/[packages]/updates/5/ruby/current/SOURCES/ruby-2.0.0-CVE-2017-10784.patch

Contents of /updates/5/ruby/current/SOURCES/ruby-2.0.0-CVE-2017-10784.patch



Revision 1170823 - (show annotations) (download)
Tue Oct 10 20:26:25 2017 UTC (6 years, 6 months ago) by pterjan
File size: 2832 byte(s)
Add patch for CVE-2017-10784
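diff --git a/lib/webrick/httpstatus.rb b/lib/webrick/httpstatus.rb
index 7ffda64cf0f9..5dc136f88f70 100644
--- a/lib/webrick/httpstatus.rb
+++ b/lib/webrick/httpstatus.rb
@@ -22,10 +22,6 @@ module HTTPStatus
 ##
 # Root of the HTTP status class hierarchy
 class Status < StandardError
- def initialize(*args) # :nodoc:
- args[0] = AccessLog.escape(args[0]) unless args.empty?
- super(*args)
- end
 class << self
 attr_reader :code, :reason_phrase # :nodoc:
 end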
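diff --git a/lib/webrick/log.rb b/lib/webrick/log.rb
index 41cde4a74084..4f069ac0c549 100644
--- a/lib/webrick/log.rb
+++ b/lib/webrick/log.rb
@@ -117,10 +117,10 @@ def debug?; @level >= DEBUG; end
 # * Otherwise it will return +arg+.inspect.
 def format(arg)
 if arg.is_a?(Exception)
- "#{arg.class}: #{arg.message}\n\t" <<
+ "#{arg.class}: #{AccessLog.escape(arg.message)}\n\t" <<
 arg.backtrace.join("\n\t") << "\n"
 elsif arg.respond_to?(:to_str)
- arg.to_str
+ AccessLog.escape(arg.to_str)
 else
 arg.inspect
 end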
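Review bot: The `else` branch at the end of the hunk still hands `arg.inspect` to the log unescaped; a String's `inspect` renders control characters as escape sequences, but an object with a custom `inspect` that returns raw text would still let terminal control sequences or fake log lines through, so `AccessLog.escape(arg.inspect)` would make the three branches consistent. The joined `arg.backtrace` in the Exception branch is likewise not passed through `AccessLog.escape`. If this tree's `AccessLog.escape` is the taint-gated version (it only rewrites control characters when its argument is tainted), the protection added here depends on taint propagating from the socket read into the message, which is worth confirming against accesslog.rb rather than assuming. The enclosing class of `format` starts outside the hunk.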
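diff --git a/test/webrick/test_httpauth.rb b/test/webrick/test_httpauth.rb
index 27c37f36770b..0aebb7a231c7 100644
--- a/test/webrick/test_httpauth.rb
+++ b/test/webrick/test_httpauth.rb
@@ -81,6 +81,42 @@ def test_basic_auth3
 tmpfile.close(true)
 end
 
+ def test_bad_username_with_control_characters
+ log_tester = lambda {|log, access_log|
+ assert_equal(2, log.length)
+ assert_match(/ERROR Basic WEBrick's realm: foo\\ebar: the user is not allowed./, log[0])
+ assert_match(/ERROR WEBrick::HTTPStatus::Unauthorized/, log[1])
+ }
+ TestWEBrick.start_httpserver({}, log_tester) {|server, addr, port, log|
+ realm = "WEBrick's realm"
+ path = "/basic_auth"
+
+ Tempfile.create("test_webrick_auth") {|tmpfile|
+ tmpfile.close
+ tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+ tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
+ tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
+ tmp_pass.flush
+
+ htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path)
+ users = []
+ htpasswd.each{|user, pass| users << user }
+ server.mount_proc(path){|req, res|
+ auth = WEBrick::HTTPAuth::BasicAuth.new(
+ :Realm => realm, :UserDB => htpasswd,
+ :Logger => server.logger
+ )
+ auth.authenticate(req, res)
+ res.body = "hoge"
+ }
+ http = Net::HTTP.new(addr, port)
+ g = Net::HTTP::Get.new(path)
+ g.basic_auth("foo\ebar", "passwd")
+ http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
+ }
+ }
+ end
+
 DIGESTRES_ = /
 ([a-zA-z\-]+)
 [\s\t]*(?:\r\n[\s\t]*)*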
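Review bot: The new test pins the escaping only for the String path of the logger: `log[0]` is matched against the escaped `foo\\ebar`, while the assertion on `log[1]` checks just `ERROR WEBrick::HTTPStatus::Unauthorized`, so the Exception branch (`AccessLog.escape(arg.message)`) that this patch also changes is never exercised with a hostile message. A negative assertion that the raw byte did not reach either line, e.g. `refute_match(/\e/, log[1])` next to the existing `assert_match`, would cover both branches of the fix with the same request. Separately, `users` is filled by `htpasswd.each{|user, pass| users << user }` but never read afterwards, so those two lines can be dropped and the unused `pass` block parameter with them. The test method's enclosing class starts outside the hunk.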
