Fix security issue allowing directory traversal for any request serve…

…d from the public directory
chrisboulton · Oct 20, 2010 · c35751e · c35751e
1 parent 7dcbdf4
commit c35751e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/lib/clarity.rb b/lib/clarity.rb
@@ -18,6 +18,6 @@
 module Clarity
   VERSION = '0.9.8'  
 
-  Templates = File.dirname(__FILE__) + '/../views'
-  Public    = File.dirname(__FILE__) + '/../public'
+  Templates = File.expand_path(File.dirname(__FILE__) + '/../views')
+  Public    = File.expand_path(File.dirname(__FILE__) + '/../public')
 end
diff --git a/lib/clarity/server/chunk_http.rb b/lib/clarity/server/chunk_http.rb
@@ -37,9 +37,10 @@ def template(filename)
     end
 
     def public_file(filename)
-      File.read( File.join(Clarity::Public, filename) ) 
-    rescue Errno::ENOENT
-      raise NotFoundError
+      path = File.expand_path(File.join(Clarity::Public, filename))
+      raise NotFoundError unless path[0, Clarity::Public.length] == Clarity::Public
+      raise NotFoundError unless File.file?(path)
+      File.read(path)
     end
 
     def logfiles