Update lib/rack/file.rb #522

Closed
wants to merge 6 commits into
from
@@ -4,7 +4,7 @@
lobster = Rack::Lobster.new
protected_lobster = Rack::Auth::Basic.new(lobster) do |username, password|
- 'secret' == password
+ Rack::Utils.secure_compare('secret', password)
end
protected_lobster.realm = 'Lobster 2.0'
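Review bot: this change is outside the file this PR is titled for (lib/rack/file.rb); split it into its own PR as rkh asks. Before moving it, check that the block still tolerates a missing password: `'secret' == password` was simply false for a nil password, whereas `Rack::Utils.secure_compare('secret', password)` is handed the raw value and may raise rather than return false. Guarding it as `password && Rack::Utils.secure_compare('secret', password)` keeps the old failure mode.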
@@ -96,7 +96,7 @@ def valid_nonce?(auth)
def valid_digest?(auth)
pw = @authenticator.call(auth.username)
- pw && digest(auth, pw) == auth.response
+ pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
rkh (Member) commented on Apr 12, 2013:

Could you do this in a separate PR? I'd like to merge that.

end
def md5(data)
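Review bot: the `valid_digest?` change is the right fix for a timing leak on the digest comparison, but like the lobster change it does not belong in a PR titled "Update lib/rack/file.rb"; move it to the separate PR rkh asked for so it can be merged on its own. It would also be worth adding a test that a wrong `auth.response` of the same length as the expected digest is still rejected, so the behaviour of `pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)` is pinned down rather than assumed.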
@@ -98,7 +98,7 @@ def list_directory
url << '/' if stat.directory?
basename << '/' if stat.directory?
- @files << [ url, basename, size, type, mtime ]
+ @files << [ url, Utils.escape_html(basename), size, type, mtime ]
rkh (Member) commented on Apr 12, 2013:

This one is good.

end
return [ 200, {'Content-Type'=>'text/html; charset=utf-8'}, self ]
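Review bot: in `@files << [ url, Utils.escape_html(basename), size, type, mtime ]` only `basename` is escaped, but `url` is derived from the same directory entry and is interpolated into the same HTML template (`DIR_FILE % f` in `each`), so an entry name containing a quote or `<` still lands in the href unescaped unless `url` was already URL-escaped earlier in `list_directory`, which this hunk does not show. Either escape `url` here as well or confirm it is built with `Utils.escape_path` before it reaches this line.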
@@ -127,15 +127,15 @@ def list_path
end
def entity_not_found
- body = "Entity not found: #{@path_info}\n"
+ body = "Entity not found: #{Utils.escape_html(@path_info)}\n"
rkh (Member) commented on Apr 12, 2013:

Again, HTML escaping in a text document?

size = Rack::Utils.bytesize(body)
return [404, {"Content-Type" => "text/plain",
"Content-Length" => size.to_s,
"X-Cascade" => "pass"}, [body]]
end
def each
- show_path = @path.sub(/^#{@root}/,'')
+ show_path = Utils.escape_html(@path.sub(/^#{@root}/,''))
files = @files.map{|f| DIR_FILE % f }*"\n"
page = DIR_PAGE % [ show_path, show_path , files ]
page.each_line{|l| yield l }
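Review bot: the `entity_not_found` part of this hunk is wrong: the body is returned with `"Content-Type" => "text/plain"` a few lines below, so `Utils.escape_html(@path_info)` buys no XSS protection and only corrupts the message (an `&` in the path comes back as `&amp;`); drop it, as rkh says. The `show_path` change in `each` is the one that matters, since `DIR_PAGE` is served as `text/html` (see the 200 response above) and `show_path` is interpolated into it twice. While touching that line, note that `@path.sub(/^#{@root}/,'')` interpolates `@root` into a regex unescaped, so a root containing regex metacharacters (`.`, `+`, `(`) is not stripped reliably; `@path.sub(/^#{Regexp.escape(@root)}/,'')` fixes that.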
@@ -51,15 +51,15 @@ def _call(env)
@path = F.join(@root, *clean)
available = begin
- F.file?(@path) && F.readable?(@path)
+ F.file?(@path) && F.readable?(@path) && !F.symlink?(@path)
rkh (Member) commented on Apr 12, 2013:

This is actually changed behavior. I'm not sure we don't want to follow symlinks. Maybe make this an option?

rescue SystemCallError
false
end
if available
serving(env)
else
- fail(404, "File not found: #{path_info}")
+ fail(404, "File not found: #{Utils.escape_html(path_info)}")
end
end
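Review bot: `!F.symlink?(@path)` only tests the final path component, so a symlinked directory anywhere above the file is still followed, and it is a separate stat from the later open in `serving`, so the check can be raced. If the intent is to keep served files under `@root`, comparing `F.realpath(@path)` against `F.realpath(@root)` (where the supported Rubies provide it) is the stronger test; either way, agree with rkh that this is a behaviour change and should be an option, off by default, rather than unconditional. The `fail(404, "File not found: #{Utils.escape_html(path_info)}")` change raises the same question as the `entity_not_found` one: this hunk does not show what content type `fail` emits, and if it is `text/plain` the escaping only mangles the message.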