Project

General

Profile

Actions

Bug #5418

closed

Some properties of WEBrick::HTTPRequest could be malformed

Added by nahi (Hiroshi Nakamura) about 13 years ago. Updated about 4 years ago.

Status:
Rejected
Target version:
-
ruby -v:
-
Backport:
[ruby-core:40014]
Tags:

Description

Original reported issue: CVE-2011-3187

Users may expect that properties of WEBrick::HTTPRequest to be not
malformed/faked. But at the fact, in current implementation, following
properties can be malformed and faked by HTTP header sent by attacker.

  • HTTPRequest#host

  • can be malformed/faked by 'x-forwarded-host'

  • can be faked by 'Host'

  • HTTPRequest#port

  • can be faked by 'Host'

  • HTTPRequest#server_name

  • can be malformed/faked by 'x-forwarded-server'

  • HTTPRequest#remote_ip

  • can be malformed/faked by 'x-forwarded-for' and 'client-ip'

  • HTTPRequest#ssl?

  • can be faked by 'Host'

  • HTTPRequest#meta_vars (Hash of meta vars such as 'REQUEST_URI')

  • can be malformed/faked by some HTTP headers

Here's the list of reason why we're thinking it's not a
high-priority security bug at this moment.

  • For faked data issue, we don't have a way to guarantee that it's not
    faked. So developers of HTTPRequest must aware of that.

  • For malformed data issue, it should be a bug of HTTPRequest to be
    fixed, but it's the same problem for x-forwarded-host,
    x-forwarded-server and client-ip. We're offering those data in as-is
    basis from HTTP header so we can expect users handle the data
    properly for their purpose (for dumping to xterm, embedding to HTML,
    etc.)

  • And the fix for this bug would be a little complex for quick-fix
    because it's not only x-forwarded-for which causes this issue.
    'client-ip' needs care, too. Documentation would be enough for
    server_name. We think we need general development cycle for fixing
    it.

ref:
https://bugzilla.novell.com/show_bug.cgi?id=673010
http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html

Actions #1

Updated by shyouhei (Shyouhei Urabe) almost 13 years ago

  • Status changed from Open to Assigned

Updated by ko1 (Koichi Sasada) almost 12 years ago

  • Target version changed from 2.0.0 to 2.1.0

Time up for 2.0.0.

Nahi-san, how about this ticket?

Updated by hsbt (Hiroshi SHIBATA) almost 11 years ago

  • Target version changed from 2.1.0 to 2.2.0
Actions #4

Updated by naruse (Yui NARUSE) almost 7 years ago

  • Target version deleted (2.2.0)

Updated by naruse (Yui NARUSE) over 6 years ago

  • Assignee changed from nahi (Hiroshi Nakamura) to normalperson (Eric Wong)

As Rails did, webrick seems to need introduce TRUSTED_PROXIES.

Updated by hsbt (Hiroshi SHIBATA) about 4 years ago

  • Status changed from Assigned to Rejected

WEBrick has been removed from ruby repository.

If anyone interest this, Please file this to https://github.com/ruby/webrick

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0