* lib/webrick/accesslog.rb : Escape needed.

	* lib/webrick/httpstatus.rb : ditto.

	* lib/webrick/httprequest.rb : ditto.

	* lib/webrick/httputils.rb : ditto.

	* test/webrick/test_cgi.rb (TestWEBrickCGI::test_bad_): Test for it.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@26267 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Author: shyouhei

ChangeLog

@@ -1,3 +1,15 @@
+Sun Jan 10 17:25:24 2010  Nobuyoshi Nakada  <[email protected]>
+
+	* lib/webrick/accesslog.rb : Escape needed.
+
+	* lib/webrick/httpstatus.rb : ditto.
+
+	* lib/webrick/httprequest.rb : ditto.
+
+	* lib/webrick/httputils.rb : ditto.
+
+	* test/webrick/test_cgi.rb (TestWEBrickCGI::test_bad_): Test for it.
+
 Sun Jan 10 04:54:36 2010  Nobuyoshi Nakada  <[email protected]>
 
 	* class.c (rb_define_class): raise TypeError same as class

lib/webrick/accesslog.rb

@@ -53,15 +53,23 @@ def format(format_string, params)
          when ?e, ?i, ?n, ?o
            raise AccessLogError,
              "parameter is required for \"#{spec}\"" unless param
-           params[spec][param] || "-"
+           param = params[spec][param] ? escape(param) : "-"
          when ?t
            params[spec].strftime(param || CLF_TIME_FORMAT)
          when ?%
            "%"
          else
-           params[spec]
+           escape(params[spec].to_s)
          end
       }
     end
+
+    def escape(data)
+      if data.tainted?
+        data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
+      else
+        data
+      end
+    end
   end
 end

lib/webrick/httprequest.rb

@@ -266,11 +266,7 @@ def read_header(socket)
           @raw_header << line
         end
       end
-      begin
-        @header = HTTPUtils::parse_header(@raw_header.join)
-      rescue => ex
-        raise  HTTPStatus::BadRequest, ex.message
-      end
+      @header = HTTPUtils::parse_header(@raw_header.join)
     end
 
     def parse_uri(str, scheme="http")

lib/webrick/httpstatus.rb

@@ -12,7 +12,17 @@ module WEBrick
 
   module HTTPStatus
 
-    class Status      < StandardError; end
+    class Status      < StandardError
+      def initialize(message, *rest)
+        super(AccessLog.escape(message), *rest)
+      end
+      class << self
+        attr_reader :code, :reason_phrase
+      end
+      def code() self::class::code end
+      def reason_phrase() self::class::reason_phrase end
+      alias to_i code
+    end
     class Info        < Status; end
     class Success     < Status; end
     class Redirect    < Status; end
@@ -68,6 +78,7 @@ class EOFError < StandardError; end
     CodeToError = {}
 
     StatusMessage.each{|code, message|
+      message.freeze
       var_name = message.gsub(/[ \-]/,'_').upcase
       err_name = message.gsub(/[ \-]/,'')
 
@@ -79,18 +90,12 @@ class EOFError < StandardError; end
       when 500...600; parent = ServerError
       end
 
-      eval %-
-        RC_#{var_name} = #{code}
-        class #{err_name} < #{parent}
-          def self.code() RC_#{var_name} end
-          def self.reason_phrase() StatusMessage[code] end
-          def code() self::class::code end
-          def reason_phrase() self::class::reason_phrase end
-          alias to_i code
-        end
-      -
-
-      CodeToError[code] = const_get(err_name)
+      const_set("RC_#{var_name}", code)
+      err_class = Class.new(parent)
+      err_class.instance_variable_set(:@code, code)
+      err_class.instance_variable_set(:@reason_phrase, message)
+      const_set(err_name, err_class)
+      CodeToError[code] = err_class
     }
 
     def reason_phrase(code)

lib/webrick/httputils.rb

@@ -129,11 +129,11 @@ def parse_header(raw)
         when /^\s+(.*?)\s*\z/om
           value = $1
           unless field
-            raise "bad header '#{line.inspect}'."
+            raise HTTPStatus::BadRequest, "bad header '#{line}'."
           end
           header[field][-1] << " " << value
         else
-          raise "bad header '#{line.inspect}'."
+          raise HTTPStatus::BadRequest, "bad header '#{line}'."
         end
       }
       header.each{|key, values|

test/webrick/test_cgi.rb

@@ -98,4 +98,36 @@ def test_bad_request
       end
     }
   end
+
+  CtrlSeq = [0x7f, *(1..31)].pack("C*").gsub(/\s+/, '')
+  CtrlPat = /#{Regexp.quote(CtrlSeq)}/o
+  DumpPat = /#{Regexp.quote(CtrlSeq.dump[1...-1])}/o
+
+  def test_bad_uri
+    start_cgi_server{|server, addr, port, log|
+      res = TCPSocket.open(addr, port) {|sock|
+        sock << "GET /#{CtrlSeq}#{CRLF}#{CRLF}"
+        sock.close_write
+        sock.read
+      }
+      assert_match(%r{\AHTTP/\d.\d 400 Bad Request}, res)
+      s = log.call.each_line.grep(/ERROR bad URI/)[0]
+      assert_match(DumpPat, s)
+      assert_not_match(CtrlPat, s)
+    }
+  end
+
+  def test_bad_header
+    start_cgi_server{|server, addr, port, log|
+      res = TCPSocket.open(addr, port) {|sock|
+        sock << "GET / HTTP/1.0#{CRLF}#{CtrlSeq}#{CRLF}#{CRLF}"
+        sock.close_write
+        sock.read
+      }
+      assert_match(%r{\AHTTP/\d.\d 400 Bad Request}, res)
+      s = log.call.each_line.grep(/ERROR bad header/)[0]
+      assert_match(DumpPat, s)
+      assert_not_match(CtrlPat, s)
+    }
+  end
 end