
Fix script name escaping in Rack::Directory

Closes #415 and replaces it, which came with no tests and an insecure
implementation.
1 parent 40cb556 commit 7c36a88f73339bebe8b91b27e47ac958a7965f4f @raggi raggi committed Aug 26, 2012
Showing with 19 additions and 1 deletion.
  1. +1 −1 lib/rack/directory.rb
  2. +18 −0 test/spec_directory.rb
2 lib/rack/directory.rb
@@ -80,7 +80,7 @@ def list_directory
@files = [['../','Parent Directory','','','']]
glob = F.join(@path, '*')
- url_head = ([@script_name] + @path_info.split('/')).map do |part|
+ url_head = (@script_name.split('/') + @path_info.split('/')).map do |part|
Rack::Utils.escape part
end
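Review bot: The new `@script_name.split('/')` line needs a short comment saying why the script name is split before escaping, because the reason is not visible from the expression. Escaping SCRIPT_NAME as one string encodes its `/` separators, while leaving it unescaped would presumably put a request-derived value into the listing URLs as-is; escaping segment by segment avoids both. Suggested comment above the line: `# Escape each path segment on its own so "/" stays a separator and everything else is encoded.` Both splits yield a leading empty string for an absolute path, so the array has an empty segment in the middle; how it is joined lies in the part of list_directory outside this hunk and is worth confirming there.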
18 test/spec_directory.rb
@@ -67,4 +67,22 @@
res = mr.get("/cgi/test%2bdirectory/test%2bfile")
res.should.be.ok
end
+
+ should "correctly escape script name" do
+ app2 = Rack::Builder.new do
+ map '/script-path' do
+ run app
+ end
+ end
+
+ mr = Rack::MockRequest.new(Rack::Lint.new(app2))
+
+ res = mr.get("/script-path/cgi/test%2bdirectory")
+
+ res.should.be.ok
+ res.body.should =~ %r[/script-path/cgi/test%2Bdirectory/test%2Bfile]
+
+ res = mr.get("/script-path/cgi/test%2bdirectory/test%2bfile")
+ res.should.be.ok
+ end
end
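Review bot: The new spec mounts the app at `/script-path`, which contains nothing `Rack::Utils.escape` would change, so it pins that the `/` separators survive but not that a script name segment is actually encoded. Since the commit message calls the replaced implementation insecure, a second case would cover that side: a mount point with a character that needs encoding (constructed example: `map '/script+path'`) and an assertion on the encoded form in `res.body`. A negative assertion such as `res.body.should.not =~ %r[%2Fscript-path]` would also state the regression directly. `app` is defined outside this hunk.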
