Overview

File 0008-A-Request-Line-must-not-contain-CR-or-LF.patch of Package ruby2.1

From 8a7e7777f5d1c0d3fda23dd9560f5314ec01ce3c Mon Sep 17 00:00:00 2001
From: shugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 6 Jul 2016 00:01:20 +0000
Subject: [PATCH 08/13] A Request-Line must not contain CR or LF.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55581 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/net/http/generic_request.rb | 7 ++++++-
 test/net/http/test_http.rb      | 8 ++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/net/http/generic_request.rb b/lib/net/http/generic_request.rb
index b51034c7ea..51fecdf99f 100644
--- a/lib/net/http/generic_request.rb
+++ b/lib/net/http/generic_request.rb
@@ -317,7 +317,12 @@ class Net::HTTPGenericRequest
   end
 
   def write_header(sock, ver, path)
-    buf = "#{@method} #{path} HTTP/#{ver}\r\n"
+    reqline = "#{@method} #{path} HTTP/#{ver}"
+    if /[\r\n]/ =~ reqline
+      raise ArgumentError, "A Request-Line must not contain CR or LF"
+    end
+    buf = ""
+    buf << reqline << "\r\n"
     each_capitalized do |k,v|
       buf << "#{k}: #{v}\r\n"
     end
diff --git a/test/net/http/test_http.rb b/test/net/http/test_http.rb
index 7d9c2b09d1..2a4b5184b2 100644
--- a/test/net/http/test_http.rb
+++ b/test/net/http/test_http.rb
@@ -291,6 +291,14 @@ module TestNetHTTP_version_1_1_methods
     assert_equal $test_net_http_data, res.body
   end
 
+  def test_get__crlf
+    start {|http|
+      assert_raise(ArgumentError) do
+        http.get("\r")
+      end
+    }
+  end
+
   def test_get2
     start {|http|
       http.get2('/') {|res|
-- 
2.12.0
openSUSE Build Service is sponsored by
Places