Permalink
Browse files

merge revision(s) 15677:

	* lib/webrick/httpservlet/filehandler.rb: should normalize path
	  separators in path_info to prevent directory traversal attacks
	  on DOSISH platforms.
	  reported by Digital Security Research Group [DSECRG-08-026].
	* lib/webrick/httpservlet/filehandler.rb: pathnames which have
	  not to be published should be checked case-insensitively.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_5@15680 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
  • Loading branch information...
1 parent e7daebf commit 76efd3551c856a6b359282ae5e02b18295d6cf97 @shyouhei shyouhei committed Mar 3, 2008
Showing with 94 additions and 8 deletions.
  1. +10 −0 ChangeLog
  2. +19 −2 lib/webrick/httpservlet/filehandler.rb
  3. +59 −0 test/webrick/test_filehandler.rb
  4. +6 −6 version.h
View
10 ChangeLog
@@ -1,3 +1,13 @@
+Mon Mar 3 23:36:41 2008 GOTOU Yuuzou <gotoyuzo@notwork.org>
+
+ * lib/webrick/httpservlet/filehandler.rb: should normalize path
+ separators in path_info to prevent directory traversal attacks
+ on DOSISH platforms.
+ reported by Digital Security Research Group [DSECRG-08-026].
+
+ * lib/webrick/httpservlet/filehandler.rb: pathnames which have
+ not to be published should be checked case-insensitively.
+
Sun Sep 23 21:57:25 2007 GOTOU Yuuzou <gotoyuzo@notwork.org>
* lib/net/http.rb: an SSL verification (the server hostname should
View
21 lib/webrick/httpservlet/filehandler.rb
@@ -163,6 +163,7 @@ def service(req, res)
end
end
end
+ prevent_directory_traversal(req, res)
super(req, res)
end
@@ -198,6 +199,22 @@ def do_OPTIONS(req, res)
private
+ def prevent_directory_traversal(req, res)
+ # Preventing directory traversal on DOSISH platforms;
+ # Backslashes (0x5c) in path_info are not interpreted as special
+ # character in URI notation. So the value of path_info should be
+ # normalize before accessing to the filesystem.
+ if File::ALT_SEPARATOR
+ # File.expand_path removes the trailing path separator.
+ # Adding a character is a workaround to save it.
+ # File.expand_path("/aaa/") #=> "/aaa"
+ # File.expand_path("/aaa/" + "x") #=> "/aaa/x"
+ expanded = File.expand_path(req.path_info + "x")
+ expanded[-1, 1] = "" # remove trailing "x"
+ req.path_info = expanded
+ end
+ end
+
def exec_handler(req, res)
raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root
if set_filename(req, res)
@@ -256,7 +273,7 @@ def set_filename(req, res)
def check_filename(req, res, name)
@options[:NondisclosureName].each{|pattern|
- if File.fnmatch("/#{pattern}", name)
+ if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD)
@logger.warn("the request refers nondisclosure name `#{name}'.")
raise HTTPStatus::NotFound, "`#{req.path}' not found."
end
@@ -310,7 +327,7 @@ def call_callback(callback_name, req, res)
def nondisclosure_name?(name)
@options[:NondisclosureName].each{|pattern|
- if File.fnmatch(pattern, name)
+ if File.fnmatch(pattern, name, File::FNM_CASEFOLD)
return true
end
}
View
59 test/webrick/test_filehandler.rb
@@ -1,6 +1,7 @@
require "test/unit"
require "webrick"
require "stringio"
+require File.join(File.dirname(__FILE__), "utils.rb")
class WEBrick::TestFileHandler < Test::Unit::TestCase
def default_file_handler(filename)
@@ -62,4 +63,62 @@ def test_make_partial_content
res = make_range_response(filename, "bytes=0-0, -2")
assert_match(%r{^multipart/byteranges}, res["content-type"])
end
+
+ def test_filehandler
+ config = { :DocumentRoot => File.dirname(__FILE__), }
+ this_file = File.basename(__FILE__)
+ TestWEBrick.start_httpserver(config) do |server, addr, port|
+ http = Net::HTTP.new(addr, port)
+ req = Net::HTTP::Get.new("/")
+ http.request(req){|res|
+ assert_equal("200", res.code)
+ assert_equal("text/html", res.content_type)
+ assert_match(/HREF="#{this_file}"/, res.body)
+ }
+ req = Net::HTTP::Get.new("/#{this_file}")
+ http.request(req){|res|
+ assert_equal("200", res.code)
+ assert_equal("text/plain", res.content_type)
+ assert_equal(File.read(__FILE__), res.body)
+ }
+ end
+ end
+
+ def test_non_disclosure_name
+ config = { :DocumentRoot => File.dirname(__FILE__), }
+ this_file = File.basename(__FILE__)
+ TestWEBrick.start_httpserver(config) do |server, addr, port|
+ http = Net::HTTP.new(addr, port)
+ doc_root_opts = server[:DocumentRootOptions]
+ doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*)
+ req = Net::HTTP::Get.new("/")
+ http.request(req){|res|
+ assert_equal("200", res.code)
+ assert_equal("text/html", res.content_type)
+ assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body)
+ }
+ req = Net::HTTP::Get.new("/#{this_file}")
+ http.request(req){|res|
+ assert_equal("404", res.code)
+ }
+ doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*)
+ http.request(req){|res|
+ assert_equal("404", res.code)
+ }
+ end
+ end
+
+ def test_directory_traversal
+ config = { :DocumentRoot => File.dirname(__FILE__), }
+ this_file = File.basename(__FILE__)
+ TestWEBrick.start_httpserver(config) do |server, addr, port|
+ http = Net::HTTP.new(addr, port)
+ req = Net::HTTP::Get.new("/../../")
+ http.request(req){|res| assert_equal("400", res.code) }
+ req = Net::HTTP::Get.new(
+ "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini"
+ )
+ http.request(req){|res| assert_equal("404", res.code) }
+ end
+ end
end
View
12 version.h
@@ -1,15 +1,15 @@
#define RUBY_VERSION "1.8.5"
-#define RUBY_RELEASE_DATE "2007-09-24"
+#define RUBY_RELEASE_DATE "2008-03-03"
#define RUBY_VERSION_CODE 185
-#define RUBY_RELEASE_CODE 20070924
-#define RUBY_PATCHLEVEL 114
+#define RUBY_RELEASE_CODE 20080303
+#define RUBY_PATCHLEVEL 115
#define RUBY_VERSION_MAJOR 1
#define RUBY_VERSION_MINOR 8
#define RUBY_VERSION_TEENY 5
-#define RUBY_RELEASE_YEAR 2007
-#define RUBY_RELEASE_MONTH 9
-#define RUBY_RELEASE_DAY 24
+#define RUBY_RELEASE_YEAR 2008
+#define RUBY_RELEASE_MONTH 3
+#define RUBY_RELEASE_DAY 3
#ifdef RUBY_EXTERN
RUBY_EXTERN const char ruby_version[];

0 comments on commit 76efd35

Please sign in to comment.