cgi_multipart_eof_fix 2.0.1

data/README.txt

@@ -0,0 +1,43 @@
+
+DESCRIPTION
+
+Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5
+when multipart boundary attribute contains a non-halting regular expression
+string. The boundary searcher in the CGI module does not properly escape 
+the user-supplied parameter and will execute arbitrary regular expressions. 
+The fix adds escaping for the user data.
+
+This is fix is cumulative with previous CGI multipart vulnerability fixes; see
+version 1.0.0 of the gem by Zed Shaw.
+
+SCOPE
+
+Affected: standalone CGI, Mongrel, WEBrick
+Unaffected: FastCGI
+Unknown: mod_ruby
+
+USAGE
+
+Install the hotfix gem and  run the included test to verify the flaw is 
+corrected. You must require the gem in every affected application, as follows:
+
+  require 'rubygems' 
+  require 'cgi_multipart_eof_fix'
+
+If you only use mongrel_rails for application hosting, you may install mongrel 
+like so:
+
+  sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases
+  
+Then mongrel will require the fix for you, provided you have installed version 2.0.0
+of this gem. This is a hack, and mongrel may change in the future.
+
+RESOURCES
+
+http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
+http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix
+    
+LICENSE
+
+Licensed under the same license as Ruby itself. Software contains the work of others.
+

data/Rakefile

@@ -0,0 +1,53 @@
+require 'rubygems'
+require 'rake'
+
+NAME = "cgi_multipart_eof_fix"
+
+begin
+  require 'rake/clean'
+  require 'echoe'
+  require 'fileutils'
+
+  AUTHOR = "Evan Weaver"
+  EMAIL = "evan at cloudbur dot st"
+  DESCRIPTION = "Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string."
+  RUBYFORGE_NAME = "fauna"
+  GEM_NAME = "cgi_multipart_eof_fix" 
+  HOMEPATH = "http://blog.evanweaver.com"
+  RELEASE_TYPES = ["gem"]
+  REV = nil
+  VERS = "2.0.1"
+  CLEAN.include ['**/.*.sw?', '*.gem', '.config']
+  RDOC_OPTS = ['--quiet', '--title', "cgi_multipart_eof_fix documentation",
+      "--opname", "index.html",
+      "--line-numbers", 
+      "--main", "README",
+      "--inline-source"]
+  
+  include FileUtils
+  require File.join(File.dirname(__FILE__), 'lib', 'cgi_multipart_eof_fix')
+    
+  echoe = Echoe.new(GEM_NAME, VERS) do |p|
+    p.author = AUTHOR 
+    p.rubyforge_name = RUBYFORGE_NAME
+    p.name = NAME
+    p.description = DESCRIPTION
+    p.email = EMAIL
+    p.summary = DESCRIPTION
+    p.url = HOMEPATH
+    p.test_globs = ["*_test.rb"]
+    p.clean_globs = CLEAN  
+  end
+            
+rescue LoadError => boom
+  puts "You are missing a dependency required for meta-operations on this gem."
+  puts "#{boom.to_s.capitalize}."
+  
+  desc 'Run the default tasks'
+  task :default => :test
+  
+  desc 'Run the test suite.'
+  task :test do
+     system "ruby -Ibin:lib:test #{NAME}_test.rb"
+  end
+end

data/cgi_multipart_eof_fix_test.rb

@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+require 'cgi'
+require 'stringio'
+require 'timeout'
+
+def test_read_multipart_eof_fix
+  boundary = '%?%(\w*)\\((\w*)\\)'
+  data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"a_field\"\r\n\r\nBang!\r\n--#{boundary}--\r\n"
+
+  ENV['REQUEST_METHOD'] = "POST"
+  ENV['CONTENT_TYPE']   = "multipart/form-data; boundary=\"#{boundary}\""
+  ENV['CONTENT_LENGTH'] = data.length.to_s
+
+  $stdin = StringIO.new(data)
+
+  begin
+    Timeout.timeout(3) { CGI.new }
+    $stderr.puts ' => CGI is safe: read_multipart does not hang on malicious multipart requests.'
+  rescue TimeoutError
+    $stderr.puts ' => CGI is exploitable: read_multipart hangs on malicious multipart requests.'
+  end
+end
+
+$stderr.puts 'Testing malicious multipart boundary request injection'
+test_read_multipart_eof_fix
+
+$stderr.puts 'Patching CGI::QueryExtension.read_multipart'
+require 'rubygems'
+require 'cgi_multipart_eof_fix'
+
+test_read_multipart_eof_fix

