author | James Tucker <jftucker@gmail.com> | 2013-02-06 16:25:22 -0800 |
committer | James Tucker <jftucker@gmail.com> | 2013-02-07 18:36:04 -0800 |
commit | 8de3c1d9902f8e64a385f38cf5711f26ffba19db (patch) | |
tree | b8ba4c0b67ba713edf2c52cf4682e8d80ebc5bb5 | |
parent | 3316749e3cd0b2bf43400e215f62b06499f00dbc (diff) | |
download | rack-8de3c1d9902f8e64a385f38cf5711f26ffba19db.tar.gz |
Prevent symlink path traversals
* Closes CVE-2013-0262
-rw-r--r-- | lib/rack/file.rb | 17 |
1 files changed, 6 insertions, 11 deletions
diff --git a/lib/rack/file.rb b/lib/rack/file.rb
index 090a0015..ee58a1a7 100644
--- a/lib/rack/file.rb
+++ b/lib/rack/file.rb
@@ -41,19 +41,14 @@ module Rack
 path_info = Utils.unescape(env["PATH_INFO"])
 parts = path_info.split SEPS
 
- parts.inject(0) do |depth, part|
- case part
- when '', '.'
- depth
- when '..'
- return fail(404, "Not Found") if depth - 1 < 0
- depth - 1
- else
- depth + 1
- end
+ clean = []
+
+ parts.each do |part|
+ next if part.empty? || part == '.'
+ part == '..' ? clean.pop : clean << part
 end
 
- @path = F.join(@root, *parts)
+ @path = F.join(@root, *clean)
 
 available = begin
 F.file?(@path) && F.readable?(@path)
 |
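Review bot: The 404 for paths that climb above the root is gone without a replacement: the removed `return fail(404, "Not Found") if depth - 1 < 0` has no counterpart, and when `clean` is empty the `clean.pop` in the new `parts.each` just returns nil, so a path with surplus `..` segments is now clamped to `@root` and served if the remainder exists there. If that is intended, a why-comment above `clean = []` would keep the next reader from reintroducing depth counting, e.g. `# Drop '..' before joining: a joined path that still contains '..' is resolved by the filesystem, which (presumably via a symlink under the root) can leave @root (CVE-2013-0262); surplus '..' is clamped at the root, not rejected.` The ternary `part == '..' ? clean.pop : clean << part` is evaluated only for its side effects, which reads oddly; a plain `if`/`else` would be clearer there. The enclosing method begins before line 41 and continues past the end of the hunk.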