Fix possible HTTP Response Splitting

[macournoyer]

Ignore any response header with \r or \n in their value.

See GHSA-84j7-475p-hp8v

[ioquatix]

Should this raise an error?

[macournoyer]

I based my approach on Puma's https://github.com/puma/puma/blob/3846a4e0ae9cdfe80b4dfb7fc477f03ec4cabb9d/lib/puma/server.rb#L775

[ioquatix]

I personally think this should raise an exception as it represents a faulty request and I don't think we should try to interpret the remainder of the request as valid.

[ockeghem]

How about the following modifications of webrick?
https://github.com/ruby/webrick/blob/8658b1bd1fac9641806dc9efb4855c1c2e19eb72/lib/webrick/httpresponse.rb#L398

[ioquatix]

This looks good to me. Does this result in a 400 Bad Request?

[ockeghem]

This looks good to me. Does this result in a 400 Bad Request?

No. 500 Internal Server Error

curl -s -i http://localhost:3000/header/index | sed 's/\r/[CR]/'
HTTP/1.1 500 Internal Server Error[CR]
Content-Type: text/html; charset=ISO-8859-1[CR]
[CR]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
  <HEAD><TITLE>Internal Server Error</TITLE></HEAD>
  <BODY>
    <H1>Internal Server Error</H1>
    WEBrick::HTTPResponse::InvalidHeader
    <HR>
    <ADDRESS>
     WEBrick/1.7.0 (Ruby/3.0.1/2021-04-05) at
     localhost:3000
    </ADDRESS>
  </BODY>
</HTML>

But, I also think 400 is a valid response code.