Commit 3126d94f authored by Sruthi Chandran's avatar Sruthi Chandran

Remove CVE-2018-16471.patch, already applied upstream

parent fc7ae1ac
From: Chris Lamb <lamby@debian.org>
Date: Wed, 21 Nov 2018 14:31:03 +0100
Subject: CVE-2018-16471: Prevent a possible XSS vulnerability where a
malicious request could impact the HTTP/HTTPS scheme returned to the
underlying application. (Closes: #913005)
---
lib/rack/request.rb | 21 +++++++++++++++++----
test/spec_request.rb | 5 +++++
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
index 2a00de7..6307b61 100644
--- a/lib/rack/request.rb
+++ b/lib/rack/request.rb
@@ -11,6 +11,8 @@ module Rack
# req.params["data"]
class Request
+ SCHEME_WHITELIST = %w(https http).freeze
+
def initialize(env)
@params = nil
super(env)
@@ -188,10 +190,8 @@ module Rack
'https'
elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
'https'
- elsif get_header(HTTP_X_FORWARDED_SCHEME)
- get_header(HTTP_X_FORWARDED_SCHEME)
- elsif get_header(HTTP_X_FORWARDED_PROTO)
- get_header(HTTP_X_FORWARDED_PROTO).split(',')[0]
+ elsif forwarded_scheme
+ forwarded_scheme
else
get_header(RACK_URL_SCHEME)
end
@@ -479,6 +479,19 @@ module Rack
def reject_trusted_ip_addresses(ip_addresses)
ip_addresses.reject { |ip| trusted_proxy?(ip) }
end
+
+ def forwarded_scheme
+ scheme_headers = [
+ get_header(HTTP_X_FORWARDED_SCHEME),
+ get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
+ ]
+
+ scheme_headers.each do |header|
+ return header if SCHEME_WHITELIST.include?(header)
+ end
+
+ nil
+ end
end
include Env
diff --git a/test/spec_request.rb b/test/spec_request.rb
index bdad68f..cfaedbc 100644
--- a/test/spec_request.rb
+++ b/test/spec_request.rb
@@ -572,6 +572,11 @@ class RackRequestTest < Minitest::Spec
request.must_be :ssl?
end
+ it "prevents scheme abuse" do
+ request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
+ request.scheme.must_equal 'http'
+ end
+
it "parse cookies" do
req = make_request \
Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")