Update lib/rack/directory.rb #521


4 participants

Louis Nyffenegger Christian Neukirchen Konstantin Haase James Tucker
Louis Nyffenegger

File XSS in the path_info

Louis Nyffenegger Update lib/rack/directory.rb
File XSS in the path_info
Louis Nyffenegger

The same issue is in file.rb line 62

Christian Neukirchen

Content-Type is text/plain, how is this XSS?

Louis Nyffenegger

No need to do an advisory or get a CVE. I just use Rack and would like this to be fixed since in my use case it could be exploited :)

I submitted another patch to prevent symlinks usage. Not sure if you'd like me to put that as an option to Rack::File or you're happy with the current patch.

Any issue let me know. I can re-submit the same commit as "encoding improvement" if you want to avoid the term XSS ;)

Louis Nyffenegger

I just patched 2 places (example of basic auth and digest auth) to use secure_compare instead of ==

Konstantin Haase
rkh commented April 12, 2013

I still don't understand. HTML escaping in a text document makes no sense. How does the XSS attack work?

Louis Nyffenegger
snyff commented April 14, 2013

It can happen with older browsers that will try to load the content even if the content-type is text/plain

James Tucker
raggi commented April 21, 2013

This is a browser bug, not a bug in our code. The escaping you propose is invalid for the document type.

James Tucker raggi closed this April 21, 2013

Showing 1 unique commit by 1 author.

Feb 20, 2013
Louis Nyffenegger Update lib/rack/directory.rb
File XSS in the path_info

Showing 1 changed file with 1 addition and 1 deletion.

  1. 2  lib/rack/directory.rb
2  lib/rack/directory.rb
@@ -127,7 +127,7 @@ def list_path
127 127
128 128
129 129
     def entity_not_found
-      body = "Entity not found: #{@path_info}\n"
+      body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
131 131
       size = Rack::Utils.bytesize(body)
132 132
       return [404, {"Content-Type" => "text/plain",
133 133
         "Content-Length" => size.to_s,
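Review bot: In entity_not_found, the `body =` line HTML-escapes @path_info, but the response built three lines below is sent with "Content-Type" => "text/plain", so a conforming client displays the entities literally (a path containing < shows up as &lt;) and the escaping only has an effect in a client that ignores the declared type. If the concern is content sniffing, I would address it in the header hash instead, for example by adding "X-Content-Type-Options" => "nosniff" next to "Content-Type", and leave the body unescaped; if the body is meant to be safe when rendered as HTML, the declared content type should say so. Minor style point: this line calls Utils.escape_html while the following line uses the fully qualified Rack::Utils.bytesize; use one form within the method.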
