

Whitelist http/https schemes
PatrickTulskie authored and tenderlove committed Nov 5, 2018
1 parent 37c1160 commit 313dd6a
Showing 2 changed files with 22 additions and 4 deletions.
21 changes: 17 additions & 4 deletions lib/rack/request.rb
Expand Up @@ -11,6 +11,8 @@ module Rack
# req.params["data"]

class Request
SCHEME_WHITELIST = %w(https http).freeze

def initialize(env)
@params = nil
super(env)
Expand Down Expand Up @@ -188,10 +190,8 @@ def scheme
'https'
elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
'https'
elsif get_header(HTTP_X_FORWARDED_SCHEME)
get_header(HTTP_X_FORWARDED_SCHEME)
elsif get_header(HTTP_X_FORWARDED_PROTO)
get_header(HTTP_X_FORWARDED_PROTO).split(',')[0]
elsif forwarded_scheme
forwarded_scheme
else
get_header(RACK_URL_SCHEME)
end
Expand Down Expand Up @@ -479,6 +479,19 @@ def split_ip_addresses(ip_addresses)
def reject_trusted_ip_addresses(ip_addresses)
ip_addresses.reject { |ip| trusted_proxy?(ip) }
end

def forwarded_scheme
scheme_headers = [
get_header(HTTP_X_FORWARDED_SCHEME),
get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
]

scheme_headers.each do |header|
return header if SCHEME_WHITELIST.include?(header)
end

nil
end
end

include Env
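Review bot: The membership test at `return header if SCHEME_WHITELIST.include?(header)` in forwarded_scheme is an exact, case-sensitive comparison, so a proxy that sends `X-Forwarded-Proto: HTTPS`, or a value that keeps a leading space after `split(',')[0]`, now fails the allow-list silently and scheme() falls back to RACK_URL_SCHEME, which presumably flips ssl? to false with no signal to the operator; before this commit the raw header value was returned, so this is a behaviour change for any such proxy upstream, worth confirming against the deployments Rack targets. Normalising before the lookup keeps the allow-list strict while tolerating that variance: `candidate = header.to_s.strip.downcase` followed by `return candidate if SCHEME_WHITELIST.include?(candidate)`. The same exact match applies to the HTTP_X_FORWARDED_SCHEME entry on the line above it, which unlike the proto header is not comma-split, so a multi-valued scheme header is rejected outright. A short comment on the method would also help a reader of scheme(), e.g. `# First forwarding-header scheme that is http or https; nil when none is present or the value is not recognised, in which case it is ignored rather than raised.`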
5 changes: 5 additions & 0 deletions test/spec_request.rb
Expand Up @@ -572,6 +572,11 @@ def initialize(*)
request.must_be :ssl?
end

it "prevents scheme abuse" do
request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_SCHEME' => 'a."><script>alert(1)</script>'))
request.scheme.must_equal 'http'
end

it "parse cookies" do
req = make_request \
Rack::MockRequest.env_for("", "HTTP_COOKIE" => "foo=bar;quux=h&m")
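Review bot: The new `prevents scheme abuse` case only drives HTTP_X_FORWARDED_SCHEME, so the second allow-list entry built from HTTP_X_FORWARDED_PROTO in forwarded_scheme is untested, as is the fall-through to RACK_URL_SCHEME when a rejected value arrives in that header; a regression in the `.to_s.split(',')[0]` handling would pass this spec. A companion case that sets the proto header to a non-whitelisted value and asserts the same `'http'` fallback pins both entries, and an existing spec above it appears to already cover the accepted `https` path via ssl?. The surrounding `describe` block starts outside this hunk.
```ruby
it "ignores an unrecognised forwarded proto" do
  request = make_request(Rack::MockRequest.env_for("/", 'HTTP_X_FORWARDED_PROTO' => 'gopher'))
  request.scheme.must_equal 'http'
end
```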

