2.1.x releases vulnerable to directory traversal #304

meder opened this Issue Mar 14, 2012 · 1 comment



It seems like the following commit addressed the issue of checking for traversal before unescaping the URL:


but the author thought it wasn't exploitable and thus (I am assuming) a new version of the 2.1.x branch hasn't been released, which afaict Rails depends on.

To exploit this vulnerability the following URL must be sent via curl, webscarab or any other tool that doesn't unescape the URL before sending. NOTE: a browser will unescape the URL, and it will not work if you access it via a browser. This URL assumes that your app is in /usr/local/blah/MyRails/


Also, please note that the code in server.rb tries to remove the leading slash too, but assumes that only 1 leading slash is present, which isn't true; that regexp needs to be corrected too.


@josh closed this May 16, 2012

While such a request doesn't return forbidden, it does raise Sprockets::FileOutsidePaths when trying to compile.
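
The check-ordering and leading-slash problems raised in this issue, shown as an added Ruby example that is not Sprockets code and not part of the original thread. The helpers `percent_decode`, `flawed_resolve` and `safe_resolve`, the root `/srv/app/assets`, and the way the flawed version joins the path to the root are assumptions made for illustration; the request paths are constructed.

```ruby
# Added example: hypothetical helpers, not Sprockets' own code.

# Decode %XX escapes exactly once, working on raw bytes.
def percent_decode(raw)
  raw.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Flawed order: ".." is tested on the still-encoded text, and the
# regexp strips only one leading slash.
def flawed_resolve(raw, root)
  return nil if raw.include?("..")
  path = percent_decode(raw).sub(%r{\A/}, "")
  File.expand_path(path, root) # an absolute path ignores root here
end

# Hardened order: decode first, strip every leading slash, reject ".."
# segments, then confirm the final path is still under root.
def safe_resolve(raw, root)
  decoded = percent_decode(raw)
  return nil if decoded.include?("\0")
  relative = decoded.sub(%r{\A/+}, "")
  return nil if relative.split("/").include?("..")
  root = File.expand_path(root)
  full = File.expand_path(File.join(root, relative))
  full.start_with?(root + File::SEPARATOR) ? full : nil
end

ROOT = "/srv/app/assets" # constructed root directory
# Constructed request paths
SAMPLES = ["application.js", "%2e%2e/config/secrets.yml", "//outside/file.txt"]

SAMPLES.each do |raw|
  puts format("%-28s flawed=%-32s safe=%s", raw,
              flawed_resolve(raw, ROOT).inspect, safe_resolve(raw, ROOT).inspect)
end
```

The final `start_with?` containment test is the part that holds even if an earlier filter is bypassed, so it is worth keeping alongside the decode-then-check ordering.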
