Fix directory traversal exploits in Rack::File and Rack::Directory

commit 84245c6379c36644fa29c47523186daaa7a3fec6 1 parent 3568c0d
@chneukirchen chneukirchen authored
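An added example, not Rack's own code, that reproduces the ordering bug this commit fixes in miniature. `unescape_once` is a stand-in for `Rack::Utils.unescape` and is assumed to decode `%XX` sequences exactly once; `resolve_before_fix` tests the raw PATH_INFO for `..` and then decodes, as the old lib/rack/file.rb did, while `resolve_after_fix` decodes first, as the patched code does. `contained?` is a containment check the commit does not add, shown as a defence-in-depth option. The root directory and request paths are constructed for the example and nothing is read from disk.

```ruby
# Added example (not Rack's code). Reproduces the check-before-decode bug
# and the fixed ordering from Rack 0.9.1, plus an optional containment check.

# Stand-in for Rack::Utils.unescape (assumption): decode %XX exactly once.
def unescape_once(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Pre-fix ordering: the ".." test runs on the raw PATH_INFO, then the
# string is decoded. "%2E%2E" passes the test and decodes to "..".
def resolve_before_fix(root, path_info)
  return :forbidden if path_info.include?("..")
  File.join(root, unescape_once(path_info))
end

# Fixed ordering: decode first, then test the decoded string. A single
# decode means "%252E" becomes the literal "%2E", which is not "..".
def resolve_after_fix(root, path_info)
  decoded = unescape_once(path_info)
  return :forbidden if decoded.include?("..")
  File.join(root, decoded)
end

# Defence-in-depth (not in the commit): after joining, require the expanded
# result to be the root itself or to live strictly underneath it. This does
# not depend on spotting ".." in the input at all.
def contained?(root, path)
  base = File.expand_path(root)
  full = File.expand_path(path)
  full == base || full.start_with?(base + File::SEPARATOR)
end

if __FILE__ == $0
  root = "/srv/www"  # constructed; no files are touched
  ["/cgi/test", "/../README", "/%2E%2E/README", "/%252E%252E/README"].each do |p|
    before = resolve_before_fix(root, p)
    after  = resolve_after_fix(root, p)
    puts "#{p.ljust(22)} before=#{before.inspect.ljust(26)} after=#{after.inspect}"
    puts "  joined path escapes root" if before.is_a?(String) && !contained?(root, before)
  end
end
```

Running the block shows `/%2E%2E/README` slipping past the old check and resolving to `/srv/www/../README`, while the fixed ordering returns `:forbidden`; the double-encoded request decodes once to a literal `%2E%2E` directory name and is neither forbidden nor a traversal.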
8 README
@@ -224,6 +224,9 @@ run on port 11211) and memcache-client installed.
* Made HeaderHash case-preserving.
* Many bugfixes and small improvements.
+* January 9th, 2009: Sixth public release 0.9.1.
+ * Fix directory traversal exploits in Rack::File and Rack::Directory.
+
== Contact
Please mail bugs, suggestions and patches to
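Review bot: the new 0.9.1 changelog line names the fix but not the bug, so someone auditing an older deployment cannot tell from the README what was exploitable. Suggest saying what changed, e.g. `* Fix directory traversal in Rack::File and Rack::Directory: the ".." check now runs after PATH_INFO is unescaped, so percent-encoded dots (%2E%2E) are rejected.`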
@@ -258,8 +261,9 @@ would like to thank:
* Tim Fletcher, for the HTTP authentication code.
* Luc Heinrich for the Cookie sessions, the static file handler and bugfixes.
* Armin Ronacher, for the logo and racktools.
-* Aredridel, Ben Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd, and
- Phil Hagelberg for bug fixing and other improvements.
+* Aredridel, Ben Alpert, Dan Kubb, Daniel Roethlisberger, Matt Todd,
+ Tom Robinson, and Phil Hagelberg for bug fixing and other
+ improvements.
* Stephen Bannasch, for bug reports and documentation.
* Gary Wright, for proposing a better Rack::Response interface.
* Jonathan Buch, for improvements regarding Rack::Response.
5 lib/rack/directory.rb
@@ -54,12 +54,13 @@ def call(env)
def _call(env)
@env = env
- @path_info, @script_name = env.values_at('PATH_INFO', 'SCRIPT_NAME')
+ @script_name = env['SCRIPT_NAME']
+ @path_info = Utils.unescape(env['PATH_INFO'])
if forbidden = check_forbidden
forbidden
else
- @path = F.join(@root, Utils.unescape(@path_info))
+ @path = F.join(@root, @path_info)
list_path
end
end
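Review bot: decoding `@path_info` before `check_forbidden` runs is the right order, but the hunk still trusts a string test on the input to keep `@path` under `@root`; assuming `check_forbidden` applies the same `..` substring test that lib/rack/file.rb uses (the spec's `/cgi/../test` case says it does), it will also reject legitimate names such as `notes..txt` while proving nothing about the joined result. Suggest a containment check after `@path = F.join(@root, @path_info)`, comparing `F.expand_path(@path)` against `F.expand_path(@root)` and returning `forbidden` when the result is outside the root, so the guarantee rests on the resolved path rather than on what the request happened to contain.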
4 lib/rack/file.rb
@@ -23,9 +23,9 @@ def call(env)
F = ::File
def _call(env)
- return forbidden if env["PATH_INFO"].include? ".."
-
@path_info = Utils.unescape(env["PATH_INFO"])
+ return forbidden if @path_info.include? ".."
+
@path = F.join(@root, @path_info)
begin
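Review bot: moving `return forbidden if @path_info.include? ".."` below `Utils.unescape` closes the `%2E%2E` bypass, but that line is now the only thing between the request and `F.join(@root, @path_info)`, and it is a substring match: any file whose name contains two consecutive dots becomes unservable, and nothing checks where the joined path actually lands. Suggest keeping the fast `..` rejection and adding a check that `F.expand_path(@path)` starts with `F.expand_path(@root)` followed by a separator, returning `forbidden` otherwise, so a future decoding change in `Utils.unescape` cannot reopen the hole. A one-line comment above the check explaining why the unescape must come first would also stop the ordering from being "tidied" back.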
5 test/spec_rack_directory.rb
@@ -45,6 +45,11 @@
get("/cgi/../test")
res.should.be.forbidden
+
+ res = Rack::MockRequest.new(Rack::Lint.new(app)).
+ get("/cgi/%2E%2E/test")
+
+ res.should.be.forbidden
end
specify "404s if it can't find the file" do
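Review bot: the added case only exercises upper-case `%2E%2E`; since `Utils.unescape` now runs before `check_forbidden`, the same path should be pinned with lower-case hex (`/cgi/%2e%2e/test`), an encoded slash (`/cgi/..%2Ftest`) and a mixed form (`/cgi/.%2E/test`), each expecting `res.should.be.forbidden`, so that any regression in the decode order or in the check shows up on the first variant that differs from the one here.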
7 test/spec_rack_file.rb
@@ -41,6 +41,13 @@
res.should.be.forbidden
end
+ specify "does not allow directory traversal with encoded periods" do
+ res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
+ get("/%2E%2E/README")
+
+ res.should.be.forbidden
+ end
+
specify "404s if it can't find the file" do
res = Rack::MockRequest.new(Rack::Lint.new(Rack::File.new(DOCROOT))).
get("/cgi/blubb")
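Review bot: the new spec asserts only the negative case. Two companions would pin the intended behaviour: a request that decodes to a real file (for example a percent-encoded letter in an existing name under DOCROOT), confirming that decoding before the check still serves normal files, and a double-encoded request such as `/%252E%252E/README`, which `Utils.unescape` reduces to the literal `%2E%2E`; that should reach the filesystem as a directory name and 404, not be decoded a second time into `..`. Pinning that in the spec guards against a later second decode being added.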