unofficial mirror of guix-devel@gnu.org 
blob 4f13f94ee449bd0b61aed2f5b282a1f3c03af439 3544 bytes (raw)
name: gnu/packages/patches/ruby-1.8-CVE-2017-10784.patch 	 # note: path name is non-authoritative(*)
Fix CVE-2017-10784:

https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784
https://security-tracker.debian.org/tracker/CVE-2017-10784

Patch copied from snapshot.debian.org:

https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz

From 6617c41292b7d1e097abb8fdb0cab9ddd83c77e7 Mon Sep 17 00:00:00 2001
From: mame <mame@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Thu, 14 Sep 2017 11:16:23 +0000
Subject: [PATCH] lib/webrick/log.rb: sanitize any type of logs

It had failed to sanitize some types of exception messages.  Reported and
patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363

Patch modified to backport to Ruby 1.8.7.358 for the Debian LTS
project by anarcat.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59897 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/webrick/httpstatus.rb     |  4 ----
 lib/webrick/log.rb            |  4 ++--
 test/webrick/test_httpauth.rb | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 6 deletions(-)

--- a/lib/webrick/httpstatus.rb
+++ b/lib/webrick/httpstatus.rb
@@ -13,10 +13,6 @@ module WEBrick
   module HTTPStatus
 
     class Status      < StandardError
-      def initialize(*args)
-        args[0] = AccessLog.escape(args[0]) unless args.empty?
-        super(*args)
-      end
       class << self
         attr_reader :code, :reason_phrase
       end
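Review bot: dropping the `initialize` override in `Status` changes what `HTTPStatus::Status#message` returns: before this hunk it was the `AccessLog.escape`d text, after it is the raw text, so any caller that displays `message` somewhere other than through the logger (an error page body, for example) loses its sanitization with this change. Moving the escaping out of the constructor is the right direction, since the commit message notes that constructor-time escaping missed some exception messages, but the commit message should state the behaviour change on `Status#message` explicitly, and the other consumers of `Status#message` in WEBrick should be checked to confirm they either escape it themselves or only emit it via `Logger#format`.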
--- a/lib/webrick/log.rb
+++ b/lib/webrick/log.rb
@@ -61,10 +61,10 @@ module WEBrick
 
     def format(arg)
       str = if arg.is_a?(Exception)
-        "#{arg.class}: #{arg.message}\n\t" <<
+        "#{arg.class}: #{AccessLog.escape(arg.message)}\n\t" <<
         arg.backtrace.join("\n\t") << "\n"
       elsif arg.respond_to?(:to_str)
-        arg.to_str
+        AccessLog.escape(arg.to_str)
       else
         arg.inspect
       end
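Review bot: the `else` branch still logs `arg.inspect` unescaped, so an object whose `inspect` returns raw control characters can still put an escape sequence into the log (a `String` is fine here because `String#inspect` already escapes them, but a custom object is not); wrapping that branch as `AccessLog.escape(arg.inspect)` would make all three branches consistent. Two smaller points on the `Exception` branch: the backtrace is joined in unescaped, and `arg.backtrace` is `nil` for an exception object that was never raised, so `arg.backtrace.join` raises inside the logger for such an argument; `(arg.backtrace || []).join("\n\t")` keeps the formatter from failing there.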
--- a/test/webrick/test_httpauth.rb
+++ b/test/webrick/test_httpauth.rb
@@ -79,4 +79,40 @@ class TestWEBrickHTTPAuth < Test::Unit::
     }
     tmpfile.close(true)
   end
+
+  def test_bad_username_with_control_characters
+    log_tester = lambda {|log, access_log|
+      assert_equal(2, log.length)
+      assert_match(/ERROR Basic WEBrick's realm: foo\\ebar: the user is not allowed./, log[0])
+      assert_match(/ERROR WEBrick::HTTPStatus::Unauthorized/, log[1])
+    }
+    TestWEBrick.start_httpserver{|server, addr, port, log|
+      realm = "WEBrick's realm"
+      path = "/basic_auth"
+
+      Tempfile.open("test_webrick_auth") { |tmpfile|
+        tmpfile.close
+        tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+        tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
+        tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
+        tmp_pass.flush
+
+        htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+        users = []
+        htpasswd.each{|user, pass| users << user }
+        server.mount_proc(path){|req, res|
+          auth = WEBrick::HTTPAuth::BasicAuth.new(
+            :Realm => realm, :UserDB => htpasswd,
+            :Logger => server.logger
+          )
+          auth.authenticate(req, res)
+          res.body = "hoge"
+        }
+        http = Net::HTTP.new(addr, port)
+        g = Net::HTTP::Get.new(path)
+        g.basic_auth("foo\ebar", "passwd")
+        http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
+      }
+    }
+  end
 end
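Review bot: the test only checks that the escaped form `foo\\ebar` appears in `log[0]`; it never asserts that the raw ESC byte is absent, so a formatter that emitted both the escaped text and the raw text would still pass. Adding `assert_no_match(/\e/, log[0])` and the same for `log[1]` pins down the property this fix is about, namely that no control character reaches the log. Also, `users` is filled from `htpasswd.each` and never used, and the `webrick` user written to the password file is never referenced by the request, so those lines are dead and can be dropped.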

debug log:

solving 4f13f94ee ...
found 4f13f94ee in https://yhetil.org/guix-devel/875zwmzj1g.fsf@gmail.com/

applying [1/1] https://yhetil.org/guix-devel/875zwmzj1g.fsf@gmail.com/
diff --git a/gnu/packages/patches/ruby-1.8-CVE-2017-10784.patch b/gnu/packages/patches/ruby-1.8-CVE-2017-10784.patch
new file mode 100644
index 000000000..4f13f94ee

Checking patch gnu/packages/patches/ruby-1.8-CVE-2017-10784.patch...
Applied patch gnu/packages/patches/ruby-1.8-CVE-2017-10784.patch cleanly.

index at:
100644 4f13f94ee449bd0b61aed2f5b282a1f3c03af439	gnu/packages/patches/ruby-1.8-CVE-2017-10784.patch

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of their contents.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
