authorThomas <ts@tcare.fr>2019-11-25 22:52:44 +0100
committerSamuel Williams <samuel.williams@oriontransfer.co.nz>2020-02-05 18:09:25 +1300
commit64f53e4a8c6dce5da0b7f81c0aa6629cf926cc5a (patch)
tree13eb49e4181873a1c1f5bf0f03719418fb1ba3b1
parentf43537ac70d29b7ef6572c9c16dc717aa3eaa319 (diff)
downloadrack-64f53e4a8c6dce5da0b7f81c0aa6629cf926cc5a.tar.gz
Rack::Directory : allow directory traversal inside root directory
-rw-r--r--lib/rack/directory.rb1
-rw-r--r--test/spec_directory.rb16
2 files changed, 15 insertions, 2 deletions
diff --git a/lib/rack/directory.rb b/lib/rack/directory.rb
index d7a44e8b..34c76676 100644
--- a/lib/rack/directory.rb
+++ b/lib/rack/directory.rb
@@ -92,6 +92,7 @@ table { width:100%%; }
def check_forbidden(path_info)
return unless path_info.include? ".."
+ return if ::File.expand_path(::File.join(@root, path_info)).start_with?(@root)
body = "Forbidden\n"
size = body.bytesize
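Review bot: The added `return if` guard accepts any expanded path that merely begins with the string `@root`, so with a root of `/srv/app` (constructed example) a request that expands to `/srv/app-private/secret` would be treated as "inside root" even though it has left the directory; a prefix test on a directory needs the separator. Comparing against the root plus a trailing separator closes that gap: `root = ::File.expand_path(@root)`, `full = ::File.expand_path(::File.join(root, path_info))`, `return if full == root || full.start_with?(root + ::File::SEPARATOR)`. Whether `@root` is already expanded and separator-free when set in the constructor is not visible in this hunk; expanding it again here is harmless and makes the comparison robust to a trailing slash or a relative root. The body of check_forbidden continues past the end of the hunk.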
diff --git a/test/spec_directory.rb b/test/spec_directory.rb
index 9b913c85..0e4d501f 100644
--- a/test/spec_directory.rb
+++ b/test/spec_directory.rb
@@ -95,14 +95,26 @@ describe Rack::Directory do
res.must_be :bad_request?
end
+ it "allow directory traversal inside root directory" do
+ res = Rack::MockRequest.new(Rack::Lint.new(app)).
+ get("/cgi/../rackup")
+
+ res.must_be :ok?
+
+ res = Rack::MockRequest.new(Rack::Lint.new(app)).
+ get("/cgi/%2E%2E/rackup")
+
+ res.must_be :ok?
+ end
+
it "not allow directory traversal" do
res = Rack::MockRequest.new(Rack::Lint.new(app)).
- get("/cgi/../test")
+ get("/cgi/../../lib")
res.must_be :forbidden?
res = Rack::MockRequest.new(Rack::Lint.new(app)).
- get("/cgi/%2E%2E/test")
+ get("/cgi/%2E%2E/%2E%2E/lib")
res.must_be :forbidden?
end
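Review bot: The new "allow directory traversal inside root directory" case checks only `..` sequences that resolve back under the root, and the forbidden case only paths that climb out of the root entirely; no assertion covers a path that escapes into a sibling directory whose name begins with the root's name, which is precisely the input a bare `start_with?(@root)` prefix check accepts. The fixture root for `app` is set up outside this hunk, so the exact path cannot be given here, but a case of the form `get("/../<root-basename>-sibling/file")` (placeholder path) asserting `res.must_be :forbidden?` would pin the intended boundary. It fits naturally inside the existing "not allow directory traversal" block next to the `/cgi/../../lib` request.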