author | Thomas <ts@tcare.fr> | 2019-11-25 22:52:44 +0100 |
committer | Samuel Williams <samuel.williams@oriontransfer.co.nz> | 2020-02-05 18:09:25 +1300 |
commit | 64f53e4a8c6dce5da0b7f81c0aa6629cf926cc5a (patch) | |
tree | 13eb49e4181873a1c1f5bf0f03719418fb1ba3b1 | |
parent | f43537ac70d29b7ef6572c9c16dc717aa3eaa319 (diff) | |
download | rack-64f53e4a8c6dce5da0b7f81c0aa6629cf926cc5a.tar.gz |
Rack::Directory : allow directory traversal inside root directory
-rw-r--r-- | lib/rack/directory.rb | 1 | ||||
-rw-r--r-- | test/spec_directory.rb | 16 |
2 files changed, 15 insertions, 2 deletions
diff --git a/lib/rack/directory.rb b/lib/rack/directory.rb
index d7a44e8b..34c76676 100644
--- a/lib/rack/directory.rb
+++ b/lib/rack/directory.rb
@@ -92,6 +92,7 @@ table { width:100%%; }
def check_forbidden(path_info)
return unless path_info.include? ".."
+ return if ::File.expand_path(::File.join(@root, path_info)).start_with?(@root)
body = "Forbidden\n"
size = body.bytesize
diff --git a/test/spec_directory.rb b/test/spec_directory.rb
index 9b913c85..0e4d501f 100644
--- a/test/spec_directory.rb
+++ b/test/spec_directory.rb
@@ -95,14 +95,26 @@ describe Rack::Directory do
res.must_be :bad_request?
end
+ it "allow directory traversal inside root directory" do
+ res = Rack::MockRequest.new(Rack::Lint.new(app)).
+ get("/cgi/../rackup")
+
+ res.must_be :ok?
+
+ res = Rack::MockRequest.new(Rack::Lint.new(app)).
+ get("/cgi/%2E%2E/rackup")
+
+ res.must_be :ok?
+ end
+
it "not allow directory traversal" do
res = Rack::MockRequest.new(Rack::Lint.new(app)).
- get("/cgi/../test")
+ get("/cgi/../../lib")
res.must_be :forbidden?
res = Rack::MockRequest.new(Rack::Lint.new(app)).
- get("/cgi/%2E%2E/test")
+ get("/cgi/%2E%2E/%2E%2E/lib")
res.must_be :forbidden?
end |
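Review bot: The containment check on the added `return if` line is a bare string-prefix test, so a sibling directory whose name begins with the root's name slips through: with a root of `/srv/app`, a request that expands to `/srv/app-private/secret` starts with `/srv/app` and is not rejected. Compare against the root with a trailing separator and accept the root itself: `expanded = ::File.expand_path(::File.join(@root, path_info))`, `root_dir = @root.end_with?(::File::SEPARATOR) ? @root : @root + ::File::SEPARATOR`, `return if expanded == @root || expanded.start_with?(root_dir)`. The comparison also assumes `@root` is already absolute and normalized, since expand_path output would otherwise never share its prefix; the constructor that sets it is outside this hunk, so confirm it expands the root. Note that expand_path is purely lexical and does not resolve symlinks, so this check cannot by itself stop a symlink under the root from pointing outside it — worth stating in a comment on the line. check_forbidden's body continues past the end of the hunk.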
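Review bot: The new "allow directory traversal inside root directory" example only checks a `..` that lands back inside the root; it does not exercise the boundary that a plain `start_with?(@root)` comparison gets wrong, a sibling of the root whose name begins with the root's own basename (for a root of `test`, something like `../test-secrets`). A case such as `get("/cgi/../../test-secrets/x")` asserting `res.must_be :forbidden?` would pin that, and a request resolving to exactly the root, `get("/cgi/..")`, is also worth an explicit assertion. Both depend on the fixture directory layout used by `app`, which is defined outside this hunk, so the sibling name would have to match whatever the test tree provides.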