webrick 1.8.1 → 1.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a401983074ecea6a30f8227ed888b735b3cdceadde14a7030b391cc45f948c2c
-  data.tar.gz: d40f18576cb9c335439796b1cdd92c7faf515ef944deb53c517fdf8c8390a79a
+  metadata.gz: d133a0575bc3ed8393d991def2829498130eac921b9485e47d00a6259ec00fe6
+  data.tar.gz: 2e8da0c038c346abc67b325c41408199eb6475ee7fad9a155c67330ca15c5aed
 SHA512:
-  metadata.gz: 1e5edb6d6798b75aafd9d16787f910e7a4beaf5cb7762af1c9f5add5725b037547bd875e9df8bc1f9ca18bcd3fa5839d25a566891f64cd55b9f145e8735e02b2
-  data.tar.gz: 7d3ffd0d2db521ca3ee6cdb3d8a7e448037d9694ceae62737b71d887e8089902ee71a2b334970dabad2767085b771c315a968993f6df83429f8f957d40ae72a8
+  metadata.gz: c5f68a58deca28be7dbde1b557a17a16f9d69c244c567830b89b22c26689db8b28e6a69097e6f47fc3d50d9caea69c691ead0468ef13777081aaf03e0d7c46f2
+  data.tar.gz: b9c35a51cf9d662d2151dd40d79c2cceebe5404fe5e8464cd666eff3127729a7225b728e78f59bfc08ea545b4de1046dad1c08a65e1e2fd402e91a0c53a264e6

data/Gemfile

@@ -4,3 +4,7 @@ gemspec
 
 gem "rake"
 gem "test-unit"
+gem "test-unit-ruby-core"
+
+# rbs requires ruby 3.0+
+gem "rbs", require: false if !RUBY_VERSION.start_with?('2.')

data/README.md

@@ -10,6 +10,8 @@ A WEBrick server can be composed of multiple WEBrick servers or servlets to prov
 
 WEBrick also includes tools for daemonizing a process and starting a process at a higher privilege level and dropping permissions.
 
+WEBrick is suitable for use in testing and for development.  However, while the developers of WEBrick will attempt to fix security issues, they do not encourage the use of WEBrick to serve production web applications that may be subject to hostile input.
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/Rakefile

@@ -7,11 +7,4 @@ Rake::TestTask.new(:test) do |t|
   t.test_files = FileList["test/**/test_*.rb"]
 end
 
-task :sync_tool do
-  require 'fileutils'
-  FileUtils.cp "../ruby/tool/lib/core_assertions.rb", "./test/lib"
-  FileUtils.cp "../ruby/tool/lib/envutil.rb", "./test/lib"
-  FileUtils.cp "../ruby/tool/lib/find_executable.rb", "./test/lib"
-end
-
 task :default => :test

data/lib/webrick/cgi.rb

@@ -160,7 +160,7 @@ module WEBrick
         __send__(method_name, req, res)
       else
         raise HTTPStatus::MethodNotAllowed,
-              "unsupported method `#{req.request_method}'."
+              "unsupported method '#{req.request_method}'."
       end
     end
 

data/lib/webrick/httpauth/authenticator.rb

@@ -108,10 +108,10 @@ module WEBrick
     # authentication schemes for proxies.
 
     module ProxyAuthenticator
-      RequestField  = "Proxy-Authorization" # :nodoc:
-      ResponseField = "Proxy-Authenticate" # :nodoc:
-      InfoField     = "Proxy-Authentication-Info" # :nodoc:
-      AuthException = HTTPStatus::ProxyAuthenticationRequired # :nodoc:
+      RequestField      = "Proxy-Authorization" # :nodoc:
+      ResponseField     = "Proxy-Authenticate" # :nodoc:
+      ResponseInfoField = "Proxy-Authentication-Info" # :nodoc:
+      AuthException     = HTTPStatus::ProxyAuthenticationRequired # :nodoc:
     end
   end
 end

data/lib/webrick/httpauth/htgroup.rb

@@ -49,7 +49,7 @@ module WEBrick
           File.open(@path){|io|
             while line = io.gets
               line.chomp!
-              group, members = line.split(/:\s*/)
+              group, members = line.split(/:\s*/, 2)
               @group[group] = members.split(/\s+/)
             end
           }

