Merge pull request #158 from guard/fix_path_traversal_vulnerability

Prevent requesting arbitrary file paths via socket
guard · Feb 4, 2016 · 0e98469 · 0e98469
2 parents 09ecacc + a24c99e
commit 0e98469
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/lib/guard/livereload/websocket.rb b/lib/guard/livereload/websocket.rb
@@ -6,6 +6,9 @@
 module Guard
   class LiveReload
     class WebSocket < EventMachine::WebSocket::Connection
+      HTTP_DATA_FORBIDDEN = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: 13\r\n\r\n403 Forbidden"
+      HTTP_DATA_NOT_FOUND = "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nContent-Length: 13\r\n\r\n404 Not Found"
+
       def initialize(options)
         @livereload_js_path = options[:livereload_js_path]
         super
@@ -58,8 +61,8 @@ def _livereload_js_path
 
       def _serve(path)
         return _serve_file(_livereload_js_path) if path == './livereload.js'
-        return _serve_file(path) if _readable_file(path)
-        send_data("HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nContent-Length: 13\r\n\r\n404 Not Found")
+        data = _readable_file(path) ? HTTP_DATA_FORBIDDEN : HTTP_DATA_NOT_FOUND
+        send_data(data)
         close_connection_after_writing
       end