webrick: prevent response splitting and header injection
Original patch by tenderlove (with minor style adjustments).
* lib/webrick/httpresponse.rb (send_header): call check_header
(check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb
(test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@63022 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
webrick: support Proc objects as body responses
* lib/webrick/httpresponse.rb (send_body): call send_body_proc
(send_body_proc): new method
(class ChunkedWrapper): new class
* test/webrick/test_httpresponse.rb (test_send_body_proc): new test
(test_send_body_proc_chunked): ditto
[Feature #855]
webrick: favor .write over << method
This will make the next change to use IO.copy_stream
easier-to-read. When we can drop Ruby 2.4 support in a few
years, this will allow us to use writev(2) with multiple
arguments for headers and chunked responses.
* lib/webrick/cgi.rb (write): new wrapper method
lib/webrick/httpresponse.rb: (send_header): use socket.write
(send_body_io): ditto
(send_body_string): ditto
(send_body_proc): ditto
(_write_data): ditto
(ChunkedWrapper#write): ditto
(_send_file): ditto
------------------------------------------------------------------------
r62954 | normal | 2018-03-28 17:05:52 +0900 (水, 28 3 2018) | 14 lines
webrick/httpresponse: IO.copy_stream for regular files
Remove the redundant _send_file method since its functionality
is unnecessary with IO.copy_stream. IO.copy_stream also allows
the use of sendfile under some OSes to speed up copies to
non-TLS sockets.
Testing with "curl >/dev/null" and "ruby -run -e httpd" to
read a 1G file over Linux loopback reveals a reduction from
around ~0.770 to ~0.490 seconds on the client side.
* lib/webrick/httpresponse.rb (send_body_io): use IO.copy_stream
(_send_file): remove
[Feature #14237]
------------------------------------------------------------------------
r62955 | normal | 2018-03-28 17:05:57 +0900 (水, 28 3 2018) | 10 lines
webrick: use IO.copy_stream for single range response
This is also compatible with range responses generated
by Rack::File (tested with rack 2.0.3).
* lib/webrick/httpresponse.rb (send_body_io): use Content-Range
* lib/webrick/httpservlet/filehandler.rb (make_partial_content):
use File object for the single range case
* test/webrick/test_filehandler.rb (get_res_body): use send_body
to test result
------------------------------------------------------------------------
r62956 | normal | 2018-03-28 17:06:02 +0900 (水, 28 3 2018) | 7 lines
test/webrick/test_filehandler.rb: stricter multipart range test
We need to ensure we generate compatibile output in
the face of future changes
* test/webrick/test_filehandler.rb (test_make_partial_content):
check response body
------------------------------------------------------------------------
r62957 | normal | 2018-03-28 17:06:08 +0900 (水, 28 3 2018) | 8 lines
webrick: quiet warning for multi-part ranges
Content-Length is ignored by WEBrick::HTTPResponse even if we
calculate it, so instead we chunk responses to HTTP/1.1 clients
and terminate HTTP/1.0 connections.
* lib/webrick/httpservlet/filehandler.rb (make_partial_content):
quiet warning
------------------------------------------------------------------------
r62958 | normal | 2018-03-28 17:06:13 +0900 (水, 28 3 2018) | 7 lines
webrick/httpresponse: make ChunkedWrapper copy_stream-compatible
The .write method needs to return the number of bytes written
to avoid confusing IO.copy_stream.
* lib/webrick/httpresponse.rb (ChunkedWrapper#write): return bytes written
(ChunkedWrapper#<<): return self
------------------------------------------------------------------------
r62959 | normal | 2018-03-28 17:06:18 +0900 (水, 28 3 2018) | 9 lines
webrick: use IO.copy_stream for multipart response
Use the new Proc response body feature to generate a multipart
range response dynamically. We use a flat array to minimize
object overhead as much as possible; as many ranges may fit
into an HTTP request header.
* lib/webrick/httpservlet/filehandler.rb (multipart_body): new method
(make_partial_content): use multipart_body
get rid of test error/failure on Windows introduced at r62955
* lib/webrick/httpresponse.rb (send_body_io): use seek if NotImplementedError
is raised in IO.copy_stream with offset.
