Commit fe31bb2

[close #94] Security Update
Prevent specially crafted url strings from being used to access unintended files via an escaped slash character `%2e`
1 parent 6b8189e commit fe31bb2
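
The mechanism the commit message describes, as an added Ruby example that is not Wicked's code: it shows why passing the step through `ERB::Util.url_encode` (the one-line change made in lib/wicked/controller/concerns/render_redirect.rb below) stops a URL-supplied step from naming a file outside the wizard's view directory, and what an explicit allow-list of declared steps would add on top. The view root, the `naive_template_path` stand-in for the framework's template lookup, and the declared step names are assumptions made for the demonstration; the two traversal strings are the decoded form of the payloads in the commit's security test.

```ruby
require 'erb'

# Added example, not Wicked's own code. `step` plays the part of the
# wizard step read from the URL; before the fix it went straight to `render`.

# Hypothetical view directory for a `BarController` wizard (assumption).
VIEW_ROOT = '/app/app/views/bar'.freeze

# Stand-in for a template lookup that joins the step onto the view
# directory. This is not Rails' resolver, only enough to show the traversal.
def naive_template_path(view_root, step)
  File.expand_path(step, view_root)
end

# True when the step resolves to a path outside the view directory.
def escapes_view_root?(view_root, step)
  !naive_template_path(view_root, step).start_with?(view_root + '/')
end

# What the fix does. ERB::Util.url_encode leaves letters, digits, "_", "-",
# "." and "~" alone and percent-encodes everything else, so the only change
# to a traversal string is that each "/" becomes "%2F". A name with no "/"
# in it can only ever be a single path segment.
def encode_step(step)
  ERB::Util.url_encode(step)
end

# Stricter alternative (hypothetical, not part of the patch): refuse any
# step that is not one of the wizard's declared steps.
def allowed_step?(step, declared_steps)
  declared_steps.map(&:to_s).include?(step.to_s)
end

# Constructed inputs: two legitimate step names (assumed) and the decoded
# form of the two payloads used in test/integration/security_test.rb.
DECLARED_STEPS = %w[first second].freeze
TRAVERSALS = [
  '../../config/database.yml',
  ('./.' * 100) + '/usr/share/dict/words' # "./" + "../" * 99 + "./usr/..."
].freeze

if __FILE__ == $PROGRAM_NAME
  TRAVERSALS.each do |raw|
    encoded = encode_step(raw)
    puts "raw      #{raw[0, 40]} ... -> #{naive_template_path(VIEW_ROOT, raw)}"
    puts "encoded  #{encoded[0, 40]} ... -> #{naive_template_path(VIEW_ROOT, encoded)}"
    puts "declared? #{allowed_step?(raw, DECLARED_STEPS)}"
  end
end
```

Running it shows the raw strings resolving to `/app/app/config/database.yml` and `/usr/share/dict/words`, while the encoded forms stay inside the view directory as one oddly named, non-existent template; the allow-list check rejects both before any lookup happens, which is the check the patch does not add.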

5 files changed: +31 -2 lines

Diff for: CHANGELOG.md

+4
Original file line number | Diff line number | Diff line change
@@ -1,3 +1,7 @@
1+
## 1.0.1 (8/08/2013)
2+
3+
* Fix security issue #94
4+
15
## 1.0.0 (8/03/2013)
26

37
* Rails 4 compatible tested version released
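Review bot: the changelog line `* Fix security issue #94` says nothing about what was fixed; a release note for a security fix should name the problem (a wizard step taken from the URL could be used to render files outside the wizard's views, as the commit message describes) and tell users of 1.0.0 to upgrade, since the issue number alone is useless to anyone reading the gem's CHANGELOG offline. The date `8/08/2013` also mixes a padded and an unpadded field; `2013-08-08` is unambiguous.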

Diff for: VERSION

+1-1
@@ -1 +1 @@
1-
1.0.0
1+
1.0.1

Diff for: lib/wicked.rb

+2
@@ -1,3 +1,5 @@
1+
require 'erb'
2+
13
module Wicked
24
FINISH_STEP = "wicked_finish"
35
FIRST_STEP = "wicked_first"
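Review bot: `require 'erb'` is only here for the `ERB::Util.url_encode` call added in render_redirect.rb; placing the require in that file next to its use, or adding a one-line comment here saying why it exists, would keep the dependency visible. It is harmless in a Rails app, where the view layer already loads ERB, but nothing in this hunk explains it.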

Diff for: lib/wicked/controller/concerns/render_redirect.rb

+1-1
@@ -26,7 +26,7 @@ def render_step(the_step, options = {})
2626
if the_step.nil? || the_step.to_s == Wicked::FINISH_STEP
2727
redirect_to_finish_wizard options
2828
else
29-
render the_step, options
29+
render ERB::Util.url_encode(the_step), options
3030
end
3131
end
3232

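Review bot: `ERB::Util.url_encode(the_step)` blocks the traversal only because it turns every `/` into `%2F`; it leaves `.` alone (`../../config/database.yml` becomes `..%2F..%2Fconfig%2Fdatabase.yml`), so the step can no longer span path segments but is otherwise still user-controlled and still reaches `render`. Checking `the_step` against the wizard's declared list of steps before this line, and raising or redirecting to the finish step for anything else, would make the intent explicit and not depend on how the view resolver treats a `%2F` inside a single segment. Only `render_step` is touched here; if `the_step` is used as a template name anywhere else, it needs the same treatment.
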
Diff for: test/integration/security_test.rb

+23
@@ -0,0 +1,23 @@
1+
require 'test_helper'
2+
3+
class SecurityTest < ActiveSupport::IntegrationCase
4+
5+
test 'does not show database.yml' do
6+
step = "%2E%2F%2E%2E%2F%2E%2E%2Fconfig%2Fdatabase%2Eyml"
7+
assert_raise ActionView::MissingTemplate do
8+
visit(bar_path(step))
9+
end
10+
refute has_content?('sqlite3')
11+
end
12+
13+
# only works on *nix systems
14+
test 'does not show arbitrary system file' do
15+
root = '%2E%2F%2E' * 100 # root of system
16+
step = root + '%2Fusr%2Fshare%2Fdict%2Fwords'
17+
18+
assert_raise ActionView::MissingTemplate do
19+
visit(bar_path(step))
20+
end
21+
refute has_content?('aardvark')
22+
end
23+
end
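Review bot: both tests pass an already percent-encoded string to `bar_path(step)`, so depending on whether the path helper escapes `%` the controller may receive the literal `%2E%2F...` rather than the decoded `./..`; add a case that passes the plain `../../config/database.yml` so the decoded form that actually reaches `render_step` is exercised. The `refute has_content?` lines run after `visit` has already raised, so they do not examine the failing response and add nothing beyond the `assert_raise`. The second test is commented `only works on *nix systems` but is not skipped elsewhere; a `skip` guard on the platform would stop it failing on Windows for the wrong reason.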
