merge revision(s) 55581,55582: [Backport #12557]

* lib/net/http/generic_rquest.rb (write_header): A Request-Line must
	  not contain CR or LF.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@55874 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,8 @@
+Fri Aug 12 11:45:02 2016  Shugo Maeda  <shugo@ruby-lang.org>
+
+	* lib/net/http/generic_rquest.rb (write_header): A Request-Line must
+	  not contain CR or LF.
+
 Fri Aug 12 11:41:41 2016  Shugo Maeda  <shugo@ruby-lang.org>
 
 	* lib/net/ftp.rb (putline): raise an ArgumentError when

lib/net/http/generic_request.rb

@@ -320,7 +320,12 @@ class Net::HTTPGenericRequest
   end
 
   def write_header(sock, ver, path)
-    buf = "#{@method} #{path} HTTP/#{ver}\r\n"
+    reqline = "#{@method} #{path} HTTP/#{ver}"
+    if /[\r\n]/ =~ reqline
+      raise ArgumentError, "A Request-Line must not contain CR or LF"
+    end
+    buf = ""
+    buf << reqline << "\r\n"
     each_capitalized do |k,v|
       buf << "#{k}: #{v}\r\n"
     end

test/net/http/test_http.rb

@@ -291,6 +291,17 @@ module TestNetHTTP_version_1_1_methods
     assert_equal $test_net_http_data, res.body
   end
 
+  def test_get__crlf
+    start {|http|
+      assert_raise(ArgumentError) do
+        http.get("\r")
+      end
+      assert_raise(ArgumentError) do
+        http.get("\n")
+      end
+    }
+  end
+
   def test_get2
     start {|http|
       http.get2('/') {|res|

version.h

@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.2.6"
 #define RUBY_RELEASE_DATE "2016-08-12"
-#define RUBY_PATCHLEVEL 346
+#define RUBY_PATCHLEVEL 347
 
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 8