webrick 1.3.1

data/test/webrick/test_cgi.rb

@@ -0,0 +1,134 @@
+require_relative "utils"
+require "webrick"
+require "test/unit"
+
+class TestWEBrickCGI < Test::Unit::TestCase
+  CRLF = "\r\n"
+
+  def start_cgi_server(&block)
+    config = {
+      :CGIInterpreter => TestWEBrick::RubyBin,
+      :DocumentRoot => File.dirname(__FILE__),
+      :DirectoryIndex => ["webrick.cgi"],
+      :RequestCallback => Proc.new{|req, res|
+        def req.meta_vars
+          meta = super
+          meta["RUBYLIB"] = $:.join(File::PATH_SEPARATOR)
+          meta[RbConfig::CONFIG['LIBPATHENV']] = ENV[RbConfig::CONFIG['LIBPATHENV']] if RbConfig::CONFIG['LIBPATHENV']
+          return meta
+        end
+      },
+    }
+    if RUBY_PLATFORM =~ /mswin32|mingw|cygwin|bccwin32/
+      config[:CGIPathEnv] = ENV['PATH'] # runtime dll may not be in system dir.
+    end
+    TestWEBrick.start_httpserver(config){|server, addr, port, log|
+      block.call(server, addr, port, log)
+    }
+  end
+
+  def test_cgi
+    start_cgi_server{|server, addr, port, log|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/webrick.cgi")
+      http.request(req){|res| assert_equal("/webrick.cgi", res.body, log.call)}
+      req = Net::HTTP::Get.new("/webrick.cgi/path/info")
+      http.request(req){|res| assert_equal("/path/info", res.body, log.call)}
+      req = Net::HTTP::Get.new("/webrick.cgi/%3F%3F%3F?foo=bar")
+      http.request(req){|res| assert_equal("/???", res.body, log.call)}
+      req = Net::HTTP::Get.new("/webrick.cgi/%A4%DB%A4%B2/%A4%DB%A4%B2")
+      http.request(req){|res|
+        assert_equal("/\xA4\xDB\xA4\xB2/\xA4\xDB\xA4\xB2", res.body, log.call)}
+      req = Net::HTTP::Get.new("/webrick.cgi?a=1;a=2;b=x")
+      http.request(req){|res| assert_equal("a=1, a=2, b=x", res.body, log.call)}
+      req = Net::HTTP::Get.new("/webrick.cgi?a=1&a=2&b=x")
+      http.request(req){|res| assert_equal("a=1, a=2, b=x", res.body, log.call)}
+
+      req = Net::HTTP::Post.new("/webrick.cgi?a=x;a=y;b=1")
+      req["Content-Type"] = "application/x-www-form-urlencoded"
+      http.request(req, "a=1;a=2;b=x"){|res|
+        assert_equal("a=1, a=2, b=x", res.body, log.call)}
+      req = Net::HTTP::Post.new("/webrick.cgi?a=x&a=y&b=1")
+      req["Content-Type"] = "application/x-www-form-urlencoded"
+      http.request(req, "a=1&a=2&b=x"){|res|
+        assert_equal("a=1, a=2, b=x", res.body, log.call)}
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        ary = res.body.lines.to_a
+        assert_match(%r{/$}, ary[0], log.call)
+        assert_match(%r{/webrick.cgi$}, ary[1], log.call)
+      }
+
+      req = Net::HTTP::Get.new("/webrick.cgi")
+      req["Cookie"] = "CUSTOMER=WILE_E_COYOTE; PART_NUMBER=ROCKET_LAUNCHER_0001"
+      http.request(req){|res|
+        assert_equal(
+          "CUSTOMER=WILE_E_COYOTE\nPART_NUMBER=ROCKET_LAUNCHER_0001\n",
+          res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/webrick.cgi")
+      cookie =  %{$Version="1"; }
+      cookie << %{Customer="WILE_E_COYOTE"; $Path="/acme"; }
+      cookie << %{Part_Number="Rocket_Launcher_0001"; $Path="/acme"; }
+      cookie << %{Shipping="FedEx"; $Path="/acme"}
+      req["Cookie"] = cookie
+      http.request(req){|res|
+        assert_equal("Customer=WILE_E_COYOTE, Shipping=FedEx",
+                     res["Set-Cookie"], log.call)
+        assert_equal("Customer=WILE_E_COYOTE\n" +
+                     "Part_Number=Rocket_Launcher_0001\n" +
+                     "Shipping=FedEx\n", res.body, log.call)
+      }
+    }
+  end
+
+  def test_bad_request
+    start_cgi_server{|server, addr, port, log|
+      sock = TCPSocket.new(addr, port)
+      begin
+        sock << "POST /webrick.cgi HTTP/1.0" << CRLF
+        sock << "Content-Type: application/x-www-form-urlencoded" << CRLF
+        sock << "Content-Length: 1024" << CRLF
