[ruby/cgi] Prevent CRLF injection

Throw a RuntimeError if the HTTP response header contains CR or LF to prevent HTTP response splitting. https://hackerone.com/reports/1204695 https://github.com/ruby/cgi/commit/64c5045c0a
author: Yusuke Endoh <[email protected]> 2022-11-22 10:49:27 +0900
committer: git <[email protected]> 2022-11-22 02:00:11 +0000
commit: 0e75b2f2e633ac9579e63e1d4b3bad02e915889c (patch)
tree: 576e58cd001bd47738e6b53869737c8a5432d1ef /test/cgi/test_cgi_header.rb
parent: c05f85f373ed48594d9bf08e11ae0c84c06062f7 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb
index bab2d0348a..ec2f4deb72 100644
--- a/test/cgi/test_cgi_header.rb
+++ b/test/cgi/test_cgi_header.rb
@@ -176,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase
   end
 
 
+  def test_cgi_http_header_crlf_injection
+    cgi = CGI.new
+    assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") }
+    assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") }
+    assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") }
+    assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") }
+  end
+
 
   instance_methods.each do |method|
     private method if method =~ /^test_(.*)/ && $1 != ENV['TEST']
author	Yusuke Endoh <[email protected]>	2022-11-22 10:49:27 +0900
committer	git <[email protected]>	2022-11-22 02:00:11 +0000
commit	0e75b2f2e633ac9579e63e1d4b3bad02e915889c (patch)
tree	576e58cd001bd47738e6b53869737c8a5432d1ef /test/cgi/test_cgi_header.rb
parent	c05f85f373ed48594d9bf08e11ae0c84c06062f7 (diff)