Skip to content

Commit

Permalink
Fix bug chunk extension detection
Browse files Browse the repository at this point in the history
This fixes a request smuggling vulnerability (Fixes ruby#124).

Co-authored-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
  • Loading branch information
jeremyevans and kenballus committed Nov 12, 2023
1 parent 15e5ca9 commit 6018ab9
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/webrick/httprequest.rb
Original file line number Diff line number Diff line change
Expand Up @@ -542,7 +542,7 @@ def read_body(socket, block)

def read_chunk_size(socket)
line = read_line(socket)
if /^([0-9a-fA-F]+)(?:;(\S+))?/ =~ line
if /\A([0-9a-fA-F]+)(?:;(\S+(?:=\S+)?))?\r\n\z/ =~ line
chunk_size = $1.hex
chunk_ext = $2
[ chunk_size, chunk_ext ]
Expand Down
25 changes: 25 additions & 0 deletions test/webrick/test_httprequest.rb
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,31 @@ def test_chunked
assert_equal(expect, dst.string)
end

def test_bad_chunked
crlf = "\x0d\x0a"
expect = File.binread(__FILE__).freeze
msg = <<-_end_of_message_
POST /path HTTP/1.1\r
Transfer-Encoding: chunked\r
\r
01x1\r
\r
1
_end_of_message_
msg.gsub!(/^ {6}/, "")
req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
req.parse(StringIO.new(msg))
assert_raise(WEBrick::HTTPStatus::BadRequest){ req.body }

# chunked req.body_reader
req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
req.parse(StringIO.new(msg))
dst = StringIO.new
assert_raise(WEBrick::HTTPStatus::BadRequest) do
IO.copy_stream(req.body_reader, dst)
end
end

def test_forwarded
msg = <<-_end_of_message_
GET /foo HTTP/1.1
Expand Down

0 comments on commit 6018ab9

Please sign in to comment.