
[close #94] Security Update

Prevent specially crafted URL strings from being used to access unintended files via URL-encoded path-traversal sequences (e.g. `%2E%2E%2F`, i.e. `../`) in the step name
schneems committed Oct 8, 2013
1 parent 6b8189e commit fe31bb2533fffc9d098c69ebeb7afc3b80509f53
Showing with 31 additions and 2 deletions.
  1. +4 −0 CHANGELOG.md
  2. +1 −1 VERSION
  3. +2 −0 lib/wicked.rb
  4. +1 −1 lib/wicked/controller/concerns/render_redirect.rb
  5. +23 −0 test/integration/security_test.rb
@@ -1,3 +1,7 @@
## 1.0.1 (8/08/2013)

* Fix security issue #94

## 1.0.0 (8/03/2013)

* Rails 4 compatible tested version released
@@ -1 +1 @@
1.0.0
1.0.1
@@ -1,3 +1,5 @@
require 'erb'

module Wicked
FINISH_STEP = "wicked_finish"
FIRST_STEP = "wicked_first"
@@ -26,7 +26,7 @@ def render_step(the_step, options = {})
if the_step.nil? || the_step.to_s == Wicked::FINISH_STEP
redirect_to_finish_wizard options
else
render the_step, options
render ERB::Util.url_encode(the_step), options
end
end
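Review bot: The fix at `render ERB::Util.url_encode(the_step), options` neutralizes traversal by transforming the step name rather than validating it: url_encode turns `/` into `%2F`, so the template lookup can no longer leave the controller's view directory, but any unexpected value still reaches `render` and surfaces as an ActionView::MissingTemplate (typically a 500) instead of a deliberate rejection. An allowlist is the stronger control — if this concern can reach the wizard's declared step list (a `steps`/`wizard_steps` helper elsewhere in the gem, not visible in this hunk), checking `steps.map(&:to_s).include?(the_step.to_s)` before the `render` and raising or redirecting otherwise would reject crafted input explicitly, with the encoding kept as defense in depth. Note that url_encode leaves `.` unencoded, so the commit message's reference to `%2e` understates what is actually being neutralized, which is the separator `%2F`; a comment above the line would keep the intent visible: `# Encode the step name so a crafted value such as "../config/database.yml" cannot resolve to a template path outside the view directory`. render_step's signature and the start of its body lie above this hunk.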

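--- /dev/null
+++ b/test/integration/security_test.rb
@@ -0,0 +1,23 @@
+require 'test_helper'
+
+class SecurityTest < ActiveSupport::IntegrationCase
+
+test 'does not show database.yml' do
+step = "%2E%2F%2E%2E%2F%2E%2E%2Fconfig%2Fdatabase%2Eyml"
+assert_raise ActionView::MissingTemplate do
+visit(bar_path(step))
+end
+refute has_content?('sqlite3')
+end
+
+# only works on *nix systems
+test 'does not show arbitrary system file' do
+root = '%2E%2F%2E' * 100 # root of system
+step = root + '%2Fusr%2Fshare%2Fdict%2Fwords'
+
+assert_raise ActionView::MissingTemplate do
+visit(bar_path(step))
+end
+refute has_content?('aardvark')
+end
+end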
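Review bot: The `refute has_content?(...)` lines after each `assert_raise` most likely never inspect the attacked response: when `visit` raises inside the block, Capybara's page is presumably left at whatever was loaded before (here, nothing), so the content check passes regardless of what the app would have rendered, and the exception type is the only real assertion. Both cases also exercise only the fully percent-encoded form; the plain form `../../config/database.yml` and mixed forms such as `..%2F../config/database.yml` go through different decoding on the way to `the_step` and deserve their own cases, e.g. `step = "../../config/database.yml"` with the same `assert_raise` and `refute`. A positive case that visits a legitimate step and asserts its content would also catch the encoding change breaking normal rendering — the step names live in the test app outside this file, so the exact fixture is for the author to pick.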
