Encoding issue

Can lead to XSS
commit 7367a7065eade64d30690c34ab067351db5e900a 1 parent a9abcc7
@snyff authored
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/rack/directory.rb
4 lib/rack/directory.rb
@@ -98,7 +98,7 @@ def list_directory
url << '/' if stat.directory?
basename << '/' if stat.directory?
- @files << [ url, basename, size, type, mtime ]
+ @files << [ url, Utils.escape_html(basename), size, type, mtime ]
end
return [ 200, {'Content-Type'=>'text/html; charset=utf-8'}, self ]
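Review bot: only `basename` is escaped here, while `url` (built just above in this hunk and, per the `DIR_FILE % f` call further down, interpolated into the same HTML template) is left as-is. If `url` is derived from the same directory entry name as `basename`, a name containing a quote or angle bracket would still reach the markup unescaped through that element of the tuple; apply `Utils.escape_html` (or URL-encode the href value) to `url` as well, e.g. `@files << [ Utils.escape_html(url), Utils.escape_html(basename), size, type, mtime ]`, and add a test that lists a directory containing a file named with `<`, `"` and `>` to confirm neither column renders raw.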
@@ -135,7 +135,7 @@ def entity_not_found
end
def each
- show_path = @path.sub(/^#{@root}/,'')
+ show_path = Utils.escape_html(@path.sub(/^#{@root}/,''))
files = @files.map{|f| DIR_FILE % f }*"\n"
page = DIR_PAGE % [ show_path, show_path , files ]
page.each_line{|l| yield l }
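Review bot: the escaping of `show_path` is correct and covers both interpolations into `DIR_PAGE`, but the `@path.sub(/^#{@root}/,'')` on the same line interpolates `@root` into a regular expression without `Regexp.escape`, so a root containing regex metacharacters (`.`, `+`, `(` and so on) will not be stripped as intended and the full filesystem path then ends up in the rendered page. Since this line is being touched anyway, consider `@path.sub(/^#{Regexp.escape(@root)}/,'')` and a regression test for both the HTML-escaping and the prefix removal.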