Forum: Ruby-core [Ruby 1.9 - Bug #5418][Open] Some properties of WEBrick::HTTPRequest could be malformed

Hiroshi Nakamura (Guest)
on 2011-10-07 05:01
(Received via mailing list)
Issue #5418 has been reported by Hiroshi Nakamura.

----------------------------------------
Bug #5418: Some properties of WEBrick::HTTPRequest could be malformed
http://redmine.ruby-lang.org/issues/5418

Author: Hiroshi Nakamura
Status: Open
Priority: Normal
Assignee: Hiroshi Nakamura
Category: lib
Target version: 1.9.x
ruby -v: -


Original reported issue: CVE-2011-3187

Users may expect the properties of WEBrick::HTTPRequest not to be
malformed/faked. But in fact, in the current implementation, the following
properties can be malformed and faked by HTTP headers sent by an attacker.

 - HTTPRequest#host
  - can be malformed/faked by 'x-forwarded-host'
  - can be faked by 'Host'

 - HTTPRequest#port
  - can be faked by 'Host'

 - HTTPRequest#server_name
  - can be malformed/faked by 'x-forwarded-server'

 - HTTPRequest#remote_ip
  - can be malformed/faked by 'x-forwarded-for' and 'client-ip'

 - HTTPRequest#ssl?
  - can be faked by 'Host'

 - HTTPRequest#meta_vars (Hash of meta vars such as 'REQUEST_URI')
  - can be malformed/faked by some HTTP headers

Here's the list of reasons why we think it's not a
high-priority security bug at this moment.

 - For the faked data issue, we don't have a way to guarantee that it's not
  faked. So developers of HTTPRequest must be aware of that.

 - For the malformed data issue, it should be a bug of HTTPRequest to be
  fixed, but it's the same problem for x-forwarded-host,
  x-forwarded-server and client-ip. We're offering that data on an as-is
  basis from the HTTP header, so we can expect users to handle the data
  properly for their purpose (for dumping to xterm, embedding in HTML,
  etc.)

 - And the fix for this bug would be a little complex for a quick fix
  because it's not only x-forwarded-for which causes this issue.
  'client-ip' needs care, too. Documentation would be enough for
  server_name. We think we need a general development cycle for fixing
  it.

ref:
https://bugzilla.novell.com/show_bug.cgi?id=673010
http://webservsec.blogspot.com/2011/02/ruby-on-rai...
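
Added example, not part of the original thread and not WEBrick's own code: one way an application can handle the faked/malformed 'x-forwarded-for' case listed for remote_ip, by honouring the header only when the TCP peer is a known proxy and rejecting any token that is not an IP address. The names TRUSTED_PROXIES, parse_ip, trusted_proxy? and client_ip are hypothetical, and all addresses are constructed sample values.

```ruby
require 'ipaddr'

# Assumption: the only reverse proxies in front of the app (constructed values).
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1'), IPAddr.new('10.0.0.0/8')].freeze

# Returns an IPAddr, or nil when the token is not a plain IP address.
# The character filter rejects control bytes, prefixes ("/24") and zone ids
# before IPAddr ever sees the value.
def parse_ip(token)
  s = token.to_s.strip
  return nil unless s.match?(/\A[0-9A-Fa-f:.]{2,45}\z/)
  IPAddr.new(s)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# peer_addr: address reported by the socket (not taken from any header).
# headers:   Hash of lower-cased header names to raw values from the request.
# 'client-ip' is deliberately never read: in this assumed deployment no
# proxy sets it, so any value present came from the client.
def client_ip(peer_addr, headers)
  peer = parse_ip(peer_addr) or raise ArgumentError, 'bad peer address'
  # A directly connected client can send any x-forwarded-for it likes.
  return peer.to_s unless trusted_proxy?(peer)

  hops = headers.fetch('x-forwarded-for', '').split(',').map { |t| parse_ip(t) }
  # Missing header or any malformed entry: fall back to the socket peer.
  return peer.to_s if hops.empty? || hops.any?(&:nil?)

  # Entries are appended by each proxy, so walk right to left and stop at the
  # first address that is not one of our proxies. Anything further left was
  # supplied by the client and is ignored.
  hops.reverse_each { |ip| return ip.to_s unless trusted_proxy?(ip) }
  hops.first.to_s
end
```
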
ko1 (Koichi Sasada) (Guest)
on 2013-02-17 11:08
(Received via mailing list)
Issue #5418 has been updated by ko1 (Koichi Sasada).

Target version changed from 2.0.0 to 2.1.0

Time up for 2.0.0.

Nahi-san, how about this ticket?

----------------------------------------
Bug #5418: Some properties of WEBrick::HTTPRequest could be malformed
https://bugs.ruby-lang.org/issues/5418#change-36419

Author: nahi (Hiroshi Nakamura)
Status: Assigned
Priority: Normal
Assignee: nahi (Hiroshi Nakamura)
Category: lib
Target version: 2.1.0
ruby -v: -


unknown (Guest)
on 2014-01-30 07:17
(Received via mailing list)
Issue #5418 has been updated by Hiroshi SHIBATA.

Target version changed from 2.1.0 to current: 2.2.0

----------------------------------------
Bug #5418: Some properties of WEBrick::HTTPRequest could be malformed
https://bugs.ruby-lang.org/issues/5418#change-44740

* Author: Hiroshi Nakamura
* Status: Assigned
* Priority: Normal
* Assignee: Hiroshi Nakamura
* Category: lib
* Target version: current: 2.2.0
* ruby -v: -
* Backport: