
Whitelist of characters for file names

1 parent a1c1fad commit ab89c6d610646a1677906a7b17b5b413db0bc2f9 @mike-burns mike-burns committed Aug 18, 2012
Showing with 11 additions and 1 deletion.
  1. +5 −1 app/controllers/high_voltage/pages_controller.rb
  2. +6 −0 spec/controllers/pages_controller_spec.rb
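--- a/app/controllers/high_voltage/pages_controller.rb
+++ b/app/controllers/high_voltage/pages_controller.rb
@@ -1,4 +1,5 @@
 class HighVoltage::PagesController < ApplicationController
+ VALID_CHARACTERS = "a-zA-Z0-9~!@$%^&*()#`_+-=<>\"{}|[];',?".freeze
 unloadable
 layout Proc.new { |_| HighVoltage.layout }
@@ -22,12 +23,15 @@ def current_page
 end
 def clean_path
- path = Pathname.new "/#{params[:id]}"
+ path = Pathname.new("/#{clean_id}")
 path.cleanpath.to_s[1..-1]
 end
 def content_path
 HighVoltage.content_path
 end
+ def clean_id
+ params[:id].tr("^#{VALID_CHARACTERS}", '')
+ end
 end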
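Review bot: The whitelist on line 13 depends on `tr` range parsing in a way the constant does not make visible: besides the intended `a-z`, `A-Z` and `0-9`, the sequence `+-=` is itself a range (ASCII 43–61), so `,`, `-`, `.`, `/`, `:` and `;` are admitted without being listed. `.` and `/` evidently have to survive (the spec on line 36 sends `../other/wrong` through `cleanpath`, and nested page paths contain `/`), but today that works only by accident of the range, and any later reordering of the constant would silently drop them. I would list them explicitly and escape the hyphen so it is literal, e.g. ``VALID_CHARACTERS = "a-zA-Z0-9~!@$%^&*()#`_+=<>\"{}|[];',?./\\-".freeze``, deciding deliberately whether `,` and `:` stay in, and write `clean_id` as `params[:id].delete("^#{VALID_CHARACTERS}")`, which states the intent directly instead of relying on `tr` with an empty replacement deleting. Note also that `clean_id` raises `NoMethodError` when `params[:id]` is absent; whether the route always supplies it is not visible here.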
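--- a/spec/controllers/pages_controller_spec.rb
+++ b/spec/controllers/pages_controller_spec.rb
@@ -1,3 +1,5 @@
+# encoding: UTF-8
+
 require 'spec_helper'
 describe HighVoltage::PagesController do
@@ -97,6 +99,10 @@
 lambda { get :show, :id => "../other/wrong" }.should raise_error(ActionController::RoutingError)
 end
+ it "should raise a routing error for a page in another directory when using a Unicode exploit" do
+ lambda { get :show, :id => "/\\../other/wrong" }.should raise_error(ActionController::RoutingError)
+ end
+
 it "should raise missing template error for valid page with invalid partial" do
 lambda { get :show, :id => "also_exists_but_references_nonexistent_partial" }.should raise_error(ActionView::MissingTemplate)
 end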
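Review bot: The new example on line 38 is described as a "Unicode exploit", but its input `"/\\../other/wrong"` is a plain ASCII backslash, so the description misleads the next reader about what is covered; I would rename it, e.g. `it "should raise a routing error for a page in another directory when the path contains a backslash" do`. The `# encoding: UTF-8` magic comment added on line 31 suggests a non-ASCII input was planned, yet no example sends one; an example with a multibyte id that asserts the offending characters are stripped would exercise the whitelist the controller change introduces, whereas the current example passes as long as `cleanpath` normalizes the path, which the pre-existing test on line 36 already shows.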
