
Update lib/rack/file.rb #522

Closed. Wants to merge 6 commits.

snyff (Contributor) commented Feb 20, 2013

Fix XSS in path_info

snyff added some commits Feb 20, 2013:

dd2d7d5 Update lib/rack/file.rb: Fix XSS in path_info
66b41c8 Update lib/rack/directory.rb: fix XSS
a9abcc7 Update lib/rack/file.rb: prevent symlink usage to access files outside of the "mounted" directory
7367a70 Encoding issue: Can lead to XSS
df06eb2 Update lib/rack/auth/digest/md5.rb: secure_compare for digest authentication
b8168b5 Update example/protectedlobster.rb: More secure example

rkh commented on the diff Apr 12, 2013

lib/rack/auth/digest/md5.rb
@@ -96,7 +96,7 @@ def valid_nonce?(auth)
def valid_digest?(auth)
pw = @authenticator.call(auth.username)
- pw && digest(auth, pw) == auth.response
+ pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
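Review bot: the old `==` tolerated a missing `response` parameter (nil simply compared unequal), but `Rack::Utils.secure_compare` expects two strings, so a Digest header sent without `response=` would now raise instead of failing authentication; guard it as `pw && auth.response && Rack::Utils.secure_compare(digest(auth, pw), auth.response)`. The early length check inside `secure_compare` is acceptable here because the expected value is a fixed-width hex digest, so its length is not secret.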
rkh (Member), Apr 12, 2013:

Could you do this in a separate PR? I'd like to merge that.

rkh commented on the diff Apr 12, 2013

lib/rack/directory.rb
@@ -98,7 +98,7 @@ def list_directory
url << '/' if stat.directory?
basename << '/' if stat.directory?
- @files << [ url, basename, size, type, mtime ]
+ @files << [ url, Utils.escape_html(basename), size, type, mtime ]
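Review bot: escaping `basename` at the point where it is stored in `@files` bakes HTML encoding into a data structure that is only later interpolated into the listing template; calling `Utils.escape_html` at the interpolation site instead keeps the raw file name available and prevents a future consumer of `@files` from double-escaping it. Also confirm that `url`, which is derived from the same file name and ends up inside an `href` attribute, is escaped for that attribute context as well.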
rkh (Member), Apr 12, 2013:

This one is good.

rkh commented on the diff Apr 12, 2013

lib/rack/directory.rb
@@ -127,7 +127,7 @@ def list_path
end
def entity_not_found
- body = "Entity not found: #{@path_info}\n"
+ body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
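Review bot: whether this escaping is correct depends on the Content-Type the `entity_not_found` body is served with, which the hunk does not show: for a `text/plain` response it is unnecessary and turns a legitimate path such as `a&b` into `a&amp;b`, while for `text/html` it is required. Check the header set alongside this body and either drop the escaping or serve the body explicitly as `text/plain` so a browser will not interpret the echoed path as HTML.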
rkh (Member), Apr 12, 2013:

Again, HTML escaping in a text document?

rkh commented on the diff Apr 12, 2013

lib/rack/file.rb
@@ -51,7 +51,7 @@ def _call(env)
@path = F.join(@root, *clean)
available = begin
- F.file?(@path) && F.readable?(@path)
+ F.file?(@path) && F.readable?(@path) && !F.symlink?(@path)
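Review bot: `!F.symlink?(@path)` only inspects the final path component, so a symlink in a parent directory (`@root/link/file`, with `link` pointing outside `@root`) still passes, while symlinks that legitimately point inside the served tree are now rejected. A containment check on the resolved path, e.g. `F.realpath(@path).start_with?(F.realpath(@root) + '/')` (Ruby 1.9+), enforces the stated goal of the commit without breaking symlinks within the root, and it fits naturally behind an option if following symlinks is to remain configurable.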
rkh (Member), Apr 12, 2013:

This is actually changed behavior. I'm not sure we don't want to follow symlinks. Maybe make this an option?

raggi closed this in ba98d5f, Apr 21, 2013
