Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Update lib/rack/directory.rb #521

wants to merge 1 commit into from

4 participants

Louis Nyffenegger Christian Neukirchen Konstantin Haase James Tucker
Louis Nyffenegger

File XSS in the path_info

Louis Nyffenegger snyff Update lib/rack/directory.rb
File XSS in the path_info
Louis Nyffenegger

The same issue is in file.rb line 62

Christian Neukirchen

Content-Type is text/plain, how is this XSS?

Louis Nyffenegger
Louis Nyffenegger

No need to do an advisory or get a CVE. I just use Rack and would like this to be fixed since in my use case it could be exploited :)

I submitted another patch to prevent symlinks usage. Not sure if you'd like me to put that as an option to Rack::File or you're happy with the current patch.

Any issue let me know. I can re-submit the same commit as "encoding improvement" if you want to avoid the term XSS ;)

Louis Nyffenegger

If you have a file named something like blah in the directory, the directory listing will be also vulnerable to XSS. I added a patch for this as well

Louis Nyffenegger

I just patch in 2 places (example of basic auth and digest auth) to use secure_compare instead of ==

Konstantin Haase

I still don't understand. HTML escaping in a text document makes no sense. How does the XSS attack work?

Louis Nyffenegger

It can happens with older browsers that will try to load the content even if the content-type is text/plain

James Tucker

This is a browser bug, not a bug in our code. The escaping you propose is invalid for the document type.

James Tucker raggi closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Feb 20, 2013
  1. Louis Nyffenegger

    Update lib/rack/directory.rb

    snyff authored
    File XSS in the path_info
This page is out of date. Refresh to see the latest.
Showing with 1 addition and 1 deletion.
  1. +1 −1  lib/rack/directory.rb
2  lib/rack/directory.rb
@@ -127,7 +127,7 @@ def list_path
def entity_not_found
- body = "Entity not found: #{@path_info}\n"
+ body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
size = Rack::Utils.bytesize(body)
return [404, {"Content-Type" => "text/plain",
"Content-Length" => size.to_s,
Something went wrong with that request. Please try again.