data/lib/webrick/httpauth/htpasswd.rb

@@ -77,12 +77,12 @@ module WEBrick
                 if @password_hash == :bcrypt
                   raise StandardError, ".htpasswd file contains crypt password, only bcrypt passwords supported"
                 end
-                user, pass = line.split(":")
+                user, pass = line.split(":", 2)
               when %r!\A[^:]+:\$2[aby]\$\d{2}\$.{53}\z!
                 if @password_hash == :crypt
                   raise StandardError, ".htpasswd file contains bcrypt password, only crypt passwords supported"
                 end
-                user, pass = line.split(":")
+                user, pass = line.split(":", 2)
               when /:\$/, /:{SHA}/
                 raise NotImplementedError,
                       'MD5, SHA1 .htpasswd file not supported'

data/lib/webrick/httpproxy.rb

@@ -118,7 +118,7 @@ module WEBrick
         public_send("do_#{req.request_method}", req, res)
       rescue NoMethodError
         raise HTTPStatus::MethodNotAllowed,
-          "unsupported method `#{req.request_method}'."
+          "unsupported method '#{req.request_method}'."
       rescue => err
         logger.debug("#{err.class}: #{err.message}")
         raise HTTPStatus::ServiceUnavailable, err.message
@@ -149,7 +149,7 @@ module WEBrick
       end
 
       begin
-        @logger.debug("CONNECT: upstream proxy is `#{host}:#{port}'.")
+        @logger.debug("CONNECT: upstream proxy is '#{host}:#{port}'.")
         os = TCPSocket.new(host, port)     # origin server
 
         if proxy
@@ -175,7 +175,7 @@ module WEBrick
         @logger.debug("CONNECT #{host}:#{port}: succeeded")
         res.status = HTTPStatus::RC_OK
       rescue => ex
-        @logger.debug("CONNECT #{host}:#{port}: failed `#{ex.message}'")
+        @logger.debug("CONNECT #{host}:#{port}: failed '#{ex.message}'")
         res.set_error(ex)
         raise HTTPStatus::EOFError
       ensure
@@ -241,7 +241,7 @@ module WEBrick
         if HopByHop.member?(key)          || # RFC2616: 13.5.1
            connections.member?(key)       || # RFC2616: 14.10
            ShouldNotTransfer.member?(key)    # pragmatics
-          @logger.debug("choose_header: `#{key}: #{value}'")
+          @logger.debug("choose_header: '#{key}: #{value}'")
           next
         end
         dst[key] = value

data/lib/webrick/httprequest.rb

@@ -162,7 +162,6 @@ module WEBrick
       @script_name = @path_info = nil
       @query_string = nil
       @query = nil
-      @form_data = nil
 
       @raw_header = Array.new
       @header = nil
@@ -173,7 +172,8 @@ module WEBrick
       @accept_language = []
       @body = +""
 
-      @addr = @peeraddr = nil
+      @addr = []
+      @peeraddr = []
       @attributes = {}
       @user = nil
       @keep_alive = false
@@ -224,7 +224,7 @@ module WEBrick
         @script_name = ""
         @path_info = @path.dup
       rescue
-        raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
+        raise HTTPStatus::BadRequest, "bad URI '#{@unparsed_uri}'."
       end
 
       if /\Aclose\z/io =~ self["connection"]
@@ -318,7 +318,7 @@ module WEBrick
     def [](header_name)
       if @header
         value = @header[header_name.downcase]
-        value.empty? ? nil : value.join(", ")
+        value.empty? ? nil : value.join
       end
     end
 
@@ -329,7 +329,7 @@ module WEBrick
       if @header
         @header.each{|k, v|
           value = @header[k]
-          yield(k, value.empty? ? nil : value.join(", "))
+          yield(k, value.empty? ? nil : value.join)
         }
       end
     end
@@ -402,7 +402,7 @@ module WEBrick
     # This method provides the metavariables defined by the revision 3
     # of "The WWW Common Gateway Interface Version 1.1"
     # To browse the current document of CGI Version 1.1, see below:
-    # http://tools.ietf.org/html/rfc3875
+    # https://www.rfc-editor.org/rfc/rfc3875
 
     def meta_vars
       meta = Hash.new
@@ -458,27 +458,46 @@ module WEBrick
       end
 