+        sock << CRLF
+        sock << "a=1&a=2&b=x"
+        sock.close_write
+        assert_match(%r{\AHTTP/\d.\d 400 Bad Request}, sock.read, log.call)
+      ensure
+        sock.close
+      end
+    }
+  end
+
+  CtrlSeq = [0x7f, *(1..31)].pack("C*").gsub(/\s+/, '')
+  CtrlPat = /#{Regexp.quote(CtrlSeq)}/o
+  DumpPat = /#{Regexp.quote(CtrlSeq.dump[1...-1])}/o
+
+  def test_bad_uri
+    start_cgi_server{|server, addr, port, log|
+      res = TCPSocket.open(addr, port) {|sock|
+        sock << "GET /#{CtrlSeq}#{CRLF}#{CRLF}"
+        sock.close_write
+        sock.read
+      }
+      assert_match(%r{\AHTTP/\d.\d 400 Bad Request}, res)
+      s = log.call.each_line.grep(/ERROR bad URI/)[0]
+      assert_match(DumpPat, s)
+      assert_not_match(CtrlPat, s)
+    }
+  end
+
+  def test_bad_header
+    start_cgi_server{|server, addr, port, log|
+      res = TCPSocket.open(addr, port) {|sock|
+        sock << "GET / HTTP/1.0#{CRLF}#{CtrlSeq}#{CRLF}#{CRLF}"
+        sock.close_write
+        sock.read
+      }
+      assert_match(%r{\AHTTP/\d.\d 400 Bad Request}, res)
+      s = log.call.each_line.grep(/ERROR bad header/)[0]
+      assert_match(DumpPat, s)
+      assert_not_match(CtrlPat, s)
+    }
+  end
+end

data/test/webrick/test_cookie.rb

@@ -0,0 +1,131 @@
+require "test/unit"
+require "webrick/cookie"
+
+class TestWEBrickCookie < Test::Unit::TestCase
+  def test_new
+    cookie = WEBrick::Cookie.new("foo","bar")
+    assert_equal("foo", cookie.name)
+    assert_equal("bar", cookie.value)
+    assert_equal("foo=bar", cookie.to_s)
+  end
+
+  def test_time
+    cookie = WEBrick::Cookie.new("foo","bar")
+    t = 1000000000
+    cookie.max_age = t
+    assert_match(t.to_s, cookie.to_s)
+
+    cookie = WEBrick::Cookie.new("foo","bar")
+    t = Time.at(1000000000)
+    cookie.expires = t
+    assert_equal(Time, cookie.expires.class)
+    assert_equal(t, cookie.expires)
+    ts = t.httpdate
+    cookie.expires = ts
+    assert_equal(Time, cookie.expires.class)
+    assert_equal(t, cookie.expires)
+    assert_match(ts, cookie.to_s)
+  end
+
+  def test_parse
+    data = ""
+    data << '$Version="1"; '
+    data << 'Customer="WILE_E_COYOTE"; $Path="/acme"; '
+    data << 'Part_Number="Rocket_Launcher_0001"; $Path="/acme"; '
+    data << 'Shipping="FedEx"; $Path="/acme"'
+    cookies = WEBrick::Cookie.parse(data)
+    assert_equal(3, cookies.size)
+    assert_equal(1, cookies[0].version)
+    assert_equal("Customer", cookies[0].name)
+    assert_equal("WILE_E_COYOTE", cookies[0].value)
+    assert_equal("/acme", cookies[0].path)
+    assert_equal(1, cookies[1].version)
+    assert_equal("Part_Number", cookies[1].name)
+    assert_equal("Rocket_Launcher_0001", cookies[1].value)
+    assert_equal(1, cookies[2].version)
+    assert_equal("Shipping", cookies[2].name)
+    assert_equal("FedEx", cookies[2].value)
+
+    data = "hoge=moge; __div__session=9865ecfd514be7f7"
+    cookies = WEBrick::Cookie.parse(data)
+    assert_equal(0, cookies[0].version)
+    assert_equal("hoge", cookies[0].name)
+    assert_equal("moge", cookies[0].value)
+    assert_equal("__div__session", cookies[1].name)
+    assert_equal("9865ecfd514be7f7", cookies[1].value)
+  end
+
+  def test_parse_no_whitespace
+    data = [
+      '$Version="1"; ',
+      'Customer="WILE_E_COYOTE";$Path="/acme";', # no SP between cookie-string
+      'Part_Number="Rocket_Launcher_0001";$Path="/acme";', # no SP between cookie-string
+      'Shipping="FedEx";$Path="/acme"'
+    ].join
+    cookies = WEBrick::Cookie.parse(data)
+    assert_equal(1, cookies.size)
+  end
+
+  def test_parse_too_much_whitespaces
+    # According to RFC6265,
+    #   cookie-string = cookie-pair *( ";" SP cookie-pair )
+    # So single 0x20 is needed after ';'. We allow multiple spaces here for
+    # compatibility with older WEBrick versions.
