Update lib/rack/directory.rb #521

@snyff
Contributor
snyff commented Feb 20, 2013

File XSS in the path_info

@snyff snyff Update lib/rack/directory.rb
File XSS in the path_info
3e6d46e
@snyff
Contributor
snyff commented Feb 20, 2013

The same issue is in file.rb line 62

@chneukirchen
Member

Content-Type is text/plain, how is this XSS?

@snyff
Contributor
snyff commented Feb 20, 2013

In some conditions you can still trigger XSS.

On Wednesday, February 20, 2013, Christian Neukirchen wrote:

Content-Type is text/plain, how is this XSS?



@snyff
Contributor
snyff commented Feb 20, 2013

No need to do an advisory or get a CVE. I just use Rack and would like this to be fixed since in my use case it could be exploited :)

I submitted another patch to prevent symlink usage. Not sure if you'd like me to put that as an option to Rack::File or you're happy with the current patch.

Any issue let me know. I can re-submit the same commit as "encoding improvement" if you want to avoid the term XSS ;)

@snyff
Contributor
snyff commented Feb 28, 2013

If you have a file named something like blah in the directory, the directory listing will also be vulnerable to XSS. I added a patch for this as well.
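The listing problem described in this comment, as an added example that is not Rack's own code: a directory listing is an HTML document, so a file name or `path_info` that contains markup becomes markup in the page unless it is escaped. The entries, the `path_info` value and the helper names below are constructed for the illustration; `CGI.escapeHTML` is the Ruby standard-library escaper.

```ruby
require 'cgi'

# Constructed sample directory entries (not from the Rack PR); one name contains HTML markup.
SAMPLE_ENTRIES = ['README', 'notes.txt', '<b>bold</b>.txt'].freeze

# Naive listing: path_info and each file name are interpolated straight into the HTML,
# so any markup in a name is rendered by the browser as part of the listing page.
def listing_unescaped(path_info, entries)
  rows = entries.map { |name| "<li><a href=\"#{path_info}/#{name}\">#{name}</a></li>" }
  "<h1>#{path_info}</h1><ul>#{rows.join}</ul>"
end

# Escaped listing: every request- or filesystem-controlled string goes through
# CGI.escapeHTML before it is placed in element content or an attribute value.
# CGI.escapeHTML rewrites & < > " and ' to their entity forms.
def listing_escaped(path_info, entries)
  safe_path = CGI.escapeHTML(path_info)
  rows = entries.map do |name|
    safe_name = CGI.escapeHTML(name)
    "<li><a href=\"#{safe_path}/#{safe_name}\">#{safe_name}</a></li>"
  end
  "<h1>#{safe_path}</h1><ul>#{rows.join}</ul>"
end

# Check used to show the difference: a correctly escaped listing contains only the
# element names the template itself emits. Any other tag name came from the data.
def foreign_tags?(html)
  tags = html.scan(%r{</?([a-z0-9]+)}i).flatten.map(&:downcase).uniq
  (tags - %w[h1 ul li a]).any?
end

if __FILE__ == $PROGRAM_NAME
  puts listing_unescaped('/docs', SAMPLE_ENTRIES)
  puts listing_escaped('/docs', SAMPLE_ENTRIES)
end
```

The escaping has to happen in the HTML-producing code (the listing template), not in the file-serving path, which is the distinction the later discussion on this thread turns on: for a response whose Content-Type is text/plain, HTML escaping changes the file's bytes without making the page safer, and the usual defence against a browser re-interpreting the declared type is the `X-Content-Type-Options: nosniff` response header.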

@snyff
Contributor
snyff commented Feb 28, 2013

I just patched 2 places (the basic auth and digest auth examples) to use secure_compare instead of ==.
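Why `secure_compare` rather than `==` for the auth examples, as an added illustration that is not Rack's own `Rack::Utils.secure_compare`: `String#==` stops at the first differing byte, so the time it takes grows with the length of the matching prefix, and a remote caller measuring response times can learn how much of a guess is correct. The instrumented helpers below count byte comparisons instead of measuring time so the effect is deterministic; the credential values and function names are constructed for the example.

```ruby
# Early-exit comparison, instrumented. This mirrors how String#== behaves: it stops
# at the first differing byte. The returned step count is the side channel, since it
# grows with the length of the matching prefix.
def early_exit_steps(a, b)
  return 0 unless a.bytesize == b.bytesize
  steps = 0
  a.bytes.zip(b.bytes) do |x, y|
    steps += 1
    return steps if x != y
  end
  steps
end

# Constant-time comparison, instrumented. Every byte is XORed into an accumulator and
# the result is only inspected at the end, so the step count is identical for any two
# inputs of equal length, whether they match or not.
def constant_time_steps(a, b)
  return 0 unless a.bytesize == b.bytesize
  steps = 0
  diff = 0
  a.bytes.zip(b.bytes) do |x, y|
    steps += 1
    diff |= x ^ y
  end
  steps
end

# The comparison to use for passwords, tokens and digests (added illustration, not
# Rack's implementation). Different lengths are rejected up front; equal-length inputs
# are compared without any data-dependent branch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed credentials for a Basic-auth style check (hypothetical values, not from the PR).
EXPECTED_USER = 'admin'.freeze
EXPECTED_PASS = 'correct-horse-battery-staple'.freeze

# Both comparisons always run: `&` on booleans does not short-circuit the way `&&` does,
# so a wrong username does not make the check return faster than a wrong password.
def credentials_valid?(user, pass)
  secure_compare(user, EXPECTED_USER) & secure_compare(pass, EXPECTED_PASS)
end

if __FILE__ == $PROGRAM_NAME
  puts "early exit, first byte wrong:  #{early_exit_steps('secret-0000', 'xecret-0000')} steps"
  puts "early exit, last byte wrong:   #{early_exit_steps('secret-0000', 'secret-0001')} steps"
  puts "constant time, first wrong:    #{constant_time_steps('secret-0000', 'xecret-0000')} steps"
  puts "constant time, last wrong:     #{constant_time_steps('secret-0000', 'secret-0001')} steps"
end
```

The length check at the top of `secure_compare` still leaks the length of the expected secret; where that matters, a common design choice is to compare fixed-length digests of both inputs instead of the raw strings, so the comparison length no longer depends on the secret.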

@rkh
Member
rkh commented Apr 12, 2013

I still don't understand. HTML escaping in a text document makes no sense. How does the XSS attack work?

@snyff
Contributor
snyff commented Apr 15, 2013

It can happen with older browsers that will try to load the content even if the Content-Type is text/plain.

@raggi
Member
raggi commented Apr 21, 2013

This is a browser bug, not a bug in our code. The escaping you propose is invalid for the document type.

@raggi raggi closed this Apr 21, 2013