
Update lib/rack/file.rb #522

Closed
wants to merge 6 commits into from

2 participants

Louis Nyffenegger Konstantin Haase
Louis Nyffenegger

Fix XSS in path_info

added some commits
Louis Nyffenegger Update lib/rack/file.rb
Fix XSS in path_info
dd2d7d5
Louis Nyffenegger Update lib/rack/directory.rb
fix XSS
66b41c8
Louis Nyffenegger Update lib/rack/file.rb
prevent symlink usage to access files outside of the "mounted" directory
a9abcc7
Louis Nyffenegger Encoding issue
Can lead to XSS
7367a70
Louis Nyffenegger Update lib/rack/auth/digest/md5.rb
secure_compare for digest authentication
df06eb2
Louis Nyffenegger Update example/protectedlobster.rb
More secure example
b8168b5
Konstantin Haase rkh commented on the diff
lib/rack/auth/digest/md5.rb
@@ -96,7 +96,7 @@ def valid_nonce?(auth)
96 96
 
97 97
         def valid_digest?(auth)
98 98
           pw = @authenticator.call(auth.username)
99  
-          pw && digest(auth, pw) == auth.response
  99
+          pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
Konstantin Haase Collaborator
rkh added a note

Could you do this in a separate PR? I'd like to merge that.

Konstantin Haase rkh commented on the diff
lib/rack/directory.rb
@@ -98,7 +98,7 @@ def list_directory
98 98
         url << '/'  if stat.directory?
99 99
         basename << '/'  if stat.directory?
100 100
 
101  
-        @files << [ url, basename, size, type, mtime ]
  101
+        @files << [ url, Utils.escape_html(basename), size, type, mtime ]
Konstantin Haase Collaborator
rkh added a note

This one is good.

Konstantin Haase rkh commented on the diff
lib/rack/directory.rb
@@ -127,7 +127,7 @@ def list_path
127 127
     end
128 128
 
129 129
     def entity_not_found
130  
-      body = "Entity not found: #{@path_info}\n"
  130
+      body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
Konstantin Haase Collaborator
rkh added a note

Again, HTML escaping in a text document?

Konstantin Haase rkh commented on the diff
lib/rack/file.rb
@@ -51,7 +51,7 @@ def _call(env)
51 51
       @path = F.join(@root, *clean)
52 52
 
53 53
       available = begin
54  
-        F.file?(@path) && F.readable?(@path)
  54
+        F.file?(@path) && F.readable?(@path) && !F.symlink?(@path)
Konstantin Haase Collaborator
rkh added a note

This is actually changed behavior. I'm not sure we don't want to follow symlinks. Maybe make this an option?

James Tucker raggi closed this pull request from a commit
James Tucker Sure up HTML escaping in Rack::Directory
 * Supersedes & closes #522
ba98d5f
James Tucker raggi closed this in ba98d5f

Showing 6 unique commits by 1 author.

Feb 20, 2013
Louis Nyffenegger Update lib/rack/file.rb
Fix XSS in path_info
dd2d7d5
Louis Nyffenegger Update lib/rack/directory.rb
fix XSS
66b41c8
Louis Nyffenegger Update lib/rack/file.rb
prevent symlink usage to access files outside of the "mounted" directory
a9abcc7
Feb 28, 2013
Louis Nyffenegger Encoding issue
Can lead to XSS
7367a70
Louis Nyffenegger Update lib/rack/auth/digest/md5.rb
secure_compare for digest authentication
df06eb2
Louis Nyffenegger Update example/protectedlobster.rb
More secure example
b8168b5
2  example/protectedlobster.rb
@@ -4,7 +4,7 @@
4 4
 lobster = Rack::Lobster.new
5 5
 
6 6
 protected_lobster = Rack::Auth::Basic.new(lobster) do |username, password|
7  
-  'secret' == password
  7
+  Rack::Utils.secure_compare('secret', password)
8 8
 end
9 9
 
10 10
 protected_lobster.realm = 'Lobster 2.0'
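Review bot: `password` is handed straight to `Rack::Utils.secure_compare`, which compares the byte length and bytes of two strings; the old `'secret' == password` simply returned false for a nil password, whereas the new call will raise instead of denying. Guard it: `password && Rack::Utils.secure_compare('secret', password)`. The switch to a constant-time comparison is otherwise the right change for an example that people will copy.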
2  lib/rack/auth/digest/md5.rb
@@ -96,7 +96,7 @@ def valid_nonce?(auth)
96 96
 
97 97
         def valid_digest?(auth)
98 98
           pw = @authenticator.call(auth.username)
99  
-          pw && digest(auth, pw) == auth.response
  99
+          pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
100 100
         end
101 101
 
102 102
         def md5(data)
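Review bot: `auth.response` comes from the client's Authorization header and may be absent; `digest(auth, pw) == auth.response` returned false for nil, but `secure_compare` operates on the byte length of both arguments and does not tolerate a nil. Guard with `pw && auth.response && Rack::Utils.secure_compare(digest(auth, pw), auth.response)`. As already noted in review, this is unrelated to the HTML-escaping fixes and merges more easily as its own PR.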
6  lib/rack/directory.rb
@@ -98,7 +98,7 @@ def list_directory
98 98
         url << '/'  if stat.directory?
99 99
         basename << '/'  if stat.directory?
100 100
 
101  
-        @files << [ url, basename, size, type, mtime ]
  101
+        @files << [ url, Utils.escape_html(basename), size, type, mtime ]
102 102
       end
103 103
 
104 104
       return [ 200, {'Content-Type'=>'text/html; charset=utf-8'}, self ]
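Review bot: only `basename` is escaped here while `url`, built on the same `stat.directory?` branch just above, goes into the same `@files` row and therefore into the same HTML template unescaped; a name that needs escaping in the link text needs it in the href too. Escaping at collection time also ties `@files` to one output format; escaping each field at the point where the row is rendered into the template keeps the stored data raw and the page safe. The 200 response is `text/html; charset=utf-8`, so HTML escaping is the right treatment for this listing, unlike the text/plain 404 body further down.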
@@ -127,7 +127,7 @@ def list_path
127 127
     end
128 128
 
129 129
     def entity_not_found
130  
-      body = "Entity not found: #{@path_info}\n"
  130
+      body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
131 131
       size = Rack::Utils.bytesize(body)
132 132
       return [404, {"Content-Type" => "text/plain",
133 133
         "Content-Length" => size.to_s,
@@ -135,7 +135,7 @@ def entity_not_found
135 135
     end
136 136
 
137 137
     def each
138  
-      show_path = @path.sub(/^#{@root}/,'')
  138
+      show_path = Utils.escape_html(@path.sub(/^#{@root}/,''))
139 139
       files = @files.map{|f| DIR_FILE % f }*"\n"
140 140
       page  = DIR_PAGE % [ show_path, show_path , files ]
141 141
       page.each_line{|l| yield l }
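Review bot: escaping `show_path` is the right place for it, since the value is substituted twice into `DIR_PAGE` below, but the pre-existing `sub(/^#{@root}/,'')` interpolates `@root` into a regexp without `Regexp.escape`, so a root containing metacharacters (`.`, `+`, `(`) is not stripped as intended. Suggest `Utils.escape_html(@path.sub(/^#{Regexp.escape(@root)}/, ''))`.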
4  lib/rack/file.rb
@@ -51,7 +51,7 @@ def _call(env)
51 51
       @path = F.join(@root, *clean)
52 52
 
53 53
       available = begin
54  
-        F.file?(@path) && F.readable?(@path)
  54
+        F.file?(@path) && F.readable?(@path) && !F.symlink?(@path)
55 55
       rescue SystemCallError
56 56
         false
57 57
       end
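Review bot: `!F.symlink?(@path)` only rejects a symlink as the final component of `@path`; a symlink in any intermediate directory of `clean` still resolves through `F.file?` and `F.readable?`, so this does not deliver the containment the commit message promises. If the goal is to refuse files outside `@root`, resolve with `F.realpath(@path)` and check that the result lies under `F.realpath(@root)`. And, as the review notes, refusing symlinks is a behaviour change for existing users, so it belongs behind an option rather than becoming the default.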
@@ -59,7 +59,7 @@ def _call(env)
59 59
       if available
60 60
         serving(env)
61 61
       else
62  
-        fail(404, "File not found: #{path_info}")
  62
+        fail(404, "File not found: #{Utils.escape_html(path_info)}")
63 63
       end
64 64
     end
65 65
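Review bot: whether this escape is needed depends on how `fail` serves the message; if it emits a `text/plain` body, as `entity_not_found` in `lib/rack/directory.rb` does, `Utils.escape_html` turns a literal `<` in the path into `&lt;` in the 404 text with no security gain. Check the content type `fail` sets and keep the escape only if the body is HTML; better still, the 404 message need not echo `path_info` at all.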
 