Issue #5418 has been reported by Hiroshi Nakamura.

----------------------------------------
Bug #5418: Some properties of WEBrick::HTTPRequest could be malformed
http://redmine.ruby-lang.org/issues/5418

Author: Hiroshi Nakamura
Status: Open
Priority: Normal
Assignee: Hiroshi Nakamura
Category: lib
Target version: 1.9.x
ruby -v: -

Original reported issue: CVE-2011-3187

Users may expect the properties of WEBrick::HTTPRequest not to be malformed/faked. But in fact, in the current implementation, the following properties can be malformed and faked by HTTP headers sent by an attacker.

- HTTPRequest#host
  - can be malformed/faked by 'x-forwarded-host'
  - can be faked by 'Host'
- HTTPRequest#port
  - can be faked by 'Host'
- HTTPRequest#server_name
  - can be malformed/faked by 'x-forwarded-server'
- HTTPRequest#remote_ip
  - can be malformed/faked by 'x-forwarded-for' and 'client-ip'
- HTTPRequest#ssl?
  - can be faked by 'Host'
- HTTPRequest#meta_vars (Hash of meta vars such as 'REQUEST_URI')
  - can be malformed/faked by some HTTP headers

Here is the list of reasons why we think it is not a high-priority security bug at this moment.

- For the faked data issue, we don't have a way to guarantee that it's not faked. So developers of HTTPRequest must be aware of that.
- For the malformed data issue, it should be a bug of HTTPRequest to be fixed, but it's the same problem for x-forwarded-host, x-forwarded-server and client-ip. We're offering this data on an as-is basis from the HTTP headers, so we expect users to handle the data properly for their purpose (for dumping to xterm, embedding in HTML, etc.)
- And the fix for this bug would be a little complex for a quick fix because it's not only x-forwarded-for which causes this issue. 'client-ip' needs care, too. Documentation would be enough for server_name.

We think we need a general development cycle for fixing it.

ref:
https://bugzilla.novell.com/show_bug.cgi?id=673010
http://webservsec.blogspot.com/2011/02/ruby-on-rai...
on 2011-10-07 05:01
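The trust problem the report lists, worked through in Ruby as an added example (this is not WEBrick's code and not part of the ticket): a minimal request-head parser, naive accessors that mirror the behaviour described above (X-Forwarded-For / Client-IP taken at face value, X-Forwarded-Host preferred over Host), and hardened accessors that honour forwarding headers only when the TCP peer is a trusted reverse proxy and only accept a Host value the server is configured to serve. The two sample requests, the proxy range TRUSTED_PROXIES, the ALLOWED_HOSTS list and every function name are assumptions made for this example.

```ruby
require 'ipaddr'

# Constructed sample request heads (not captured traffic). The first is sent
# straight to the server by an attacker who plants forwarding headers; the
# second arrives via a reverse proxy that appended the real client address.
SPOOFED_REQUEST = <<~REQ
  GET /admin HTTP/1.1\r
  Host: victim.example:443\r
  X-Forwarded-Host: evil.example\r
  X-Forwarded-For: 127.0.0.1\r
  Client-IP: 127.0.0.1\r
  \r
REQ

PROXIED_REQUEST = <<~REQ
  GET / HTTP/1.1\r
  Host: victim.example\r
  X-Forwarded-For: 127.0.0.1, 198.51.100.7\r
  \r
REQ

# Assumptions for this example: reverse proxies live in 10.0.0.0/8 and the
# server is only ever meant to answer for victim.example.
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8')].freeze
ALLOWED_HOSTS   = ['victim.example'].freeze

# Minimal request-head parser: request line plus a lowercase-keyed header hash.
def parse_head(raw)
  lines = raw.split("\r\n")
  method, target, version = lines.shift.to_s.split(' ', 3)
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  { method: method, target: target, version: version, headers: headers }
end

# The behaviour the report describes: whatever the client put in
# X-Forwarded-For / Client-IP / X-Forwarded-Host / Host wins.
def naive_remote_ip(headers, peer_ip)
  forwarded = headers['x-forwarded-for'] || headers['client-ip']
  forwarded ? forwarded.split(',').first.strip : peer_ip
end

def naive_host(headers)
  (headers['x-forwarded-host'] || headers['host']).to_s.split(':').first
end

# nil for anything that is not a syntactically valid IP literal.
def parse_ip(str)
  return nil if str.nil? || str.empty?
  IPAddr.new(str)
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  nil
end

def trusted_proxy?(addr, trusted_proxies)
  !addr.nil? && trusted_proxies.any? { |net| net.include?(addr) }
end

# Hardened: X-Forwarded-For is honoured only when the TCP peer is a trusted
# proxy, and then read right-to-left (the proxy appends, the client can only
# prepend) until the first address that is not one of our proxies.
# Client-IP is never consulted; malformed entries are skipped.
def effective_remote_ip(headers, peer_ip, trusted_proxies: TRUSTED_PROXIES)
  return peer_ip unless trusted_proxy?(parse_ip(peer_ip), trusted_proxies)
  chain = headers.fetch('x-forwarded-for', '').split(',').map(&:strip)
  chain.reverse_each do |hop|
    addr = parse_ip(hop)
    next if addr.nil?
    return hop unless trusted_proxy?(addr, trusted_proxies)
  end
  peer_ip
end

# Hardened: X-Forwarded-Host is ignored unless the peer is a trusted proxy, and
# the resulting name must be one this server is configured to serve; nil means
# "reject the request" rather than guessing.
def effective_host(headers, peer_ip, allowed_hosts: ALLOWED_HOSTS,
                   trusted_proxies: TRUSTED_PROXIES)
  candidate = headers['host']
  if trusted_proxy?(parse_ip(peer_ip), trusted_proxies) && headers['x-forwarded-host']
    candidate = headers['x-forwarded-host']
  end
  name = candidate.to_s.sub(/:\d+\z/, '').downcase # strip a trailing :port
  allowed_hosts.include?(name) ? name : nil
end

def analyse(raw, peer_ip)
  headers = parse_head(raw)[:headers]
  {
    naive_remote_ip: naive_remote_ip(headers, peer_ip),
    naive_host:      naive_host(headers),
    remote_ip:       effective_remote_ip(headers, peer_ip),
    host:            effective_host(headers, peer_ip),
  }
end

if $PROGRAM_NAME == __FILE__
  p analyse(SPOOFED_REQUEST, '203.0.113.9') # attacker connecting directly
  p analyse(PROXIED_REQUEST, '10.0.0.5')    # request relayed by a trusted proxy
end
```

For the direct connection from 203.0.113.9 the naive accessors report 127.0.0.1 and evil.example while the hardened ones report the real peer and the configured host; for the proxied request the hardened remote_ip is the address the proxy appended (198.51.100.7), not the 127.0.0.1 the client prepended. The same gate (peer is a trusted proxy, value is well-formed, value is on an allow-list) is what an application on top of HTTPRequest#remote_ip, #host, #port or #ssl? has to apply itself, since the ticket states WEBrick passes these values through as-is.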
on 2013-02-17 11:08
Issue #5418 has been updated by ko1 (Koichi Sasada).

Target version changed from 2.0.0 to 2.1.0

Time up for 2.0.0. Nahi-san, how about this ticket?

----------------------------------------
Bug #5418: Some properties of WEBrick::HTTPRequest could be malformed
https://bugs.ruby-lang.org/issues/5418#change-36419

Author: nahi (Hiroshi Nakamura)
Status: Assigned
Priority: Normal
Assignee: nahi (Hiroshi Nakamura)
Category: lib
Target version: 2.1.0
ruby -v: -