Update lib/rack/file.rb #522

Closed
wants to merge 6 commits

1 participant

@snyff

Fix XSS in path_info

snyff added some commits Feb 20, 2013
@snyff snyff Update lib/rack/file.rb
Fix XSS in path_info
dd2d7d5
@snyff snyff Update lib/rack/directory.rb
fix XSS
66b41c8
@snyff snyff Update lib/rack/file.rb
prevent symlink usage to access files outside of the "mounted" directory
a9abcc7
@snyff snyff Encoding issue
Can lead to XSS
7367a70
@snyff snyff Update lib/rack/auth/digest/md5.rb
secure_compare for digest authentication
df06eb2
@snyff snyff Update example/protectedlobster.rb
More secure example
b8168b5
@rkh rkh commented on the diff Apr 12, 2013
lib/rack/auth/digest/md5.rb
@@ -96,7 +96,7 @@ def valid_nonce?(auth)
def valid_digest?(auth)
pw = @authenticator.call(auth.username)
- pw && digest(auth, pw) == auth.response
+ pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
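Review bot: check that Rack::Utils.secure_compare tolerates a nil second argument before this lands. A client can omit the response parameter, in which case auth.response is nil; the old `==` simply returned false for that, whereas a length-then-bytes comparison that calls bytesize on nil would turn a bad login into a 500. A guard such as `pw && auth.response && Rack::Utils.secure_compare(digest(auth, pw), auth.response)` keeps the constant-time comparison, which is the right fix for this check, without the new failure mode.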
@rkh
Official Rack repositories member
rkh added a line comment Apr 12, 2013

Could you do this in a separate PR? I'd like to merge that.

@rkh rkh commented on the diff Apr 12, 2013
lib/rack/directory.rb
@@ -98,7 +98,7 @@ def list_directory
url << '/' if stat.directory?
basename << '/' if stat.directory?
- @files << [ url, basename, size, type, mtime ]
+ @files << [ url, Utils.escape_html(basename), size, type, mtime ]
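Review bot: escaping basename alone leaves url unprotected, yet url is built from the same entry name two lines up and rendered into the same row, so a file name containing `"` or `&` still lands raw inside the href attribute. Escape (or rather percent-encode) url as well, and consider doing the escaping where the row is rendered into HTML instead of storing escaped strings in @files, since anything else that reads @files now receives entity-encoded names.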
@rkh
rkh added a line comment Apr 12, 2013

This one is good.

@rkh rkh commented on the diff Apr 12, 2013
lib/rack/directory.rb
@@ -127,7 +127,7 @@ def list_path
end
def entity_not_found
- body = "Entity not found: #{@path_info}\n"
+ body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
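Review bot: whether Utils.escape_html belongs here depends on the Content-Type this 404 is sent with, which is outside the hunk. For a text/plain body the escaping is unnecessary and turns a `<` in the requested path into a literal `&lt;` in the message; for text/html, or no Content-Type at all (which browsers may sniff as HTML), it is required. Confirm the header the method sets and add a test that requests a path containing `<script>` either way.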
@rkh
rkh added a line comment Apr 12, 2013

Again, HTML escaping in a text document?

@rkh rkh commented on the diff Apr 12, 2013
lib/rack/file.rb
@@ -51,7 +51,7 @@ def _call(env)
@path = F.join(@root, *clean)
available = begin
- F.file?(@path) && F.readable?(@path)
+ F.file?(@path) && F.readable?(@path) && !F.symlink?(@path)
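Review bot: `!F.symlink?(@path)` inspects only the final component of @path, so a symlinked directory along the way (a link inside @root pointing at /etc, say) still serves files from outside the root, while a legitimately symlinked file under the root is now refused. A containment check that compares `F.realpath(@path)` against `F.realpath(@root)` covers both cases. The line also silently changes behaviour for deployments whose assets or root are symlinks, so expose it as an option rather than a hard default.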
@rkh
rkh added a line comment Apr 12, 2013

This is actually changed behavior. I'm not sure we don't want to follow symlinks. Maybe make this an option?

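As an added example (not Rack's code and not part of this PR), the Ruby below builds a small docroot containing a symlinked file and a symlinked directory that both point outside it, then resolves the same requests under three symlink policies: following symlinks (the pre-patch behaviour), refusing only a symlink at the final component (what the `!F.symlink?(@path)` line in the hunk above does), and a realpath containment check that also serves as the option rkh asks about. The module, method and fixture names are the example's own, and the segment cleaning only approximates what Rack::File does.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not Rack's code: path confinement for a static-file server.
# Follows the shape of Rack::File (split PATH_INFO, clean segments, join under
# root) and then applies one of three symlink policies.
module PathConfinement
  module_function

  # Segment cleaning in the spirit of Rack::File: drop empty and "." segments,
  # and let ".." pop the previous segment (popping nothing at the top).
  def clean_segments(path_info)
    path_info.split("/").each_with_object([]) do |part, clean|
      next if part.empty? || part == "."
      part == ".." ? clean.pop : clean << part
    end
  end

  # Returns the candidate path under root, or nil when it must not be served.
  # :follow      serves through symlinks (the pre-patch behaviour).
  # :final_only  refuses only a symlink at the last component, as the PR's
  #              File.symlink?(@path) check does.
  # :realpath    resolves every component and requires the target to live
  #              under the resolved root, so intermediate symlinks are caught.
  def resolve(root, path_info, policy: :realpath)
    path = File.join(root, *clean_segments(path_info))
    return nil unless File.file?(path) && File.readable?(path)

    case policy
    when :follow
      path
    when :final_only
      File.symlink?(path) ? nil : path
    when :realpath
      real_root = File.realpath(root)
      real_path = File.realpath(path)
      real_path.start_with?(real_root + File::SEPARATOR) ? path : nil
    else
      raise ArgumentError, "unknown policy #{policy.inspect}"
    end
  end
end

# Constructed fixture: a docroot with one regular file plus a symlinked file
# and a symlinked directory, both pointing at a sibling "secret" directory.
def build_fixture
  base = Dir.mktmpdir("confine")
  root = File.join(base, "public")
  secret = File.join(base, "secret")
  FileUtils.mkdir_p([root, secret])
  File.write(File.join(root, "index.html"), "<h1>hi</h1>")
  File.write(File.join(secret, "secret.txt"), "s3cret")
  File.symlink(File.join(secret, "secret.txt"), File.join(root, "leak.txt"))
  File.symlink(secret, File.join(root, "dir"))
  root
end

# For each policy, which of the constructed requests would be served.
def served_paths(root)
  requests = ["/index.html", "/leak.txt", "/dir/secret.txt", "/../secret/secret.txt"]
  %i[follow final_only realpath].each_with_object({}) do |policy, out|
    out[policy] = requests.select { |r| PathConfinement.resolve(root, r, policy: policy) }
  end
end

if $PROGRAM_NAME == __FILE__
  served_paths(build_fixture).each { |policy, served| puts "#{policy}: #{served.inspect}" }
end
```

The `/../secret/secret.txt` request is refused under every policy because segment cleaning never lets the path climb above the root; the two symlink requests are what separate the policies, and only the realpath check refuses the file reached through the symlinked directory.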
@raggi raggi added a commit that closed this pull request Apr 21, 2013
@raggi raggi Sure up HTML escaping in Rack::Directory
 * Supersedes & closes #522
ba98d5f
@raggi raggi closed this in ba98d5f Apr 21, 2013