+    data = [
+      '$Version="1"; ',
+      'Customer="WILE_E_COYOTE";$Path="/acme";     ', # no SP between cookie-string
+      'Part_Number="Rocket_Launcher_0001";$Path="/acme";     ', # no SP between cookie-string
+      'Shipping="FedEx";$Path="/acme"'
+    ].join
+    cookies = WEBrick::Cookie.parse(data)
+    assert_equal(3, cookies.size)
+  end
+
+  def test_parse_set_cookie
+    data = %(Customer="WILE_E_COYOTE"; Version="1"; Path="/acme")
+    cookie = WEBrick::Cookie.parse_set_cookie(data)
+    assert_equal("Customer", cookie.name)
+    assert_equal("WILE_E_COYOTE", cookie.value)
+    assert_equal(1, cookie.version)
+    assert_equal("/acme", cookie.path)
+
+    data = %(Shipping="FedEx"; Version="1"; Path="/acme"; Secure)
+    cookie = WEBrick::Cookie.parse_set_cookie(data)
+    assert_equal("Shipping", cookie.name)
+    assert_equal("FedEx", cookie.value)
+    assert_equal(1, cookie.version)
+    assert_equal("/acme", cookie.path)
+    assert_equal(true, cookie.secure)
+  end
+
+  def test_parse_set_cookies
+    data = %(Shipping="FedEx"; Version="1"; Path="/acme"; Secure)
+    data << %(, CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT; path=/; Secure)
+    data << %(, name="Aaron"; Version="1"; path="/acme")
+    cookies = WEBrick::Cookie.parse_set_cookies(data)
+    assert_equal(3, cookies.length)
+
+    fed_ex = cookies.find { |c| c.name == 'Shipping' }
+    assert_not_nil(fed_ex)
+    assert_equal("Shipping", fed_ex.name)
+    assert_equal("FedEx", fed_ex.value)
+    assert_equal(1, fed_ex.version)
+    assert_equal("/acme", fed_ex.path)
+    assert_equal(true, fed_ex.secure)
+
+    name = cookies.find { |c| c.name == 'name' }
+    assert_not_nil(name)
+    assert_equal("name", name.name)
+    assert_equal("Aaron", name.value)
+    assert_equal(1, name.version)
+    assert_equal("/acme", name.path)
+
+    customer = cookies.find { |c| c.name == 'CUSTOMER' }
+    assert_not_nil(customer)
+    assert_equal("CUSTOMER", customer.name)
+    assert_equal("WILE_E_COYOTE", customer.value)
+    assert_equal(0, customer.version)
+    assert_equal("/", customer.path)
+    assert_equal(Time.utc(1999, 11, 9, 23, 12, 40), customer.expires)
+  end
+end

data/test/webrick/test_filehandler.rb

@@ -0,0 +1,285 @@
+require "test/unit"
+require_relative "utils.rb"
+require "webrick"
+require "stringio"
+
+class WEBrick::TestFileHandler < Test::Unit::TestCase
+  def default_file_handler(filename)
+    klass = WEBrick::HTTPServlet::DefaultFileHandler
+    klass.new(WEBrick::Config::HTTP, filename)
+  end
+
+  def windows?
