Merge pull request #23035 from jkowens/fix-null-byte

Prevent static middleware from attempting to serve a request with a null byte
rails · Jan 12, 2016 · 89f7093 · 89f7093
2 parents 5d41cb3 + 918f0ee
commit 89f7093
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/actionpack/lib/action_dispatch/middleware/static.rb b/actionpack/lib/action_dispatch/middleware/static.rb
@@ -27,7 +27,7 @@ def initialize(root, index: 'index', headers: {})
     # in the server's `public/` directory (see Static#call).
     def match?(path)
       path = ::Rack::Utils.unescape_path path
-      return false unless path.valid_encoding?
+      return false unless valid_path?(path)
       path = Rack::Utils.clean_path_info path
 
       paths = [path, "#{path}#{ext}", "#{path}/#{@index}#{ext}"]
@@ -94,6 +94,10 @@ def gzip_file_path(path)
           false
         end
       end
+
+      def valid_path?(path)
+        path.valid_encoding? && !path.include?("\0")
+      end
   end
 
   # This middleware will attempt to return the contents of a file's body from

diff --git a/actionpack/test/dispatch/static_test.rb b/actionpack/test/dispatch/static_test.rb
@@ -40,6 +40,10 @@ def test_handles_urls_with_ascii_8bit_on_win_31j
     assert_equal "Hello, World!", get("/doorkeeper%E3E4".force_encoding('ASCII-8BIT')).body
   end
 
+  def test_handles_urls_with_null_byte
+    assert_equal "Hello, World!", get("/doorkeeper%00").body
+  end
+
   def test_sets_cache_control
     app = assert_deprecated do
       ActionDispatch::Static.new(DummyApp, @root, "public, max-age=60")