Improper Neutralization of CRLF Sequences ('CRLF Injection')

Summary

Rack provides an interface for developing web applications in Ruby. The `Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via `Rack::Auth::Basic`, if success, the username will be put in `env['REMOTE_USER']` and later be used by `Rack::CommonLogger` for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username containing CRLF and white space characters, or the server just wants to log every login attempt. If an attacker enters a username with a CRLF character, the logger will log the malicious username with CRLF characters into the log file. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. This issue affects rack versions prior to 2.2.11, 3.0.x prior to 3.0.12, and 3.1.x prior to 3.1.10.