Sinatra 1.3 will follow RFC 2616 for matching patterns to URLs. This introduces a path traversal vulnerability in all applications that use params directly in rendering methods (like erb(params[:template].to_sym)). A countermeasure is implemented in rack-protection. I think either Sinatra or sinatra-contrib should depend on it. I would favor sinatra-contrib, but that means we can't release Sinatra 1.3 until we finish sinatra-contrib.
@sr, @bmizerany, @rtomayko opinions? also, directory traversal seems to be the most common attack.
As an aside: If you're calling params[:template].to_sym then you should be aware you'll be leaking memory, as symbols are never GC'd. One could just try a lot of different templates ...
I'd favour sinatra depending on it, or VERY clear warnings about this in the readme.
There is a third option: Basically copying the path traversal code from rack-protection into Sinatra.
I added this to sinatra-contrib for now, but (esp. after a discussion with Sinatra users at Rocky Mountain Ruby) tend to actually include it into Sinatra proper.
add rack-protection, fixes #310
People really do erb(params[:template].to_sym)?
what about people that like to redirect params[:return_to]?
@jacobo: I will disable escaped_params by default, either in Sinatra or rack-protection. Then both scenarios should work.
Don't escape parameters by default in included rack-protection. relates to issue #310
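As an added illustration of the defensive side of the erb(params[:template].to_sym) discussion above (this is not code from Sinatra, sinatra-contrib or rack-protection): an allow-list check that refuses traversal segments before any filesystem lookup and only interns a Symbol after the name has matched a fixed set, so the symbol-table growth from attacker-supplied strings cannot happen either. The view list, the helper names and the views directory are assumptions constructed for the example.

```ruby
require 'set'

# Constructed stand-in for the app's view directory. A real app would build
# this once at boot (e.g. from Dir.glob("views/*.erb")), never per request.
KNOWN_TEMPLATES = Set.new(%w[index about contact]).freeze

# Only plain lowercase word characters are acceptable. This rejects "../",
# absolute paths, null bytes and percent-encoded variants such as "%2e%2e"
# before the name ever reaches File.join or the renderer.
TEMPLATE_NAME = /\A[a-z0-9_]+\z/.freeze

class UnknownTemplate < StandardError; end

# Returns the template name as a Symbol only after it has matched the
# allow-list, so to_sym is never called on arbitrary input and the number
# of interned symbols is bounded by KNOWN_TEMPLATES.
def safe_template(raw)
  name = raw.to_s
  raise UnknownTemplate, 'bad template name' unless name.match?(TEMPLATE_NAME)
  raise UnknownTemplate, "no such template: #{name}" unless KNOWN_TEMPLATES.include?(name)
  name.to_sym
end

# Path the renderer would open for this request, or nil when the name is
# rejected. In a Sinatra route this is where erb(safe_template(...)) goes.
def render_path(raw, views_dir = 'views')
  File.join(views_dir, "#{safe_template(raw)}.erb")
rescue UnknownTemplate
  nil
end

if __FILE__ == $PROGRAM_NAME
  p render_path('about')             # "views/about.erb"
  p render_path('../../etc/passwd')  # nil
  p render_path('about/../secret')   # nil
end
```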