       @request_time = Time.now
-      if /^(\S+)\s+(\S++)(?:\s+HTTP\/(\d+\.\d+))?\r?\n/mo =~ @request_line
+      if /^(\S+) (\S++)(?: HTTP\/(\d+\.\d+))?\r\n/mo =~ @request_line
         @request_method = $1
         @unparsed_uri   = $2
         @http_version   = HTTPVersion.new($3 ? $3 : "0.9")
       else
         rl = @request_line.sub(/\x0d?\x0a\z/o, '')
-        raise HTTPStatus::BadRequest, "bad Request-Line `#{rl}'."
+        raise HTTPStatus::BadRequest, "bad Request-Line '#{rl}'."
       end
     end
 
     def read_header(socket)
       if socket
+        end_of_headers = false
+
         while line = read_line(socket)
-          break if /\A(#{CRLF}|#{LF})\z/om =~ line
+          if line == CRLF
+            end_of_headers = true
+            break
+          end
           if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH
             raise HTTPStatus::RequestEntityTooLarge, 'headers too large'
           end
+          if line.include?("\x00")
+            raise HTTPStatus::BadRequest, 'null byte in header'
+          end
           @raw_header << line
         end
+
+        # Allow if @header already set to support chunked trailers
+        raise HTTPStatus::EOFError unless end_of_headers || @header
       end
       @header = HTTPUtils::parse_header(@raw_header.join)
+
+      if (content_length = @header['content-length']) && content_length.length != 0
+        if content_length.length > 1
+          raise HTTPStatus::BadRequest, "multiple content-length request headers"
+        elsif !/\A\d+\z/.match?(content_length[0])
+          raise HTTPStatus::BadRequest, "invalid content-length request header"
+        end
+      end
     end
 
     def parse_uri(str, scheme="http")
@@ -503,14 +522,19 @@ module WEBrick
       return URI::parse(uri.to_s)
     end
 
+    host_pattern = URI::RFC2396_Parser.new.pattern.fetch(:HOST)
+    HOST_PATTERN = /\A(#{host_pattern})(?::(\d+))?\z/n
     def parse_host_request_line(host)
-      pattern = /\A(#{URI::REGEXP::PATTERN::HOST})(?::(\d+))?\z/no
-      host.scan(pattern)[0]
+      host.scan(HOST_PATTERN)[0]
     end
 
     def read_body(socket, block)
       return unless socket
       if tc = self['transfer-encoding']
+        if self['content-length']
+          raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"
+        end
+
         case tc
         when /\Achunked\z/io then read_chunked(socket, block)
         else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
@@ -534,12 +558,12 @@ module WEBrick
 
     def read_chunk_size(socket)
       line = read_line(socket)
-      if /^([0-9a-fA-F]+)(?:;(\S+))?/ =~ line
+      if /\A([0-9a-fA-F]+)(?:;(\S+(?:=\S+)?))?\r\n\z/ =~ line
         chunk_size = $1.hex
         chunk_ext = $2
         [ chunk_size, chunk_ext ]
       else
-        raise HTTPStatus::BadRequest, "bad chunk `#{line}'."
+        raise HTTPStatus::BadRequest, "bad chunk '#{line}'."
       end
     end
 
@@ -555,7 +579,11 @@ module WEBrick
           block.call(data)
         end while (chunk_size -= sz) > 0
 
-        read_line(socket)                    # skip CRLF
+        line = read_line(socket)              # skip CRLF
+        unless line == "\r\n"
+          raise HTTPStatus::BadRequest, "extra data after chunk '#{line}'."
+        end
+
         chunk_size, = read_chunk_size(socket)
       end
       read_header(socket)                    # trailer + CRLF

data/lib/webrick/httpresponse.rb

@@ -453,7 +453,7 @@ module WEBrick
       _end_of_html_
 
       if backtrace && $DEBUG
-        @body << "backtrace of `#{HTMLUtils::escape(ex.class.to_s)}' "
+        @body << "backtrace of '#{HTMLUtils::escape(ex.class.to_s)}' "
         @body << "#{HTMLUtils::escape(ex.message)}"
         @body << "<PRE>"
         ex.backtrace.each{|line| @body << "\t#{line}\n"}

