Permalink
Browse files

* lib/webrick/accesslog.rb : Escape needed.

	* lib/webrick/httpstatus.rb : ditto.

	* lib/webrick/httprequest.rb : ditto.

	* lib/webrick/httputils.rb : ditto.

	* test/webrick/test_cgi.rb (TestWEBrickCGI::test_bad_): Test for it.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26267 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
  • Loading branch information...
shyouhei committed Jan 10, 2010
1 parent 9982c92 commit 73cd7b6697849b563a0154907b8a61c43e4ba209
Showing with 75 additions and 22 deletions.
  1. +12 −0 ChangeLog
  2. +10 −2 lib/webrick/accesslog.rb
  3. +1 −5 lib/webrick/httprequest.rb
  4. +18 −13 lib/webrick/httpstatus.rb
  5. +2 −2 lib/webrick/httputils.rb
  6. +32 −0 test/webrick/test_cgi.rb
View
@@ -1,3 +1,15 @@
Sun Jan 10 17:25:24 2010 Nobuyoshi Nakada <nobu@ruby-lang.org>
* lib/webrick/accesslog.rb : Escape needed.
* lib/webrick/httpstatus.rb : ditto.
* lib/webrick/httprequest.rb : ditto.
* lib/webrick/httputils.rb : ditto.
* test/webrick/test_cgi.rb (TestWEBrickCGI::test_bad_): Test for it.
Sun Jan 10 04:54:36 2010 Nobuyoshi Nakada <nobu@ruby-lang.org>
* class.c (rb_define_class): raise TypeError same as class
View
@@ -53,15 +53,23 @@ def format(format_string, params)
when ?e, ?i, ?n, ?o
raise AccessLogError,
"parameter is required for \"#{spec}\"" unless param
params[spec][param] || "-"
param = params[spec][param] ? escape(param) : "-"
when ?t
params[spec].strftime(param || CLF_TIME_FORMAT)
when ?%
"%"
else
params[spec]
escape(params[spec].to_s)
end
}
end
def escape(data)
if data.tainted?
data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
else
data
end
end
end
end
@@ -266,11 +266,7 @@ def read_header(socket)
@raw_header << line
end
end
begin
@header = HTTPUtils::parse_header(@raw_header.join)
rescue => ex
raise HTTPStatus::BadRequest, ex.message
end
@header = HTTPUtils::parse_header(@raw_header.join)
end
def parse_uri(str, scheme="http")
View
@@ -12,7 +12,17 @@ module WEBrick
module HTTPStatus
class Status < StandardError; end
class Status < StandardError
def initialize(message, *rest)
super(AccessLog.escape(message), *rest)
end
class << self
attr_reader :code, :reason_phrase
end
def code() self::class::code end
def reason_phrase() self::class::reason_phrase end
alias to_i code
end
class Info < Status; end
class Success < Status; end
class Redirect < Status; end
@@ -68,6 +78,7 @@ class EOFError < StandardError; end
CodeToError = {}
StatusMessage.each{|code, message|
message.freeze
var_name = message.gsub(/[ \-]/,'_').upcase
err_name = message.gsub(/[ \-]/,'')
@@ -79,18 +90,12 @@ class EOFError < StandardError; end
when 500...600; parent = ServerError
end
eval %-
RC_#{var_name} = #{code}
class #{err_name} < #{parent}
def self.code() RC_#{var_name} end
def self.reason_phrase() StatusMessage[code] end
def code() self::class::code end
def reason_phrase() self::class::reason_phrase end
alias to_i code
end
-
CodeToError[code] = const_get(err_name)
const_set("RC_#{var_name}", code)
err_class = Class.new(parent)
err_class.instance_variable_set(:@code, code)
err_class.instance_variable_set(:@reason_phrase, message)
const_set(err_name, err_class)
CodeToError[code] = err_class
}
def reason_phrase(code)
View
@@ -129,11 +129,11 @@ def parse_header(raw)
when /^\s+(.*?)\s*\z/om
value = $1
unless field
raise "bad header '#{line.inspect}'."
raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
header[field][-1] << " " << value
else
raise "bad header '#{line.inspect}'."
raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
}
header.each{|key, values|
View
@@ -98,4 +98,36 @@ def test_bad_request
end
}
end
CtrlSeq = [0x7f, *(1..31)].pack("C*").gsub(/\s+/, '')
CtrlPat = /#{Regexp.quote(CtrlSeq)}/o
DumpPat = /#{Regexp.quote(CtrlSeq.dump[1...-1])}/o
def test_bad_uri
start_cgi_server{|server, addr, port, log|
res = TCPSocket.open(addr, port) {|sock|
sock << "GET /#{CtrlSeq}#{CRLF}#{CRLF}"
sock.close_write
sock.read
}
assert_match(%r{\AHTTP/\d.\d 400 Bad Request}, res)
s = log.call.each_line.grep(/ERROR bad URI/)[0]
assert_match(DumpPat, s)
assert_not_match(CtrlPat, s)
}
end
def test_bad_header
start_cgi_server{|server, addr, port, log|
res = TCPSocket.open(addr, port) {|sock|
sock << "GET / HTTP/1.0#{CRLF}#{CtrlSeq}#{CRLF}#{CRLF}"
sock.close_write
sock.read
}
assert_match(%r{\AHTTP/\d.\d 400 Bad Request}, res)
s = log.call.each_line.grep(/ERROR bad header/)[0]
assert_match(DumpPat, s)
assert_not_match(CtrlPat, s)
}
end
end

0 comments on commit 73cd7b6

Please sign in to comment.