Fix possible HTTP Response Splitting

Ignore any response header with \r or \n in their value See GHSA-84j7-475p-hp8v
macournoyer · May 17, 2021 · dd24bf5 · dd24bf5
1 parent 026285b
commit dd24bf5
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/lib/thin/headers.rb b/lib/thin/headers.rb
@@ -4,6 +4,7 @@ module Thin
   class Headers
     HEADER_FORMAT      = "%s: %s\r\n".freeze
     ALLOWED_DUPLICATES = %w(set-cookie set-cookie2 warning www-authenticate).freeze
+    CR_OR_LF           = /[\r\n]/.freeze
 
     def initialize
       @sent = {}
@@ -20,7 +21,7 @@ def []=(key, value)
         value = case value
                 when Time
                   value.httpdate
-                when NilClass
+                when NilClass, CR_OR_LF
                   return
                 else
                   value.to_s

diff --git a/spec/headers_spec.rb b/spec/headers_spec.rb
@@ -37,4 +37,24 @@
     @headers['Modified-At'] = time
     expect(@headers.to_s).to include("Modified-At: #{time.httpdate}")
   end
+
+  it 'should format Integer values correctly' do
+    @headers['X-Number'] = 32
+    expect(@headers.to_s).to include("X-Number: 32")
+  end
+
+  it 'should not allow CRLF' do
+    @headers['Bad'] = "a\r\nSet-Cookie: injected=value"
+    expect(@headers.to_s).to be_empty
+  end
+
+  it 'should not allow CR' do
+    @headers['Bad'] = "a\rSet-Cookie: injected=value"
+    expect(@headers.to_s).to be_empty
+  end
+
+  it 'should not allow LF' do
+    @headers['Bad'] = "a\nSet-Cookie: injected=value"
+    expect(@headers.to_s).to be_empty
+  end
 end