Fix directory traversal vulnerability in static file route [sinatra#177]

smtlaissezfaire · Mar 9, 2009 · ed98aed · ed98aed
1 parent 01b1f49
commit ed98aed
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
@@ -884,7 +884,9 @@ def metadef(message, &block)
     # static files route
     get(/.*[^\/]$/) do
       pass unless options.static? && options.public?
-      path = options.public + unescape(request.path_info)
+      public_dir = File.expand_path(options.public)
+      path = File.expand_path(public_dir + unescape(request.path_info))
+      pass if path[0, public_dir.length] != public_dir
       pass unless File.file?(path)
       send_file path, :disposition => nil
     end

diff --git a/test/static_test.rb b/test/static_test.rb
@@ -62,4 +62,19 @@
     get "/foobarbaz.txt"
     assert not_found?
   end
+
+  it 'serves files when .. path traverses within public directory' do
+    get "/data/../#{File.basename(__FILE__)}"
+    assert ok?
+    assert_equal File.read(__FILE__), body
+  end
+
+  it '404s when .. path traverses outside of public directory' do
+    mock_app {
+      set :static, true
+      set :public, File.dirname(__FILE__) + '/data'
+    }
+    get "/../#{File.basename(__FILE__)}"
+    assert not_found?
+  end
 end