data/lib/webrick/httpserver.rb

@@ -128,11 +128,11 @@ module WEBrick
           do_OPTIONS(req, res)
           raise HTTPStatus::OK
         end
-        raise HTTPStatus::NotFound, "`#{req.unparsed_uri}' not found."
+        raise HTTPStatus::NotFound, "'#{req.unparsed_uri}' not found."
       end
 
       servlet, options, script_name, path_info = search_servlet(req.path)
-      raise HTTPStatus::NotFound, "`#{req.path}' not found." unless servlet
+      raise HTTPStatus::NotFound, "'#{req.path}' not found." unless servlet
       req.script_name = script_name
       req.path_info = path_info
       si = servlet.get_instance(self, *options)

data/lib/webrick/httpservlet/abstract.rb

@@ -105,7 +105,7 @@ module WEBrick
           __send__(method_name, req, res)
         else
           raise HTTPStatus::MethodNotAllowed,
-                "unsupported method `#{req.request_method}'."
+                "unsupported method '#{req.request_method}'."
         end
       end
 

data/lib/webrick/httpservlet/filehandler.rb

@@ -250,7 +250,7 @@ module WEBrick
 
       def do_POST(req, res)
         unless exec_handler(req, res)
-          raise HTTPStatus::NotFound, "`#{req.path}' not found."
+          raise HTTPStatus::NotFound, "'#{req.path}' not found."
         end
       end
 
@@ -307,7 +307,7 @@ module WEBrick
       end
 
       def exec_handler(req, res)
-        raise HTTPStatus::NotFound, "`#{req.path}' not found." unless @root
+        raise HTTPStatus::NotFound, "'#{req.path}' not found." unless @root
         if set_filename(req, res)
           handler = get_handler(req, res)
           call_callback(:HandlerCallback, req, res)
@@ -359,7 +359,7 @@ module WEBrick
             call_callback(:FileCallback, req, res)
             return true
           else
-            raise HTTPStatus::NotFound, "`#{req.path}' not found."
+            raise HTTPStatus::NotFound, "'#{req.path}' not found."
           end
         end
 
@@ -368,8 +368,8 @@ module WEBrick
 
       def check_filename(req, res, name)
         if nondisclosure_name?(name) || windows_ambiguous_name?(name)
-          @logger.warn("the request refers nondisclosure name `#{name}'.")
-          raise HTTPStatus::NotFound, "`#{req.path}' not found."
+          @logger.warn("the request refers nondisclosure name '#{name}'.")
+          raise HTTPStatus::NotFound, "'#{req.path}' not found."
         end
       end
 
@@ -437,7 +437,7 @@ module WEBrick
       def set_dir_list(req, res)
         redirect_to_directory_uri(req, res)
         unless @options[:FancyIndexing]
-          raise HTTPStatus::Forbidden, "no access permission to `#{req.path}'"
+          raise HTTPStatus::Forbidden, "no access permission to '#{req.path}'"
         end
         local_path = res.filename
         list = Dir::entries(local_path).collect{|name|

data/lib/webrick/httputils.rb

@@ -29,14 +29,14 @@ module WEBrick
     # normalized.
 
     def normalize_path(path)
-      raise "abnormal path `#{path}'" if path[0] != ?/
+      raise "abnormal path '#{path}'" if path[0] != ?/
       ret = path.dup
 
       ret.gsub!(%r{/+}o, '/')                    # //      => /
       while ret.sub!(%r'/\.(?:/|\Z)', '/'); end  # /.      => /
       while ret.sub!(%r'/(?!\.\./)[^/]+/\.\.(?:/|\Z)', '/'); end # /foo/.. => /foo
 
-      raise "abnormal path `#{path}'" if %r{/\.\.(/|\Z)} =~ ret
+      raise "abnormal path '#{path}'" if %r{/\.\.(/|\Z)} =~ ret
       ret
     end
     module_function :normalize_path
@@ -55,7 +55,6 @@ module WEBrick
       "cer"   => "application/pkix-cert",
       "crl"   => "application/pkix-crl",
       "crt"   => "application/x-x509-ca-cert",
-     #"crl"   => "application/x-pkcs7-crl",
       "css"   => "text/css",
       "dms"   => "application/octet-stream",
       "doc"   => "application/msword",
@@ -153,28 +152,49 @@ module WEBrick
     # Parses an HTTP header +raw+ into a hash of header fields with an Array
     # of values.
 
