Only allow GET in Rack::File

kuroda · Dec 17, 2011 · 010315f · 010315f
1 parent db5e128
commit 010315f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/lib/rack/file.rb b/lib/rack/file.rb
@@ -13,6 +13,7 @@ module Rack
 
   class File
     SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
+    ALLOWED_VERBS = %w[GET]
 
     attr_accessor :root
     attr_accessor :path
@@ -32,6 +33,10 @@ def call(env)
     F = ::File
 
     def _call(env)
+      unless ALLOWED_VERBS.include? env["REQUEST_METHOD"]
+        return fail(403, "Forbidden")
+      end
+
       @path_info = Utils.unescape(env["PATH_INFO"])
       parts = @path_info.split SEPS
 

diff --git a/test/spec_file.rb b/test/spec_file.rb
@@ -154,4 +154,21 @@
     heads['Cache-Control'].should.equal 'public, max-age=38'
   end
 
+  should "only support GET and HEAD requests" do
+    req = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT)))
+
+    forbidden = %w[post put delete]
+    forbidden.each do |method|
+
+      res = req.send(method, "/cgi/test")
+      res.should.be.forbidden
+    end
+
+    allowed = %w[get] # TODO: head
+    allowed.each do |method|
+      res = req.send(method, "/cgi/test")
+      res.should.be.successful
+    end
+  end
+
 end