File XSS in the path_info
The same issue is in file.rb line 62
Content-Type is text/plain, how is this XSS?
No need to do an advisory or get a CVE. I just use Rack and would like this to be fixed since in my use case it could be exploited :)
I submitted another patch to prevent symlink usage. Not sure if you'd like me to put that as an option to Rack::File or you're happy with the current patch.
Any issue let me know. I can re-submit the same commit as "encoding improvement" if you want to avoid the term XSS ;)
If you have a file named something like blah in the directory, the directory listing will also be vulnerable to XSS. I added a patch for this as well.
I just patched in 2 places (example of basic auth and digest auth) to use secure_compare instead of ==.
I still don't understand. HTML escaping in a text document makes no sense. How does the XSS attack work?
It can happen with older browsers that will try to load the content even if the content-type is text/plain.
This is a browser bug, not a bug in our code. The escaping you propose is invalid for the document type.
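An added example (not code from Rack or from either participant) that puts the two fixes discussed in this thread into one small Rack-style handler: the path_info echoed in the "file not found" body is HTML-escaped, and the basic-auth credentials are checked with a constant-time compare in the spirit of Rack::Utils.secure_compare (reimplemented here so the block runs without the rack gem). It also sets X-Content-Type-Options: nosniff, which is the standard defence against the content sniffing described above but is not part of the thread's patch; the credentials and the handler name are constructed.

```ruby
require "cgi"

# Constant-time comparison of two strings, like Rack::Utils.secure_compare.
# Every byte is examined regardless of where the first mismatch is, so the
# time taken does not leak how many leading bytes of the guess were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed credentials for the example; a real app would load these
# from configuration.
CONSTRUCTED_USER = "alice"
CONSTRUCTED_PASS = "s3cret"

# Hypothetical Rack-style application: returns [status, headers, body].
# It never finds a file; it only demonstrates the 401 and 404 paths.
def serve_file(env)
  auth = env["HTTP_AUTHORIZATION"].to_s
  ok = false
  if auth.start_with?("Basic ")
    user, pass = auth.sub("Basic ", "").unpack1("m").split(":", 2)
    # Single & (not &&) so both compares always run.
    ok = secure_compare(user.to_s, CONSTRUCTED_USER) &
         secure_compare(pass.to_s, CONSTRUCTED_PASS)
  end
  unless ok
    return [401, { "content-type" => "text/plain",
                   "www-authenticate" => 'Basic realm="files"' },
            ["Unauthorized\n"]]
  end

  path = env["PATH_INFO"].to_s
  headers = {
    "content-type" => "text/plain",
    # Tells browsers not to second-guess text/plain as HTML.
    "x-content-type-options" => "nosniff"
  }
  # The request path is attacker-controlled, so escape it before echoing it.
  [404, headers, ["File not found: #{CGI.escapeHTML(path)}\n"]]
end
```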