
[close #94] Security Update

Prevent specially crafted url strings from being used to access unintended files via an escaped slash character `%2e`
1 parent 6b8189e commit fe31bb2533fffc9d098c69ebeb7afc3b80509f53 @schneems committed Oct 8, 2013
Showing with 31 additions and 2 deletions.
  1. +4 −0 CHANGELOG.md
  2. +1 −1 VERSION
  3. +2 −0 lib/wicked.rb
  4. +1 −1 lib/wicked/controller/concerns/render_redirect.rb
  5. +23 −0 test/integration/security_test.rb
CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.1 (8/08/2013)
+
+* Fix security issue #94
+
## 1.0.0 (8/03/2013)
* Rails 4 compatible tested version released
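Review bot: the new entry is dated 8/08/2013 while the commit itself is dated Oct 8, 2013 and the previous entry is 8/03/2013; check that 1.0.1 carries the actual release date. The line `* Fix security issue #94` should also name the problem (a crafted step name reaching `render` and resolving to files outside the view path) so users can judge whether they need to upgrade.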
VERSION
@@ -1 +1 @@
-1.0.0
+1.0.1
lib/wicked.rb
@@ -1,3 +1,5 @@
+require 'erb'
+
module Wicked
FINISH_STEP = "wicked_finish"
FIRST_STEP = "wicked_first"
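Review bot: `require 'erb'` is placed in lib/wicked.rb although the only caller of `ERB::Util.url_encode` is the render_redirect concern; consider adding the require at the top of that file as well so the concern works when loaded on its own.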
lib/wicked/controller/concerns/render_redirect.rb
@@ -26,7 +26,7 @@ def render_step(the_step, options = {})
if the_step.nil? || the_step.to_s == Wicked::FINISH_STEP
redirect_to_finish_wizard options
else
- render the_step, options
+ render ERB::Util.url_encode(the_step), options
end
end
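Review bot: percent-encoding the step name stops the traversal because `.` and `/` become `%2E` and `%2F`, so a crafted value can no longer resolve to a file outside the view directory, but it is a transformation rather than a validation. The wizard already knows which step names are valid, so a stricter fix would reject any `the_step` that is not in the declared step list before it reaches `render` and respond with a 404 instead of surfacing `ActionView::MissingTemplate`. Also note that the encoded string is what the template resolver sees, so a legitimate step name containing any character `url_encode` rewrites would stop rendering; confirm that existing step names are unaffected.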
test/integration/security_test.rb
@@ -0,0 +1,23 @@
+require 'test_helper'
+
+class SecurityTest < ActiveSupport::IntegrationCase
+
+ test 'does not show database.yml' do
+ step = "%2E%2F%2E%2E%2F%2E%2E%2Fconfig%2Fdatabase%2Eyml"
+ assert_raise ActionView::MissingTemplate do
+ visit(bar_path(step))
+ end
+ refute has_content?('sqlite3')
+ end
+
+ # only works on *nix systems
+ test 'does not show arbitrary system file' do
+ root = '%2E%2F%2E' * 100 # root of system
+ step = root + '%2Fusr%2Fshare%2Fdict%2Fwords'
+
+ assert_raise ActionView::MissingTemplate do
+ visit(bar_path(step))
+ end
+ refute has_content?('aardvark')
+ end
+end
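Review bot: the `refute has_content?(...)` calls add little, since `visit` raised inside `assert_raise` before any body was rendered; the exception is the meaningful assertion. The second test depends on /usr/share/dict/words existing and containing 'aardvark', so instead of the comment guard it with `skip unless File.exist?('/usr/share/dict/words')` to avoid spurious failures on other hosts. A positive case is also missing: a test that an ordinary step name still renders after passing through `ERB::Util.url_encode`, to catch the regression where encoding alters a legitimate name.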

0 comments on commit fe31bb2
