HEX
Server: Apache
System: Linux s198.coreserver.jp 5.15.0-151-generic #161-Ubuntu SMP Tue Jul 22 14:25:40 UTC 2025 x86_64
User: nagasaki (10062)
PHP: 7.1.33
Disabled: NONE
$ pwd: /usr/local/rvm/src/ruby-2.7.4/spec/ruby/security/
Upload Files
File: //usr/local/rvm/src/ruby-2.7.4/spec/ruby/security/cve_2017_17742_spec.rb
require_relative '../spec_helper'

require "webrick"
require "stringio"
require "net/http"

describe "WEBrick" do
  describe "resists CVE-2017-17742" do
    it "for a response splitting headers" do
      config = WEBrick::Config::HTTP
      res = WEBrick::HTTPResponse.new config
      res['X-header'] = "malicious\r\nCookie: hack"
      io = StringIO.new
      res.send_response io
      io.rewind
      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
      res.code.should == '500'
      io.string.should_not =~ /hack/
    end

    it "for a response splitting cookie headers" do
      user_input = "malicious\r\nCookie: hack"
      config = WEBrick::Config::HTTP
      res = WEBrick::HTTPResponse.new config
      res.cookies << WEBrick::Cookie.new('author', user_input)
      io = StringIO.new
      res.send_response io
      io.rewind
      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
      res.code.should == '500'
      io.string.should_not =~ /hack/
    end
  end
end
@ Telegram