
Update lib/rack/directory.rb #521

Closed
wants to merge 1 commit into from

4 participants

@snyff

File XSS in the path_info

@snyff snyff Update lib/rack/directory.rb
File XSS in the path_info
3e6d46e
@snyff

The same issue is in file.rb line 62

@chneukirchen

Content-Type is text/plain, how is this XSS?

@snyff

No need to do an advisory or get a CVE. I just use Rack and would like this to be fixed since in my use case it could be exploited :)

I submitted another patch to prevent symlinks usage. Not sure if you'd like me to put that as an option to Rack::File or you're happy with the current patch.

Any issue let me know. I can re-submit the same commit as "encoding improvement" if you want to avoid the term XSS ;)

@snyff

If you have a file named something like blah in the directory, the directory listing will also be vulnerable to XSS. I added a patch for this as well

@snyff

I just patched 2 places (the basic auth and digest auth examples) to use secure_compare instead of ==

@rkh
Owner

I still don't understand. HTML escaping in a text document makes no sense. How does the XSS attack work?

@snyff

It can happen with older browsers that will try to load the content even if the Content-Type is text/plain

@raggi
Owner

This is a browser bug, not a bug in our code. The escaping you propose is invalid for the document type.

@raggi raggi closed this
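The disagreement above is about where the fix for a sniffing browser belongs: in the body text (the patch) or in the response headers. The following is an added example, not Rack's own code and not part of this thread, that builds the 404 triple both ways in plain Ruby so the two can be compared without the rack gem. `escape_html` below is an approximation of `Rack::Utils.escape_html` (assumed character set), `not_found_escaped` mirrors the behaviour of the patched `entity_not_found`, `not_found_nosniff` is the header-based alternative, and `review` is a hypothetical checker; none of these names exist in Rack.

```ruby
# Added example (not Rack code): the contested 404 body built two ways.

# Approximation of Rack::Utils.escape_html; assumption: these five characters.
def escape_html(s)
  s.gsub(/[&<>"']/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                    '"' => '&quot;', "'" => '&#x27;')
end

# What the PR does: HTML-escape the path into a text/plain body.
# Every client, browser or not, now sees entity references in plain text.
def not_found_escaped(path_info)
  body = "Entity not found: #{escape_html(path_info)}\n"
  [404, { "Content-Type" => "text/plain",
          "Content-Length" => body.bytesize.to_s }, [body]]
end

# Alternative: leave the text as typed and tell the browser not to
# reinterpret the declared type. The body stays honest plain text.
def not_found_nosniff(path_info)
  body = "Entity not found: #{path_info}\n"
  [404, { "Content-Type" => "text/plain; charset=utf-8",
          "Content-Length" => body.bytesize.to_s,
          "X-Content-Type-Options" => "nosniff" }, [body]]
end

# Hypothetical reviewer check over a Rack triple: is the body still served
# as text/plain, is sniffing forbidden, is Content-Length right, and does
# the body still contain the literal path the client asked for?
def review(response, path_info)
  _status, headers, body = response
  text = body.join
  {
    text_plain:  headers["Content-Type"].start_with?("text/plain"),
    nosniff:     headers["X-Content-Type-Options"] == "nosniff",
    length_ok:   headers["Content-Length"].to_i == text.bytesize,
    path_intact: text.include?(path_info),
  }
end

if __FILE__ == $0
  # Constructed probe: a path that would matter only if rendered as HTML.
  probe = "/<script>alert(1)</script>"
  p review(not_found_escaped(probe), probe)
  p review(not_found_nosniff(probe), probe)
  p not_found_escaped("/a&b")[2].join   # a harmless path is altered too
end
```

Run it with `ruby example.rb`: the escaped variant fails `path_intact` and turns an ordinary `/a&b` into `/a&amp;b`, while the nosniff variant keeps the text intact and sets the header that stops a browser from treating the response as anything but text.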
Commits on Feb 20, 2013
  1. @snyff

    Update lib/rack/directory.rb

    snyff authored
    File XSS in the path_info
Showing with 1 addition and 1 deletion.
  1. +1 −1  lib/rack/directory.rb
2  lib/rack/directory.rb
@@ -127,7 +127,7 @@ def list_path
end
def entity_not_found
- body = "Entity not found: #{@path_info}\n"
+ body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
size = Rack::Utils.bytesize(body)
return [404, {"Content-Type" => "text/plain",
"Content-Length" => size.to_s,
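Review bot: the `+` line HTML-escapes `@path_info` into a body that the context lines three rows below still send as `"Content-Type" => "text/plain"`, so the escaping changes what every client displays (a request for `/a&b` now reads `Entity not found: /a&amp;b`) without there being an HTML context that needs it. If the concern is a browser that sniffs a `text/plain` body as HTML, the header hash in the context lines is the place for the fix (`"X-Content-Type-Options" => "nosniff"`), and the body can keep the literal path. Style point on the same `+` line: it calls `Utils.escape_html` while the next line uses `Rack::Utils.bytesize`; use one qualification consistently.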