Update lib/rack/directory.rb #521


4 participants


File XSS in the path_info

@snyff snyff Update lib/rack/directory.rb
File XSS in the path_info

The same issue is in file.rb line 62


Content-Type is text/plain, how is this XSS?


No need to do an advisory or get a CVE. I just use Rack and would like this to be fixed since in my use case it could be exploited :)

I submitted another patch to prevent symlinks usage. Not sure if you'd like me to put that as an option to Rack::File or you're happy with the current patch.

Any issue, let me know. I can re-submit the same commit as "encoding improvement" if you want to avoid the term XSS ;)


If you have a file named something like blah in the directory, the directory listing will be also vulnerable to XSS. I added a patch for this as well


I just patched in 2 places (the basic auth and digest auth examples) to use secure_compare instead of ==


I still don't understand. HTML escaping in a text document makes no sense. How does the XSS attack work?


It can happen with older browsers that will try to load the content even if the content-type is text/plain


This is a browser bug, not a bug in our code. The escaping you propose is invalid for the document type.

@raggi raggi closed this
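The disagreement above turns on which document type the untrusted path ends up in. The following is an added example, not Rack's code and not anything posted in this thread: it contrasts a text/plain 404 (where HTML escaping is the wrong tool and the sniffing concern is handled by an X-Content-Type-Options: nosniff header) with an HTML directory listing of the kind the later comment describes, where file names do need escaping. The handler names `entity_not_found`, `directory_listing` and `body_text` are this example's own; CGI.escapeHTML and ERB::Util.url_encode from the Ruby standard library stand in for Rack::Utils helpers.

```ruby
# Added example, not part of lib/rack/directory.rb.
# Two Rack-style handlers (status, headers, body) showing where HTML
# escaping of a request path belongs and where it does not.
require 'cgi'
require 'erb'

# text/plain 404 (hypothetical handler, modelled on the hunk under review).
# The path goes into the body verbatim: escaping it for HTML would alter a
# plain-text document ("&" would arrive as "&amp;"). The browser-sniffing
# worry raised in the thread is addressed by the nosniff header instead.
def entity_not_found(path_info)
  body = "Entity not found: #{path_info}\n"
  [404,
   { "Content-Type" => "text/plain",
     "Content-Length" => body.bytesize.to_s,
     "X-Content-Type-Options" => "nosniff" },
   [body]]
end

# text/html listing (hypothetical handler). Here the path and every file
# name are untrusted data inside an HTML document, so they are escaped for
# text content (CGI.escapeHTML covers & < > " ') and percent-encoded when
# used as a URL path segment in the href.
def directory_listing(path_info, names)
  rows = names.map do |name|
    href = ERB::Util.url_encode(name)
    "<li><a href=\"#{href}\">#{CGI.escapeHTML(name)}</a></li>"
  end
  body = "<html><body><h1>#{CGI.escapeHTML(path_info)}</h1><ul>\n" \
         "#{rows.join("\n")}\n</ul></body></html>\n"
  [200,
   { "Content-Type" => "text/html",
     "Content-Length" => body.bytesize.to_s,
     "X-Content-Type-Options" => "nosniff" },
   [body]]
end

# Join the Rack body array back into one string for inspection.
def body_text(response)
  response[2].join
end

if __FILE__ == $0
  # Constructed sample input: a path and a file name carrying HTML markup.
  hostile = "<script>alert(1)</script>"
  status, headers, = entity_not_found("/#{hostile}")
  puts "#{status} #{headers.inspect}"
  puts body_text(entity_not_found("/#{hostile}"))
  puts body_text(directory_listing("/", ["README", hostile]))
end
```

Run it with `ruby example.rb`: the 404 body still contains the raw markup (correct for text/plain, and harmless once nosniff is set), while the listing contains only the escaped form.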
Commits on Feb 20, 2013
  1. @snyff

    Update lib/rack/directory.rb

    snyff committed
    File XSS in the path_info
Showing 1 addition and 1 deletion.
lib/rack/directory.rb (+1 −1)
@@ -127,7 +127,7 @@ def list_path
def entity_not_found
- body = "Entity not found: #{@path_info}\n"
+ body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
size = Rack::Utils.bytesize(body)
return [404, {"Content-Type" => "text/plain",
"Content-Length" => size.to_s,
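Review bot: the escaping on the `+` line is for the wrong document type: the response built two lines below is sent with `"Content-Type" => "text/plain"`, so `Utils.escape_html(@path_info)` changes what a plain-text client sees (a `&` in the path arrives as `&amp;`) without making the body HTML. If the concern is a browser sniffing this 404 body as HTML, keep `body = "Entity not found: #{@path_info}\n"` as it was and add `"X-Content-Type-Options" => "nosniff"` to the header hash instead. Content-Length is computed after the substitution, so it stays consistent either way; if the escaping is kept, qualify it as `Rack::Utils.escape_html` to match `Rack::Utils.bytesize` on the next line.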