Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 940185 - <dev-ruby/webrick-1.8.2: HTTP Request Smuggling
Summary: <dev-ruby/webrick-1.8.2: HTTP Request Smuggling
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/ruby/webrick/issue...
Whiteboard: B4 [cleanup glsa?]
Keywords:
Depends on: 941221
Blocks:
  Show dependency tree
 
Reported: 2024-09-24 04:30 UTC by Hans de Graaff
Modified: 2024-10-25 12:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2024-09-24 04:30:33 UTC 
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request.

NOTE: the supplier's position is "Webrick should not be used in production."