Merge branch 'master-sec'

* master-sec: FileHandler should not be called for files outside the root
2022-11-09 12:12:34 -05:00 · 2014-10-30 11:39:46 -07:00 · 2014-10-30 11:39:46 -07:00 · c6f9518e24
commit c6f9518e24
parent d20f7b043a d1123f2056
2 changed files with 32 additions and 4 deletions
--- a/actionpack/lib/action_dispatch/middleware/static.rb
+++ b/actionpack/lib/action_dispatch/middleware/static.rb
@ -24,9 +24,19 @@ module ActionDispatch
      path = URI.parser.unescape(path)
      return false unless path.valid_encoding?

-      paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"]
+      paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"].map { |v|
+        Rack::Utils.clean_path_info v
+      }

-      if match = paths.detect {|p| File.file?(File.join(@root, p)) }
+      if match = paths.detect { |p|
+        path = File.join(@root, p)
+        begin
+          File.file?(path) && File.readable?(path)
+        rescue SystemCallError
+          false
+        end
+
+      }
        return ::Rack::Utils.escape(match)
      end
    end
--- a/actionpack/test/dispatch/static_test.rb
+++ b/actionpack/test/dispatch/static_test.rb
@ -200,7 +200,8 @@ class StaticTest < ActiveSupport::TestCase
  }

  def setup
-    @app = ActionDispatch::Static.new(DummyApp, "#{FIXTURE_LOAD_PATH}/public", "public, max-age=60")
+    @root = "#{FIXTURE_LOAD_PATH}/public"
+    @app = ActionDispatch::Static.new(DummyApp, @root, "public, max-age=60")
  end

  def public_path
@ -208,11 +209,28 @@ class StaticTest < ActiveSupport::TestCase
  end

  include StaticTests
+
+  def test_custom_handler_called_when_file_is_outside_root
+    filename = 'shared.html.erb'
+    assert File.exist?(File.join(@root, '..', filename))
+    env = {
+      "REQUEST_METHOD"=>"GET",
+      "REQUEST_PATH"=>"/..%2F#{filename}",
+      "PATH_INFO"=>"/..%2F#{filename}",
+      "REQUEST_URI"=>"/..%2F#{filename}",
+      "HTTP_VERSION"=>"HTTP/1.1",
+      "SERVER_NAME"=>"localhost",
+      "SERVER_PORT"=>"8080",
+      "QUERY_STRING"=>""
+    }
+    assert_equal(DummyApp.call(nil), @app.call(env))
+  end
 end

 class StaticEncodingTest < StaticTest
  def setup
-    @app = ActionDispatch::Static.new(DummyApp, "#{FIXTURE_LOAD_PATH}/公共", "public, max-age=60")
+    @root = "#{FIXTURE_LOAD_PATH}/公共"
+    @app = ActionDispatch::Static.new(DummyApp, @root, "public, max-age=60")
  end

  def public_path