data/lib/cgi_multipart_eof_fix.rb

@@ -0,0 +1,112 @@
+require 'cgi'
+
+class CGI
+  module QueryExtension
+    def read_multipart(boundary, content_length)
+      params = Hash.new([])
+      boundary = "--" + boundary
+      quoted_boundary = Regexp.quote(boundary, "n")
+      buf = ""
+      bufsize = 10 * 1024
+      boundary_end=""
+
+      # start multipart/form-data
+      stdinput.binmode if defined? stdinput.binmode
+      boundary_size = boundary.size + EOL.size
+      content_length -= boundary_size
+      status = stdinput.read(boundary_size)
+      if nil == status
+        raise EOFError, "no content body"
+      elsif boundary + EOL != status
+        raise EOFError, "bad content body #{status.inspect} expected, got #{(boundary + EOL).inspect}"
+      end
+
+      loop do
+        head = nil
+        if 10240 < content_length
+          require "tempfile"
+          body = Tempfile.new("CGI")
+        else
+          begin
+            require "stringio"
+            body = StringIO.new
+          rescue LoadError
+            require "tempfile"
+            body = Tempfile.new("CGI")
+          end
+        end
+        body.binmode if defined? body.binmode
+
+        until head and /#{quoted_boundary}(?:#{EOL}|--)/n.match(buf)
+
+          if (not head) and /#{EOL}#{EOL}/n.match(buf)
+            buf = buf.sub(/\A((?:.|\n)*?#{EOL})#{EOL}/n) do
+              head = $1.dup
+              ""
+            end
+            next
+          end
+
+          if head and ( (EOL + boundary + EOL).size < buf.size )
+            body.print buf[0 ... (buf.size - (EOL + boundary + EOL).size)]
+            buf[0 ... (buf.size - (EOL + boundary + EOL).size)] = ""
+          end
+
+          c = if bufsize < content_length
+                stdinput.read(bufsize)
+              else
+                stdinput.read(content_length)
+              end
+          if c.nil? || c.empty?
+            raise EOFError, "bad content body"
+          end
+          buf.concat(c)
+          content_length -= c.size
+        end
+
+        buf = buf.sub(/\A((?:.|\n)*?)(?:[\r\n]{1,2})?#{quoted_boundary}([\r\n]{1,2}|--)/n) do
+          body.print $1
+          if "--" == $2
+            content_length = -1
+          end
+         boundary_end = $2.dup
+          ""
+        end
+
+        body.rewind
+
+        /Content-Disposition:.* filename="?([^\";]*)"?/ni.match(head)
+	filename = ($1 or "")
+	if /Mac/ni.match(env_table['HTTP_USER_AGENT']) and
+	    /Mozilla/ni.match(env_table['HTTP_USER_AGENT']) and
+	    (not /MSIE/ni.match(env_table['HTTP_USER_AGENT']))
+	  filename = CGI::unescape(filename)
+	end
+        
+        /Content-Type: (.*)/ni.match(head)
+        content_type = ($1 or "")
+
+        (class << body; self; end).class_eval do
+          alias local_path path
+          define_method(:original_filename) {filename.dup.taint}
+          define_method(:content_type) {content_type.dup.taint}
+        end
+
+        /Content-Disposition:.* name="?([^\";]*)"?/ni.match(head)
+        name = $1.dup
+
+        if params.has_key?(name)
+          params[name].push(body)
+        else
+          params[name] = [body]
+        end
+        break if buf.size == 0
+        break if content_length === -1
+      end
+      raise EOFError, "bad boundary end of body part" unless boundary_end=~/--/
+
+      params
+    end # read_multipart
+    private :read_multipart
+  end
+end

metadata

@@ -0,0 +1,49 @@
+--- !ruby/object:Gem::Specification 
+rubygems_version: 0.9.0.9
+specification_version: 1
+name: cgi_multipart_eof_fix
+version: !ruby/object:Gem::Version 
+  version: 2.0.1
+date: 2007-01-10 00:00:00 -05:00
+summary: Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string.
+require_paths: 
+- lib
+email: evan at cloudbur dot st
+homepage: http://blog.evanweaver.com
+rubyforge_project: fauna
+description: Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5 when multipart boundary attribute contains a non-halting regular expression string.
+autorequire: 
+default_executable: 
+bindir: bin
+has_rdoc: true
+required_ruby_version: !ruby/object:Gem::Version::Requirement 
+  requirements: 
+  - - ">"
+    - !ruby/object:Gem::Version 
+      version: 0.0.0
+  version: 
+platform: ruby
+signing_key: 
+cert_chain: 
+post_install_message: 
+authors: 
+- Evan Weaver
+files: 
+- README.txt
+- Rakefile
+- lib/cgi_multipart_eof_fix.rb
+- cgi_multipart_eof_fix_test.rb
+test_files: 
+- cgi_multipart_eof_fix_test.rb
+rdoc_options: []
+
+extra_rdoc_files: []
+
+executables: []
+
+extensions: []
+
+requirements: []
+
+dependencies: []
+