Ensure render is case sensitive even on systems with case-insensitive filesystems.

This fixes CVE-2011-0449
commit b93c590297ba65a6c5b18655a7790163abcb06f1 1 parent 3ddd7f7
@josevalim josevalim authored tenderlove committed
15 actionpack/lib/action_view/template/resolver.rb
@@ -113,14 +113,23 @@ def query(path, exts, formats)
query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
end
- Dir[query].reject { |p| File.directory?(p) }.map do |p|
- handler, format = extract_handler_and_format(p, formats)
+ query.gsub!(/\{\.html,/, "{.html,.text.html,")
+ query.gsub!(/\{\.text,/, "{.text,.text.plain,")
+
+ templates = []
+ sanitizer = Hash.new { |h,k| h[k] = Dir["#{File.dirname(k)}/*"] }
+
+ Dir[query].each do |p|
+ next if File.directory?(p) || !sanitizer[p].include?(p)
+ handler, format = extract_handler_and_format(p, formats)
contents = File.open(p, "rb") {|io| io.read }
- Template.new(contents, File.expand_path(p), handler,
+ templates << Template.new(contents, File.expand_path(p), handler,
:virtual_path => path, :format => format, :updated_at => mtime(p))
end
+
+ templates
end
# Returns the file mtime from the filesystem.
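Review bot: The `sanitizer[p].include?(p)` test on the `next if` line is the entire CVE-2011-0449 fix, yet nothing in the hunk says so, and a later cleanup could drop it as a redundant re-check of a path `Dir[]` just returned. Suggest a comment directly above it, e.g. `# On case-insensitive filesystems Dir[] echoes the query's casing ("Hello_world"), so compare against the real directory listing before trusting the match`. Note that `Dir["#{File.dirname(k)}/*"]` only re-validates the basename: if `Dir[]` reproduces the non-glob directory prefix of the pattern verbatim (as I believe it does), a case-mismatched directory component of `path` would still pass — worth confirming with a test rather than assuming. The two `gsub!` calls that add `.text.html`/`.text.plain` are unrelated to the fix and undocumented; a one-line why-comment would help. The opening lines of `query` sit outside the hunk.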
10 actionpack/test/controller/render_test.rb
@@ -125,6 +125,10 @@ def render_action_hello_world
render :action => "hello_world"
end
+ def render_action_upcased_hello_world
+ render :action => "Hello_world"
+ end
+
def render_action_hello_world_as_string
render "hello_world"
end
@@ -742,6 +746,12 @@ def test_render_action
assert_template "test/hello_world"
end
+ def test_render_action_upcased
+ assert_raise ActionView::MissingTemplate do
+ get :render_action_upcased_hello_world
+ end
+ end
+
# :ported:
def test_render_action_hello_world_as_string
get :render_action_hello_world_as_string
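Review bot: `test_render_action_upcased` asserts `MissingTemplate` for `"Hello_world"`, but on a case-sensitive filesystem the glob never matched the upcased name even before this commit, so on Linux CI the test passes with or without the resolver change and only discriminates on case-insensitive filesystems. A comment above it would prevent it being mistaken for full coverage, e.g. `# Regression test for CVE-2011-0449; only exercises the fix on case-insensitive filesystems`. A resolver-level unit test that stubs `Dir[]` to return a case-folded match would make the sanitizer check fail-before/pass-after everywhere. The enclosing test class starts outside the hunk.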