diff options
| author | Jeroen van Meeuwen (OGD) <j.van.meeuwen@ogd.nl> | 2009-12-21 23:44:03 +0100 |
|---|---|---|
| committer | Jeroen van Meeuwen (OGD) <j.van.meeuwen@ogd.nl> | 2009-12-21 23:44:03 +0100 |
| commit | c90c0297f7df090525244743422975821074fce6 (patch) | |
| tree | 43cfcf2752d7f156ae8ec8df9531515a8e19fefb | |
| parent | f5a11ddccb3df3c3cc11739dbcbad6b465e9438c (diff) | |
| download | ruby-c90c0297f7df090525244743422975821074fce6.tar.gz ruby-c90c0297f7df090525244743422975821074fce6.tar.xz ruby-c90c0297f7df090525244743422975821074fce6.zip | |
CVE-2008-5189
| -rw-r--r-- | lib/cgi.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/cgi.rb b/lib/cgi.rb index bf64d5a54..63b0880ef 100644 --- a/lib/cgi.rb +++ b/lib/cgi.rb @@ -546,6 +546,11 @@ class CGI when Hash options = options.dup end + options.each_value do |value| + if /\n(?![ \t])/ === value + raise ArgumentError, "potential HTTP header injection detected" + end + end unless options.has_key?("type") options["type"] = "text/html" |