author | kefren <kefren> | 2008-09-01 09:28:54 +0000 |
---|---|---|
committer | kefren <kefren> | 2008-09-01 09:28:54 +0000 |
commit | f47c2ea0fd2af56d896e064211949bc03010bc0a (patch) | |
tree | 3656feee674020935f22d0998edbaee55a982825 /lang/mono/patches | |
parent | 213e174969cb0f2a2727ea2e5c7b90328f9b4777 (diff) | |
Merge fix for Bug 418620 (SVN revision 111276) - Sys.Web is prone to
"HTTP header injection" attacks
Diffstat (limited to 'lang/mono/patches')
-rw-r--r-- | lang/mono/patches/patch-cl | 70 | ||||
-rw-r--r-- | lang/mono/patches/patch-cm | 21 |
2 files changed, 91 insertions, 0 deletions
diff --git a/lang/mono/patches/patch-cl b/lang/mono/patches/patch-cl
new file mode 100644
index 00000000000..9add244aa5c
--- /dev/null
+++ b/lang/mono/patches/patch-cl
@@ -0,0 +1,70 @@
+$NetBSD: patch-cl,v 1.1 2008/09/01 09:28:54 kefren Exp $
+--- mcs/class/System.Web/System.Web/HttpResponseHeader.cs 2008/08/21 16:19:17 111275
++++ mcs/class/System.Web/System.Web/HttpResponseHeader.cs 2008/08/21 16:51:54 111276
+@@ -30,17 +30,65 @@
+ 
+ using System.Collections;
+ using System.Text;
++using System.Web.Configuration;
+ 
+ namespace System.Web {
+ 
+ internal abstract class BaseResponseHeader {
+- public string Value;
++ string headerValue;
++
++ public string Value {
++ get { return headerValue; }
++ set { headerValue = EncodeHeader (value); }
++ }
+ 
++ static bool headerCheckingEnabled;
++
++ static BaseResponseHeader () {
++#if NET_2_0
++ HttpRuntimeSection section = WebConfigurationManager.GetSection ("system.web/httpRuntime") as HttpRuntimeSection;
++#else
++ HttpRuntimeConfig section = HttpContext.GetAppConfig ("system.web/httpRuntime") as HttpRuntimeConfig;
++#endif
++ headerCheckingEnabled = section == null || section.EnableHeaderChecking;
++ }
++
++
+ internal BaseResponseHeader (string val)
+ {
+ Value = val;
+ }
+ 
++ string EncodeHeader (string value)
++ {
++ if (value == null || value.Length == 0)
++ return value;
++
++ if (headerCheckingEnabled) {
++ StringBuilder ret = new StringBuilder ();
++ int len = value.Length;
++
++ for (int i = 0; i < len; i++) {
++ switch (value [i]) {
++ case '\r':
++ ret.Append ("%0d");
++ break;
++
++ case '\n':
++ ret.Append ("%0a");
++ break;
++
++ default:
++ ret.Append (value [i]);
++ break;
++ }
++ }
++
++ return ret.ToString ();
++ } else
++ return value;
++ }
++
+ internal abstract void SendContent (HttpWorkerRequest wr);
+ }
+ 
diff --git a/lang/mono/patches/patch-cm b/lang/mono/patches/patch-cm
new file mode 100644
index 00000000000..32e0ec20cc9
--- /dev/null
+++ b/lang/mono/patches/patch-cm
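Review bot: `EncodeHeader` in patch-cl neutralises only `'\r'` and `'\n'`; every other character, including the remaining C0 control characters and 0x7F, reaches the `default:` arm and is appended unchanged. If the intent is parity with the framework's own header checking, which percent-encodes every character below 0x20 except HT as well as 0x7F (worth confirming against the release being targeted), the `default:` arm could become `default: char c = value [i]; if ((c < 0x20 && c != '\t') || c == 0x7f) ret.Append ('%').Append (((int) c).ToString ("x2")); else ret.Append (c); break;`. `headerCheckingEnabled` is assigned once in the static constructor, so the `<httpRuntime>` `enableHeaderChecking` setting is fixed for the AppDomain at first use of any response header and a location-specific override would not be observed; a comment above the static constructor such as `// read once per AppDomain: enableHeaderChecking cannot vary per request or location` would make that explicit. The method also allocates a `StringBuilder` for every header value even when nothing needs encoding; an early `if (value.IndexOfAny (new char [] { '\r', '\n' }) < 0) return value;` inside the `headerCheckingEnabled` branch would keep the common case allocation-free without changing the output.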
@@ -0,0 +1,21 @@
+$NetBSD: patch-cm,v 1.1 2008/09/01 09:28:54 kefren Exp $
+--- mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs 2008/08/21 16:19:17 111275
++++ mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs 2008/08/21 16:51:54 111276
+@@ -55,7 +55,8 @@
+ public int IdleTimeout = 20; // minutes
+ public bool Enable = true;
+ public string VersionHeader;
+-
++ public bool EnableHeaderChecking = true;
++
+ /* Only the config. handler should create instances of this. Use GetInstance (context) */
+ public HttpRuntimeConfig (object p)
+ {
+@@ -92,6 +93,7 @@
+ RequireRootSaveAsPath = parent.RequireRootSaveAsPath;
+ IdleTimeout = parent.IdleTimeout;
+ Enable = parent.Enable;
++ EnableHeaderChecking = parent.EnableHeaderChecking;
+ }
+ }
+ } |
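Review bot: patch-cm adds the public `EnableHeaderChecking` field defaulting to `true` and copies it from `parent`, but nothing in the hunk reads the value from the `<httpRuntime>` element, so on this profile the flag may only ever hold its default unless the configuration handler outside the hunk parses it; the constructor opened at the end of the first inner hunk continues past it, and the copy block in the second inner hunk starts before it. That is the safe direction, since the static constructor in patch-cl treats a missing section as checking enabled, but a short comment on the field, `// default on; expected to be set from the httpRuntime enableHeaderChecking attribute by the config handler`, would record where the value is meant to come from, or a TODO if that parsing has not been added.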