Bug #5418
Some properties of WEBrick::HTTPRequest could be malformed
Description
Original reported issue: CVE-2011-3187
Users may expect that properties of WEBrick::HTTPRequest to be not
malformed/faked. But at the fact, in current implementation, following
properties can be malformed and faked by HTTP header sent by attacker.
HTTPRequest#host
- can be malformed/faked by 'x-forwarded-host'
- can be faked by 'Host'
HTTPRequest#port
- can be faked by 'Host'
HTTPRequest#server_name
- can be malformed/faked by 'x-forwarded-server'
HTTPRequest#remote_ip
- can be malformed/faked by 'x-forwarded-for' and 'client-ip'
HTTPRequest#ssl?
- can be faked by 'Host'
HTTPRequest#meta_vars (Hash of meta vars such as 'REQUEST_URI')
- can be malformed/faked by some HTTP headers
Here's the list of reason why we're thinking it's not a
high-priority security bug at this moment.
For faked data issue, we don't have a way to guarantee that it's not
faked. So developers of HTTPRequest must aware of that.For malformed data issue, it should be a bug of HTTPRequest to be
fixed, but it's the same problem for x-forwarded-host,
x-forwarded-server and client-ip. We're offering those data in as-is
basis from HTTP header so we can expect users handle the data
properly for their purpose (for dumping to xterm, embedding to HTML,
etc.)And the fix for this bug would be a little complex for quick-fix
because it's not only x-forwarded-for which causes this issue.
'client-ip' needs care, too. Documentation would be enough for
server_name. We think we need general development cycle for fixing
it.
ref:
https://bugzilla.novell.com/show_bug.cgi?id=673010
http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html