"hack" was too short. The tests checks the error html, which includes
hostname. GitHub Actions hostname seems randomly generated, and it may
include the indicator string.
784896235
```
1) Failure:
WEBrick::TestHTTPResponse#test_prevent_response_splitting_cookie_headers_cr [/home/runner/work/ruby/ruby/src/test/webrick/test_httpresponse.rb:71]:
Expected /hack/ to not match "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\n<HTML>\n <HEAD><TITLE>Internal Server Error</TITLE></HEAD>\n <BODY>\n <H1>Internal Server Error</H1>\n WEBrick::HTTPResponse::InvalidHeader\n <HR>\n <ADDRESS>\n WEBrick/1.6.0 (Ruby/2.8.0/2020-06-18) at\n fv-az89.dddawhu1s14uzpjkiz5fhackre.cx.internal.cloudapp.net:80\n </ADDRESS>\n </BODY>\n</HTML>\n".
```
This change uses longer indicator "cracked_indicator_for_test" instead.
This is a follow up to d9d4a28f1c.
The commit prevented CRLR, but did not address an isolated CR or an
isolated LF.
Co-Authored-By: NARUSE, Yui <naruse@airemix.jp>
Remove extraneous spaces after the status code that is
non-compliant with RFC, i.e `HTTP 200 OK `, to unnecessary
confusion for WEBrick users, by a risk that WEBrick instances in
the wild will have server responses flagged as suspicious or
malicious due to a similar bug in [Cobalt Strike
misconfiguration].
Reported by Matt Tennis <mtennis@paloaltonetworks.com>
[Cobalt Strike misconfiguration]: https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
Prevents response splitting and HTML injection attacks in
poorly-written applications which blindly pass along user input
in redirects.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63964 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Original patch by tenderlove (with minor style adjustments).
* lib/webrick/httpresponse.rb (send_header): call check_header
(check_header): raise on embedded CRLF in header value
* test/webrick/test_httpresponse.rb
(test_prevent_response_splitting_headers): new test
* (test_prevent_response_splitting_cookie_headers): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62968 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/webrick/httpresponse.rb (send_body): call send_body_proc
(send_body_proc): new method
(class ChunkedWrapper): new class
* test/webrick/test_httpresponse.rb (test_send_body_proc): new test
(test_send_body_proc_chunked): ditto
[Feature #855]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60584 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
override the body more easily. [fix GH-1307]
* test/webrick/test_httpresponse.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54346 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
When you change this to true, you may need to add more tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53141 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
expectations assumes that the IOs are binmode. fixed test failures
introduced at r42427 on Windows.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
that responds to #readpartial and #read.
[ruby-trunk - Feature #8155]
* NEWS: NEWS for above
* test/webrick/test_httpresponse.rb: Tests for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42427 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
are allowed to have Keep-Alive connections.
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34024 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
are allowed to have a Keep-Alive connection. [ruby-core:41581]
* test/webrick/test_httpresponse.rb: corresponding test.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34023 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