+    class SplitHeader < Array
+      def join(separator = ", ")
+        super
+      end
+    end
+
+    class CookieHeader < Array
+      def join(separator = "; ")
+        super
+      end
+    end
+
+    HEADER_CLASSES = Hash.new(SplitHeader).update({
+      "cookie" => CookieHeader,
+    })
+
     def parse_header(raw)
       header = Hash.new([].freeze)
       field = nil
       raw.each_line{|line|
         case line
-        when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):\s*(.*?)\s*\z/om
+        when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):([^\r\n\0]*?)\r\n\z/om
           field, value = $1, $2
           field.downcase!
-          header[field] = [] unless header.has_key?(field)
+          header[field] = HEADER_CLASSES[field].new unless header.has_key?(field)
           header[field] << value
-        when /^\s+(.*?)\s*\z/om
-          value = $1
+        when /^[ \t]+([^\r\n\0]*?)\r\n/om
           unless field
             raise HTTPStatus::BadRequest, "bad header '#{line}'."
           end
+          value = line
+          value.gsub!(/\A[ \t]+/, '')
+          value.slice!(-2..-1)
           header[field][-1] << " " << value
         else
           raise HTTPStatus::BadRequest, "bad header '#{line}'."
         end
       }
       header.each{|key, values|
-        values.each(&:strip!)
+        values.each{|value|
+          value.gsub!(/\A[ \t]+/, '')
+          value.gsub!(/[ \t]+\z/, '')
+        }
       }
       header
     end
@@ -184,8 +204,8 @@ module WEBrick
     # Splits a header value +str+ according to HTTP specification.
 
     def split_header_value(str)
-      str.scan(%r'\G((?:"(?:\\.|[^"])+?"|[^",]+)+)
-                    (?:,\s*|\Z)'xn).flatten
+      str.scan(%r'\G((?:"(?:\\.|[^"])+?"|[^",]++)+)
+                    (?:,[ \t]*|\Z)'xn).flatten
     end
     module_function :split_header_value
 
@@ -213,9 +233,9 @@ module WEBrick
     def parse_qvalues(value)
       tmp = []
       if value
-        parts = value.split(/,\s*/)
+        parts = value.split(/,[ \t]*/)
         parts.each {|part|
-          if m = %r{^([^\s,]+?)(?:;\s*q=(\d+(?:\.\d+)?))?$}.match(part)
+          if m = %r{^([^ \t,]+?)(?:;[ \t]*q=(\d+(?:\.\d+)?))?$}.match(part)
             val = m[1]
             q = (m[2] or 1).to_f
             tmp.push([val, q])
@@ -314,8 +334,8 @@ module WEBrick
         elsif str == CRLF
           @header = HTTPUtils::parse_header(@raw_header.join)
           if cd = self['content-disposition']
-            if /\s+name="(.*?)"/ =~ cd then @name = $1 end
-            if /\s+filename="(.*?)"/ =~ cd then @filename = $1 end
+            if /[ \t]+name="(.*?)"/ =~ cd then @name = $1 end
+            if /[ \t]+filename="(.*?)"/ =~ cd then @filename = $1 end
           end
         else
           @raw_header << str

data/lib/webrick/server.rb

@@ -365,7 +365,7 @@ module WEBrick
         begin
           s.shutdown
         rescue Errno::ENOTCONN
-          # when `Errno::ENOTCONN: Socket is not connected' on some platforms,
+          # when 'Errno::ENOTCONN: Socket is not connected' on some platforms,
           # call #close instead of #shutdown.
           # (ignore @config[:ShutdownSocketWithoutClose])
           s.close

