 +546,11 @@
     when Hash
       options = options.dup
     end
+    options.each_value do |value|
+      if /\n(?![ \t])/ === value
+        raise ArgumentError, "potential HTTP header injection detected"
+      end
+    end
 
     unless options.has_key?("type")
       options["type"] = "text/html"
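Review bot: the `options.each_value` loop only inspects String values, so a non-String option value (cgi.rb accepts a CGI::Cookie, an Array of cookies or a Hash for the "cookie" option) is skipped silently, because `Regexp#===` returns false when its operand is not a String; iterate over `Array(value).flatten` and match against `v.to_s`, or check cookie names and values where they are serialised. Also, `/\n(?![ \t])/` matches only LF, so a value containing a bare CR passes, and so does LF followed by SP or HT, even though the accompanying text notes that CGI/1.1 does not define continuation lines for non-NPH scripts; if the stricter rule suggested later in the mail is adopted, `/[\r\n]/` rejects both.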


The patch above allows a newline character followed by spaces
because HTTP/1.1 (RFC 2616) supports continuation lines.  (CGI/1.1
doesn't support continuation lines, but NPH scripts can output
continuation lines.)

But Michael Koziarski suggested raising an exception if there's a
newline character in there at all, because there's no reason to
support continuation lines in the generation code.

I think the only reasons to support continuation lines are
compatibility and conformity to the standard.  Compatibility is
important especially on ruby_1_8_x branches.

What do you think?

Shugo
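The two candidate checks discussed in the mail, side by side, as an added example that is not Shugo's patch, Rails' fix or cgi.rb's own code: the patch's regex (LF not followed by SP/HT, so RFC 2616 continuation lines pass) versus the stricter "any line break" rule Michael Koziarski suggested, extended here to reject a bare CR as well. The sample header values are constructed; `header_injection?`, `build_header` and `classify` are names chosen for this example. Unlike the patch's `Regexp#===`, the check also descends into Array and Hash values rather than skipping non-Strings.

```ruby
# Added example, not part of the original mail or of cgi.rb.
PATCH_CHECK  = /\n(?![ \t])/   # the patch's rule: LF that does not start a continuation line
STRICT_CHECK = /[\r\n]/        # the stricter rule: any CR or LF at all

# true if +value+ (a String, or an Array/Hash of header parts such as
# cookies) could split the response into extra header lines.
def header_injection?(value, strict: true)
  pattern = strict ? STRICT_CHECK : PATCH_CHECK
  # Array(hash) yields [key, value] pairs; flatten so every part is inspected.
  Array(value).flatten.any? { |part| part.to_s.match?(pattern) }
end

# Emit the Content-Type header a CGI script would write, refusing unsafe values
# the same way the patch does (ArgumentError).
def build_header(type, strict: true)
  if header_injection?(type, strict: strict)
    raise ArgumentError, "potential HTTP header injection detected"
  end
  "Content-Type: #{type}\r\n\r\n"
end

# Constructed inputs covering the cases the mail argues about.
SAMPLES = {
  "plain"       => "text/html",
  "crlf_inject" => "text/html\r\nSet-Cookie: session=evil",
  "lf_inject"   => "text/html\nSet-Cookie: session=evil",
  "folded"      => "text/html;\n charset=utf-8",   # LF + SP: an RFC 2616 continuation line
  "bare_cr"     => "text/html\rSet-Cookie: session=evil",
}.freeze

# For each sample, report whether the patch's rule and the strict rule flag it.
def classify(samples = SAMPLES)
  samples.each_with_object({}) do |(name, value), out|
    out[name] = {
      patch:  header_injection?(value, strict: false),
      strict: header_injection?(value, strict: true),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  classify.each { |name, verdict| puts "#{name.ljust(12)} patch=#{verdict[:patch]} strict=#{verdict[:strict]}" }
end
```

The "folded" and "bare_cr" rows are the ones that separate the two rules: a continuation line is accepted by the patch and rejected by the strict check, and a lone CR is caught only by the strict check. The Array case matters because cgi.rb's "cookie" option can carry several values in one option.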