Properly escape glob characters.

tenderlove committed Aug 16, 2011
1 parent c238ba0 commit 09ad48f22e0b32b6485bc122f7f220045aed1198
@@ -149,8 +149,12 @@ def query(path, details, formats)
# Helper for building query glob string based on resolver's pattern.
def build_query(path, details)
query = @pattern.dup
- query.gsub!(/\:prefix(\/)?/, path.prefix.empty? ? "" : "#{path.prefix}\\1") # prefix can be empty...
- query.gsub!(/\:action/, path.partial? ? "_#{path.name}" : path.name)
+
+ prefix = path.prefix.empty? ? "" : "#{escape_entry(path.prefix)}\\1"
+ query.gsub!(/\:prefix(\/)?/, prefix)
+
+ partial = escape_entry(path.partial? ? "_#{path.name}" : path.name)
+ query.gsub!(/\:action/, partial)
details.each do |ext, variants|
query.gsub!(/\:#{ext}/, "{#{variants.compact.uniq.join(',')}}")
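Review bot: The escaped prefix built on `+ prefix = path.prefix.empty? ? "" : "#{escape_entry(path.prefix)}\\1"` is handed to `gsub!` as a replacement string, where backslash sequences are interpreted again (`\1` becomes the captured slash, and any backslash emitted by `escape_entry` is subject to the same processing), so the result is correct only because Ruby passes unknown escapes such as `\*` through unchanged. Using the block form, e.g. `query.gsub!(/\:prefix(\/)?/) { "#{escape_entry(path.prefix)}#{$1}" }`, avoids the second round of backslash handling and makes the intent explicit; the same applies to the `partial` replacement. Note that the `details` variants interpolated into `{...}` on the `query.gsub!(/\:#{ext}/, ...)` line remain unescaped, which is acceptable only while those values come from resolver configuration rather than from the request.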
@@ -159,6 +163,10 @@ def build_query(path, details)
File.expand_path(query, @path)
end
+ def escape_entry(entry)
+ entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
+ end
+
# Returns the file mtime from the filesystem.
def mtime(p)
File.stat(p).mtime
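Review bot: `escape_entry` has no doc comment, unlike its sibling helpers (`# Helper for building query glob string...`, `# Returns the file mtime...`); add one stating that it backslash-escapes the `Dir.glob` metacharacters `* [ ] { } ?`. Backslash itself is not in the escaped set, so an entry containing `\` is still read by `Dir.glob` as an escape character on platforms where backslash is not a path separator. The alternation `/(\*|\[|\]|\{|\}|\?)/` with the triple-escaped replacement `"\\\\\\1"` is hard to verify by eye; a character class with a block, `entry.gsub(/[*\[\]{}?]/) { |c| "\\#{c}" }`, does the same job and needs no replacement-string escaping.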
@@ -235,7 +243,7 @@ def eql?(resolver)
class OptimizedFileSystemResolver < FileSystemResolver #:nodoc:
def build_query(path, details)
exts = EXTENSIONS.map { |ext| details[ext] }
- query = File.join(@path, path)
+ query = escape_entry(File.join(@path, path))
exts.each do |ext|
query << "{"
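Review bot: `escape_entry(File.join(@path, path))` escapes the resolver's own base directory `@path` together with the requested `path`, which differs from `FileSystemResolver#build_query` in the first hunk, where `@path` is passed to `File.expand_path` unescaped. Escaping the base is the safer behaviour (a view directory whose name contains `[` or `{` would otherwise be read as a pattern), but the two resolvers should agree; either escape `@path` in both or add a comment explaining why only this one does. As in the other resolver, the extension variants appended after `query << "{"` are not escaped, which relies on them being configuration values.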
@@ -405,6 +405,14 @@ def render_with_explicit_template
render :template => "test/hello_world"
end
+ def render_with_explicit_unescaped_template
+ render :template => "test/h*llo_world"
+ end
+
+ def render_with_explicit_escaped_template
+ render :template => "test/hello_w*rld"
+ end
+
def render_with_explicit_string_template
render "test/hello_world"
end
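Review bot: The action names `render_with_explicit_unescaped_template` and `render_with_explicit_escaped_template` do not say what distinguishes them: both pass a template name containing a literal `*` and neither escapes anything itself; the only difference is that a fixture named `hello_w*rld` exists while `h*llo_world` does not. Names such as `render_with_glob_char_missing_template` and `render_with_glob_char_literal_template`, or a one-line comment above each, would make the intent (that `*` must match literally, never as a wildcard) clear to the next reader.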
@@ -1062,6 +1070,12 @@ def test_render_with_explicit_template
assert_response :success
end
+ def test_render_with_explicit_unescaped_template
+ assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
+ get :render_with_explicit_escaped_template
+ assert_equal "Hello w*rld!", @response.body
+ end
+
def test_render_with_explicit_string_template
get :render_with_explicit_string_template
assert_equal "<html>Hello world!</html>", @response.body
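Review bot: `test_render_with_explicit_unescaped_template` asserts two independent behaviours, that a `*` matching no file raises `ActionView::MissingTemplate` and that a `*` matching a literal filename renders it, so a failure in the first hides the second and the test name covers only the first. Split it into two tests mirroring the two actions added in the previous hunk, so each failure points at exactly one behaviour.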
@@ -0,0 +1 @@
+Hello w*rld!
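Review bot: The new fixture's filename contains a literal `*` (the rendered page drops the file header, but the checkout error quoted in the comments names it as `actionpack/test/fixtures/test/hello_w*rld.erb`), which is not a legal filename character on Windows, so the commit makes the whole repository uncheckoutable there rather than just failing one test. Create the fixture at test time instead (write it in `setup`, delete it in `teardown`) and skip that test where the filesystem rejects the name, so nothing with an unportable name is committed.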

3 comments on commit 09ad48f

cfis Aug 23, 2011

This commit breaks Windows. See #2666. Could it be reverted?

Thanks - Charlie

tenderlove Aug 23, 2011

Owner

@cfis no. This is in response to a filter skipping vulnerability. We need to fix the test for windows, not revert the commit.

cfis Aug 23, 2011

Ok, but there can't be a file with a * in it that is in git. Otherwise this happens:

Updating git://github.com/rails/rails.git
error: unable to create file actionpack/test/fixtures/test/hello_w*rld.erb (Invalid argument)
Checking out files: 100% (2210/2210), done.
fatal: Could not reset index file to revision '94a780356cd2ea6c7cb1ce75525596b28857870b'.
Git error: command git reset --hard 94a780356cd2ea6c7cb1ce75525596b28857870b in directory C:/MinGW/local/ruby/lib/ruby/gems/1.9.1/bundler/gems/rails-94a780356cd2 has failed.
If this error persists you could try removing the cache directory 'C:/MinGW/local/ruby/lib/ruby/gems/1.9.1/cache/bundler/git/rails-16a5e918a06649ffac24fd5873b875daf66212ad'

And that's it - you can't check out rails.

Could the test dynamically try and create such a file? Or maybe rename a file? Or do something else?

Charlie