* lib/webrick/httpservlet/filehandler.rb (multipart_body): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@63020 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
that responds to #readpartial and #read.
[ruby-trunk - Feature #8155]
* NEWS: NEWS for above
* test/webrick/test_httpresponse.rb: Tests for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42427 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
use readpartial to get data even if the response is streaming data and
each data is smaller than @buffer_size.
patched by yu nobuoka. [ruby-dev:45471] [Bug #6230]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35253 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
are allowed to have Keep-Alive connections.
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34024 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
are allowed to have a Keep-Alive connection. [ruby-core:41581]
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34023 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
HTTP/1.1 connection when returning an IO object as response body
without setting HTTPResponse#chunked to true. See #855 no.1.
* test/webrick/test_httpserver.rb: Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32188 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpresponse.rb (WEBrick::HTTPResponse#set_error):
Fix for possible cross-site scripting (CVE-2010-0541).
Found by Apple, reported by Hideki Yamane.
Patch by Hirokazu Nishio <nishio.hirokazu AT gmail.com>.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29002 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
:InputBufferSize and :OutputBufferSize.
* lib/webrick/utils.rb (WEBrick::Utils.timeout): add new timeout
method. this implementation is expected to be compatible with
timeout.rb and faster than timeout.rb.
* lib/webrick/httprequest.rb (WEBrick::HTTPRequest#_read_data):
Timeout.timeout is replaced by WEBrick::Utils.timeout.
* lib/webrick/httprequest.rb: WEBrick::HTTPRequest::BUFSIZE is
replaced by config[:InputBufferSize].
* lib/webrick/httpresposne.rb: WEBrick::HTTPResponse::BUFSIZE is
replaced by config[:OutputBufferSize].
* lib/webrick/server.rb: get rid of unnecessary require.
* test/webrick/test_utils.rb: test for WEBrick::Utils.timeout.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@10167 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
add WEBrick::Config::FileHandler[:AcceptableLanguages].
* lib/webrick/httpservlet/filehandler.rb
(WEBrick::HTTPServlet::FileHandler#set_filename): search files
having suffix of language-name which Accept-Language header field
includes if :AcceptableLanguages options is present.
* lib/webrick/httpservlet/filehandler.rb
(WEBrick::HTTPServlet::FileHandler#get_servlet): new method to
search servlet correspond to the suffix of filename.
* lib/webrick/httprequest.rb: add attributes access methods: accept,
accept_charset, accept_encoding, accept_language, content_length
and content_type.
* lib/webrick/httpresponse.rb: add attribute access methods:
content_length, content_length=, content_type and content_type=.
* lib/webrick/httputils.rb (WEBrick::HTTPUtils.mime_types):
use the second suffix to detect media type. (the first suffix
may be a language name.)
* lib/webrick/httputils.rb (WEBrick::HTTPUtils.parse_qvalues):
add method to parse Accept header field. it returns an Array of
values sorted by the qvalues.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@7033 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/cgi.rb (CGI::Socket): add check for existence of
OpenSSL module in all HTTPS related methods.
* lib/webrick/cgi.rb (CGI::Socket#cipher): should create similar
value to OpenSSL::SSLSocket#cipher.
* lib/webrick/httpresponse.rb (HTTPResponse#setup_header): should
set "connection: close" if @keep_alive is false.
* lib/webrick/https.rb (HTTPrequest#meta_vars): add supprt for
SSL_PROTOCOL, SSL_CIPHER_USEKEYSIZE and SSL_CIPHER_ALGKEYSIZE.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@5254 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Exception to avoid unexpected aborting. [ruby-core:01853]
* lib/webrick/server.rb (GenericServer#start_thread): should check
that peeraddr isn't nil before printing.
* lib/webrick/httpresponse.rb (HTTPResponse#start_thread): should
rescue Exception to avoid unexpected aborting of thread.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@5098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpserver.rb (HTTPServer#run): should pass the
request's keep_alive flag to the response.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@5031 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