+    File.directory?("\\")
+  end
+
+  def get_res_body(res)
+    if defined? res.body.read
+      res.body.read
+    else
+      res.body
+    end
+  end
+
+  def make_range_request(range_spec)
+    msg = <<-END_OF_REQUEST
+      GET / HTTP/1.0
+      Range: #{range_spec}
+
+    END_OF_REQUEST
+    return StringIO.new(msg.gsub(/^ {6}/, ""))
+  end
+
+  def make_range_response(file, range_spec)
+    req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+    req.parse(make_range_request(range_spec))
+    res = WEBrick::HTTPResponse.new(WEBrick::Config::HTTP)
+    size = File.size(file)
+    handler = default_file_handler(file)
+    handler.make_partial_content(req, res, file, size)
+    return res
+  end
+
+  def test_make_partial_content
+    filename = __FILE__
+    filesize = File.size(filename)
+
+    res = make_range_response(filename, "bytes=#{filesize-100}-")
+    assert_match(%r{^text/plain}, res["content-type"])
+    assert_equal(get_res_body(res).size, 100)
+
+    res = make_range_response(filename, "bytes=-100")
+    assert_match(%r{^text/plain}, res["content-type"])
+    assert_equal(get_res_body(res).size, 100)
+
+    res = make_range_response(filename, "bytes=0-99")
+    assert_match(%r{^text/plain}, res["content-type"])
+    assert_equal(get_res_body(res).size, 100)
+
+    res = make_range_response(filename, "bytes=100-199")
+    assert_match(%r{^text/plain}, res["content-type"])
+    assert_equal(get_res_body(res).size, 100)
+
+    res = make_range_response(filename, "bytes=0-0")
+    assert_match(%r{^text/plain}, res["content-type"])
+    assert_equal(get_res_body(res).size, 1)
+
+    res = make_range_response(filename, "bytes=-1")
+    assert_match(%r{^text/plain}, res["content-type"])
+    assert_equal(get_res_body(res).size, 1)
+
+    res = make_range_response(filename, "bytes=0-0, -2")
+    assert_match(%r{^multipart/byteranges}, res["content-type"])
+  end
+
+  def test_filehandler
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    filesize = File.size(__FILE__)
+    this_data = File.open(__FILE__, "rb") {|f| f.read}
+    range = nil
+    bug2593 = '[ruby-dev:40030]'
+
+    TestWEBrick.start_httpserver(config) do |server, addr, port, log|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code, log.call)
+        assert_equal("text/html", res.content_type, log.call)
+        assert_match(/HREF="#{this_file}"/, res.body, log.call)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("200", res.code, log.call)
+        assert_equal("text/plain", res.content_type, log.call)
+        assert_equal(File.read(__FILE__), res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/#{this_file}", "range"=>"bytes=#{filesize-100}-")
+      http.request(req){|res|
+        assert_equal("206", res.code, log.call)
+        assert_equal("text/plain", res.content_type, log.call)
+        assert_nothing_raised(bug2593) {range = res.content_range}
+        assert_equal((filesize-100)..(filesize-1), range, log.call)
+        assert_equal(this_data[-100..-1], res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/#{this_file}", "range"=>"bytes=-100")
+      http.request(req){|res|
+        assert_equal("206", res.code, log.call)
+        assert_equal("text/plain", res.content_type, log.call)
+        assert_nothing_raised(bug2593) {range = res.content_range}
+        assert_equal((filesize-100)..(filesize-1), range, log.call)
+        assert_equal(this_data[-100..-1], res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/#{this_file}", "range"=>"bytes=0-99")
+      http.request(req){|res|
+        assert_equal("206", res.code, log.call)
+        assert_equal("text/plain", res.content_type, log.call)
+        assert_nothing_raised(bug2593) {range = res.content_range}
+        assert_equal(0..99, range, log.call)
+        assert_equal(this_data[0..99], res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/#{this_file}", "range"=>"bytes=100-199")
+      http.request(req){|res|
+        assert_equal("206", res.code, log.call)
+        assert_equal("text/plain", res.content_type, log.call)
+        assert_nothing_raised(bug2593) {range = res.content_range}
+        assert_equal(100..199, range, log.call)
+        assert_equal(this_data[100..199], res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/#{this_file}", "range"=>"bytes=0-0")
+      http.request(req){|res|
+        assert_equal("206", res.code, log.call)
+        assert_equal("text/plain", res.content_type, log.call)
+        assert_nothing_raised(bug2593) {range = res.content_range}
+        assert_equal(0..0, range, log.call)
+        assert_equal(this_data[0..0], res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/#{this_file}", "range"=>"bytes=-1")
+      http.request(req){|res|
+        assert_equal("206", res.code, log.call)
+        assert_equal("text/plain", res.content_type, log.call)
+        assert_nothing_raised(bug2593) {range = res.content_range}
+        assert_equal((filesize-1)..(filesize-1), range, log.call)
+        assert_equal(this_data[-1, 1], res.body, log.call)
+      }
+
+      req = Net::HTTP::Get.new("/#{this_file}", "range"=>"bytes=0-0, -2")
+      http.request(req){|res|
+        assert_equal("206", res.code, log.call)
+        assert_equal("multipart/byteranges", res.content_type, log.call)
+      }
+
+    end
+  end
+
+  def test_non_disclosure_name
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port, log|
+      http = Net::HTTP.new(addr, port)
+      doc_root_opts = server[:DocumentRootOptions]
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code, log.call)
+        assert_equal("text/html", res.content_type, log.call)
+        assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("404", res.code, log.call)
+      }
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*)
+      http.request(req){|res|
+        assert_equal("404", res.code, log.call)
+      }
+    end
+  end
+
+  def test_directory_traversal
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port, log|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/../../")
+      http.request(req){|res| assert_equal("400", res.code, log.call) }
+      req = Net::HTTP::Get.new("/..%5c../#{File.basename(__FILE__)}")
+      http.request(req){|res| assert_equal(windows? ? "200" : "404", res.code, log.call) }
+      req = Net::HTTP::Get.new("/..%5c..%5cruby.c")
+      http.request(req){|res| assert_equal("404", res.code, log.call) }
+    end
+  end
+
+  def test_unwise_in_path
+    if windows?
