Permalink
Browse files

lib/webrick/log.rb: sanitize any type of logs

It had failed to sanitize some type of exception messages.  Reported and
patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59897 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
  • Loading branch information...
mame committed Sep 14, 2017
1 parent 7df1e45 commit 6617c41292b7d1e097abb8fdb0cab9ddd83c77e7
Showing with 38 additions and 6 deletions.
  1. +0 −4 lib/webrick/httpstatus.rb
  2. +2 −2 lib/webrick/log.rb
  3. +36 −0 test/webrick/test_httpauth.rb
@@ -23,10 +23,6 @@ module HTTPStatus
##
# Root of the HTTP status class hierarchy
class Status < StandardError
def initialize(*args) # :nodoc:
args[0] = AccessLog.escape(args[0]) unless args.empty?
super(*args)
end
class << self
attr_reader :code, :reason_phrase # :nodoc:
end
View
@@ -118,10 +118,10 @@ def debug?; @level >= DEBUG; end
# * Otherwise it will return +arg+.inspect.
def format(arg)
if arg.is_a?(Exception)
"#{arg.class}: #{arg.message}\n\t" <<
"#{arg.class}: #{AccessLog.escape(arg.message)}\n\t" <<
arg.backtrace.join("\n\t") << "\n"
elsif arg.respond_to?(:to_str)
arg.to_str
AccessLog.escape(arg.to_str)
else
arg.inspect
end
@@ -103,6 +103,42 @@ def test_basic_auth3
}
end
def test_bad_username_with_control_characters
log_tester = lambda {|log, access_log|
assert_equal(2, log.length)
assert_match(/ERROR Basic WEBrick's realm: foo\\ebar: the user is not allowed./, log[0])
assert_match(/ERROR WEBrick::HTTPStatus::Unauthorized/, log[1])
}
TestWEBrick.start_httpserver({}, log_tester) {|server, addr, port, log|
realm = "WEBrick's realm"
path = "/basic_auth"
Tempfile.create("test_webrick_auth") {|tmpfile|
tmpfile.close
tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
tmp_pass.flush
htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
users = []
htpasswd.each{|user, pass| users << user }
server.mount_proc(path){|req, res|
auth = WEBrick::HTTPAuth::BasicAuth.new(
:Realm => realm, :UserDB => htpasswd,
:Logger => server.logger
)
auth.authenticate(req, res)
res.body = "hoge"
}
http = Net::HTTP.new(addr, port)
g = Net::HTTP::Get.new(path)
g.basic_auth("foo\ebar", "passwd")
http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
}
}
end
DIGESTRES_ = /
([a-zA-Z\-]+)
[ \t]*(?:\r\n[ \t]*)*

0 comments on commit 6617c41

Please sign in to comment.