ruby/ruby-1.8.6-p287-CVE-2008-5189.patch


2009-03-15 05:56:18 +00:00
--- lib/cgi.rb (revision 19665)
+++ lib/cgi.rb (working copy)
@@ -546,6 +546,11 @@
when Hash
options = options.dup
end
+ options.each_value do |value|
+ if /\n(?![ \t])/ === value
+ raise ArgumentError, "potential HTTP header injection detected"
+ end
+ end
unless options.has_key?("type")
options["type"] = "text/html"
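Review bot: The guard added in the `each_value` loop rejects only a line feed, so a value containing a bare carriage return still passes, and some clients and intermediaries treat a lone CR as a line terminator. Consider `if /\r(?!\n)|\n(?![ \t])/ === value`, which still lets CRLF-plus-whitespace folded values through. `Regexp#===` is also false for non-String values, so an Array or object value is never inspected if the rest of the method stringifies it into a header line, and the keys (header names) are not checked at all; both are worth confirming against the code that emits the remaining options. The enclosing method starts and ends outside this hunk.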