+      config = { :DocumentRoot => File.dirname(__FILE__), }
+      this_file = File.basename(__FILE__)
+      TestWEBrick.start_httpserver(config) do |server, addr, port, log|
+        http = Net::HTTP.new(addr, port)
+        req = Net::HTTP::Get.new("/..%5c..")
+        http.request(req){|res| assert_equal("301", res.code, log.call) }
+      end
+    end
+  end
+
+  def test_short_filename
+    config = {
+      :CGIInterpreter => TestWEBrick::RubyBin,
+      :DocumentRoot => File.dirname(__FILE__),
+      :CGIPathEnv => ENV['PATH'],
+    }
+    TestWEBrick.start_httpserver(config) do |server, addr, port, log|
+      http = Net::HTTP.new(addr, port)
+      if windows?
+        fname = nil
+        Dir.chdir(config[:DocumentRoot]) do
+          fname = IO.popen("dir /x webrick_long_filename.cgi", "r").read.match(/\s(w.+?cgi)\s/i)[1].downcase
+        end
+      else
+        fname = "webric~1.cgi"
+      end
+      req = Net::HTTP::Get.new("/#{fname}/test")
+      http.request(req) do |res|
+        if windows?
+          assert_equal("200", res.code, log.call)
+          assert_equal("/test", res.body, log.call)
+        else
+          assert_equal("404", res.code, log.call)
+        end
+      end
+
+      req = Net::HTTP::Get.new("/.htaccess")
+      http.request(req) {|res| assert_equal("404", res.code, log.call) }
+      req = Net::HTTP::Get.new("/htacce~1")
+      http.request(req) {|res| assert_equal("404", res.code, log.call) }
+      req = Net::HTTP::Get.new("/HTACCE~1")
+      http.request(req) {|res| assert_equal("404", res.code, log.call) }
+    end
+  end
+
+  def test_script_disclosure
+    config = {
+      :CGIInterpreter => TestWEBrick::RubyBin,
+      :DocumentRoot => File.dirname(__FILE__),
+      :CGIPathEnv => ENV['PATH'],
+      :RequestCallback => Proc.new{|req, res|
+        def req.meta_vars
+          meta = super
+          meta["RUBYLIB"] = $:.join(File::PATH_SEPARATOR)
+          meta[RbConfig::CONFIG['LIBPATHENV']] = ENV[RbConfig::CONFIG['LIBPATHENV']] if RbConfig::CONFIG['LIBPATHENV']
+          return meta
+        end
+      },
+    }
+    TestWEBrick.start_httpserver(config) do |server, addr, port, log|
+      http = Net::HTTP.new(addr, port)
+
+      req = Net::HTTP::Get.new("/webrick.cgi/test")
+      http.request(req) do |res|
+        assert_equal("200", res.code, log.call)
+        assert_equal("/test", res.body, log.call)
+      end
+
+      response_assertion = Proc.new do |res|
+        if windows?
+          assert_equal("200", res.code, log.call)
+          assert_equal("/test", res.body, log.call)
+        else
+          assert_equal("404", res.code, log.call)
+        end
+      end
+      req = Net::HTTP::Get.new("/webrick.cgi%20/test")
+      http.request(req, &response_assertion)
+      req = Net::HTTP::Get.new("/webrick.cgi./test")
+      http.request(req, &response_assertion)
+      req = Net::HTTP::Get.new("/webrick.cgi::$DATA/test")
+      http.request(req, &response_assertion)
+    end
+  end
+end