data/lib/webrick/version.rb

@@ -14,5 +14,5 @@ module WEBrick
   ##
   # The WEBrick version
 
-  VERSION      = "1.8.1"
+  VERSION      = "1.9.1"
 end

data/sig/accesslog.rbs

@@ -0,0 +1,24 @@
+module WEBrick
+  module AccessLog
+    class AccessLogError < StandardError
+    end
+
+    CLF_TIME_FORMAT: String
+
+    COMMON_LOG_FORMAT: String
+
+    CLF: String
+
+    REFERER_LOG_FORMAT: String
+
+    AGENT_LOG_FORMAT: String
+
+    COMBINED_LOG_FORMAT: String
+
+    def self?.setup_params: (Hash[Symbol, untyped] config, HTTPRequest req, HTTPResponse res) -> Hash[String, untyped]
+
+    def self?.format: (String format_string, Hash[String, untyped] params) -> String
+
+    def self?.escape: (String data) -> String
+  end
+end

data/sig/cgi.rbs

@@ -0,0 +1,92 @@
+module WEBrick
+  class CGI
+    @options: Array[untyped]
+
+    class CGIError < StandardError
+    end
+
+    attr_reader config: Hash[Symbol, untyped]
+
+    attr_reader logger: BasicLog
+
+    def initialize: (*untyped args) -> void
+
+    def []: (Symbol key) -> untyped
+
+    interface _Env
+      def []: (String) -> String?
+    end
+
+    def start: (?_Env env, ?IO stdin, ?IO stdout) -> void
+
+    def self.setup_header: () -> untyped
+
+    def self.status_line: () -> ""
+
+    def service: (HTTPRequest req, HTTPResponse res) -> void
+
+    class Socket
+      @config: Hash[Symbol, untyped]
+
+      @env: _Env
+
+      @header_part: StringIO
+
+      @body_part: IO
+
+      @out_port: IO
+
+      @server_addr: String
+
+      @server_name: String?
+
+      @server_port: String?
+
+      @remote_addr: String?
+
+      @remote_host: String?
+
+      @remote_port: (String | 0)
+
+      include Enumerable[String]
+
+      private
+
+      def initialize: (Hash[Symbol, untyped] config, _Env env, IO stdin, IO stdout) -> void
+
+      def request_line: () -> String
+
+      def setup_header: () -> void
+
+      def add_header: (String hdrname, String value) -> void
+
+      def input: () -> (IO | StringIO)
+
+      public
+
+      def peeraddr: () -> [nil, (String | 0), String?, String?]
+
+      def addr: () -> [nil, String?, String?, String]
+
+      def gets: (?String eol, ?Integer? size) -> String?
+
+      def read: (?Integer? size) -> String?
+
+      def each: () { (String) -> void } -> void
+
+      def eof?: () -> bool
+
+      def <<: (_ToS data) -> IO
+
+      def write: (_ToS data) -> Integer
+
+      def cert: () -> OpenSSL::X509::Certificate?
+
+      def peer_cert: () -> OpenSSL::X509::Certificate?
+
+      def peer_cert_chain: () -> Array[OpenSSL::X509::Certificate]?
+
+      def cipher: () -> [String?, String?, String?, String?]?
+    end
+  end
+end

data/sig/compat.rbs

@@ -0,0 +1,18 @@
+#
+# System call error module used by webrick for cross platform compatibility.
+#
+# EPROTO:: protocol error
+# ECONNRESET:: remote host reset the connection request
+# ECONNABORTED:: Client sent TCP reset (RST) before server has accepted the
+#                connection requested by client.
+#
+module Errno
+  class EPROTO < SystemCallError
+  end
+
+  class ECONNRESET < SystemCallError
+  end
+
+  class ECONNABORTED < SystemCallError
+  end
+end

data/sig/config.rbs

@@ -0,0 +1,17 @@
+module WEBrick
+  module Config
+    LIBDIR: String
+
+    # for GenericServer
+    General: Hash[Symbol, untyped]
+
+    # for HTTPServer, HTTPRequest, HTTPResponse ...
+    HTTP: Hash[Symbol, untyped]
+
+    FileHandler: Hash[Symbol, untyped]
+
+    BasicAuth: Hash[Symbol, untyped]
+
+    DigestAuth: Hash[Symbol, untyped]
+  end
+end