Merge pull request excon#675 from excon/fix-header-splitting

geemus · web-flow · commit 3bc977d146ef · 2018-05-30T14:48:33.000-05:00
fix header splitting bug
diff --git a/lib/excon/connection.rb b/lib/excon/connection.rb
@@ -138,7 +138,13 @@ def request_call(datum)
 
           # add headers to request
           datum[:headers].each do |key, values|
+            if key.to_s.match(/[\r\n]/)
+              raise Excon::Errors::InvalidHeaderKey.new(key.to_s.inspect + ' contains forbidden "\r" or "\n"')
+            end
             [values].flatten.each do |value|
+              if value.to_s.match(/[\r\n]/)
+                raise Excon::Errors::InvalidHeaderValue.new(value.to_s.inspect + ' contains forbidden "\r" or "\n"')
+              end
               request << key.to_s << ': ' << value.to_s << CR_NL
             end
           end
@@ -185,7 +191,7 @@ def request_call(datum)
         end
       rescue => error
         case error
-        when Excon::Errors::StubNotFound, Excon::Errors::Timeout
+        when Excon::Errors::InvalidHeaderKey, Excon::Errors::InvalidHeaderValue, Excon::Errors::StubNotFound, Excon::Errors::Timeout
           raise(error)
         else
           raise_socket_error(error)
diff --git a/lib/excon/error.rb b/lib/excon/error.rb
@@ -45,6 +45,8 @@ def initialize(socket_error = Excon::Error.new)
       end
     end
 
+    class InvalidHeaderKey < Error; end
+    class InvalidHeaderValue < Error; end
     class Timeout < Error; end
     class ResponseParse < Error; end
     class ProxyParse < Error; end
diff --git a/tests/bad_tests.rb b/tests/bad_tests.rb
@@ -2,6 +2,28 @@
 
   with_server('bad') do
 
+    tests('header splitting') do
+
+      tests('prevents key splitting').raises(Excon::Errors::InvalidHeaderKey) do
+        connection = Excon.new('http://127.0.0.1:9292')
+        connection.request(
+          headers: { "Foo\r\nBar" => "baz" },
+          method:  :get,
+          path: '/echo'
+        )
+      end
+
+      tests('prevents value splitting').raises(Excon::Errors::InvalidHeaderValue) do
+        connection = Excon.new('http://127.0.0.1:9292')
+        connection.request(
+          headers: { Foo: "bar\r\nBaz: qux" },
+          method:  :get,
+          path: '/echo'
+        )
+      end
+
+    end
+
     tests('bad server: causes EOFError') do
 
       tests('with no content length and no chunking') do
diff --git a/tests/servers/bad.rb b/tests/servers/bad.rb
@@ -5,6 +5,11 @@
 module BadServer
   def receive_data(data)
     case data
+    when %r{^GET /echo\s}
+      send_data "HTTP/1.1 200 OK\r\n"
+      send_data "\r\n"
+      send_data data
+      close_connection(true)
     when %r{^GET /eof/no_content_length_and_no_chunking\s}
       send_data "HTTP/1.1 200 OK\r\n"
       send_data "\r\n"
