Reject null bytes in header lines

Fixes #126

Author: jeremyevans

lib/webrick/httprequest.rb

@@ -475,6 +475,9 @@ def read_header(socket)
           if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH
             raise HTTPStatus::RequestEntityTooLarge, 'headers too large'
           end
+          if line.include?("\x00")
+            raise HTTPStatus::BadRequest, 'null byte in header'
+          end
           @raw_header << line
         end
       end

test/webrick/test_httprequest.rb

@@ -312,6 +312,17 @@ def test_bad_chunked
     end
   end
 
+  def test_null_byte_in_header
+    msg = <<-_end_of_message_
+      POST /path HTTP/1.1\r
+      Evil: evil\x00\r
+      \r
+    _end_of_message_
+    msg.gsub!(/^ {6}/, "")
+    req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+    assert_raise(WEBrick::HTTPStatus::BadRequest){ req.parse(StringIO.new(msg)) }
+  end
+
   def test_forwarded
     msg = <<-_end_of_message_
       GET /foo HTTP/1.1