path: root/lang/ruby18-base/patches/patch-dw
$NetBSD: patch-dw,v 1.2 2010/01/14 15:07:28 taca Exp $

webrick security fix.

http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/

--- lib/webrick/accesslog.rb.orig	2007-02-12 23:01:19.000000000 +0000
+++ lib/webrick/accesslog.rb
@@ -53,15 +53,23 @@ module WEBrick
          when ?e, ?i, ?n, ?o
            raise AccessLogError,
              "parameter is required for \"#{spec}\"" unless param
-           params[spec][param] || "-"
+           (param = params[spec][param]) ? escape(param) : "-"
          when ?t
            params[spec].strftime(param || CLF_TIME_FORMAT)
          when ?%
            "%"
          else
-           params[spec]
+           escape(params[spec].to_s)
          end
       }
     end
+
+    def escape(data)
+      if data.tainted?
+        data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
+      else
+        data
+      end
+    end
   end
 end
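Review bot: `escape` only sanitises strings whose taint flag is set, so in both changed branches of the `case` a request-derived value that reaches the logger already untainted is still written with raw control characters. Because the result is a log line, escaping unconditionally is the safer default, e.g. `data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}`, at the cost of also escaping backslashes in trusted values. The `?e, ?i, ?n, ?o` branch also passes `params[spec][param]` without the `.to_s` that the `else` branch adds, so a tainted non-String value there would presumably fail on `gsub`; `escape(param.to_s)` would make the two branches agree. The enclosing method starts above the hunk, so how `params` is populated is not visible here.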