Merge branch 'master-sec'
* master-sec: FileHandler should not be called for files outside the root
c6f9518e24
2 changed files with 32 additions and 4 deletions
|
@ -24,9 +24,19 @@ module ActionDispatch
|
||||||
path = URI.parser.unescape(path)
|
path = URI.parser.unescape(path)
|
||||||
return false unless path.valid_encoding?
|
return false unless path.valid_encoding?
|
||||||
|
|
||||||
paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"]
|
paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"].map { |v|
|
||||||
|
Rack::Utils.clean_path_info v
|
||||||
|
}
|
||||||
|
|
||||||
if match = paths.detect {|p| File.file?(File.join(@root, p)) }
|
if match = paths.detect { |p|
|
||||||
|
path = File.join(@root, p)
|
||||||
|
begin
|
||||||
|
File.file?(path) && File.readable?(path)
|
||||||
|
rescue SystemCallError
|
||||||
|
false
|
||||||
|
end
|
||||||
|
|
||||||
|
}
|
||||||
return ::Rack::Utils.escape(match)
|
return ::Rack::Utils.escape(match)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
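Review bot: Inside the new `detect` block the assignment `path = File.join(@root, p)` reuses the method-local `path` that was set earlier by `path = URI.parser.unescape(path)`, so every candidate overwrites that variable as a side effect; the method returns `match`, so nothing breaks today, but a reviewer would rename it, e.g. `full_path = File.join(@root, p)` and `File.file?(full_path) && File.readable?(full_path)`. The `Rack::Utils.clean_path_info v` mapping is the step that keeps candidates inside `@root` in this change and deserves a why-comment above the `map`, such as `# normalise "." and ".." segments so no candidate can point outside @root`. The `rescue SystemCallError` also needs a sentence naming which errors are expected there, since as written it reports any such failure as "no file". The enclosing method's signature and the start of its body are outside the hunk.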
@ -200,7 +200,8 @@ class StaticTest < ActiveSupport::TestCase
|
||||||
}
|
}
|
||||||
|
|
||||||
def setup
|
def setup
|
||||||
@app = ActionDispatch::Static.new(DummyApp, "#{FIXTURE_LOAD_PATH}/public", "public, max-age=60")
|
@root = "#{FIXTURE_LOAD_PATH}/public"
|
||||||
|
@app = ActionDispatch::Static.new(DummyApp, @root, "public, max-age=60")
|
||||||
end
|
end
|
||||||
|
|
||||||
def public_path
|
def public_path
|
||||||
|
@ -208,11 +209,28 @@ class StaticTest < ActiveSupport::TestCase
|
||||||
end
|
end
|
||||||
|
|
||||||
include StaticTests
|
include StaticTests
|
||||||
|
|
||||||
|
def test_custom_handler_called_when_file_is_outside_root
|
||||||
|
filename = 'shared.html.erb'
|
||||||
|
assert File.exist?(File.join(@root, '..', filename))
|
||||||
|
env = {
|
||||||
|
"REQUEST_METHOD"=>"GET",
|
||||||
|
"REQUEST_PATH"=>"/..%2F#(unknown)",
|
||||||
|
"PATH_INFO"=>"/..%2F#(unknown)",
|
||||||
|
"REQUEST_URI"=>"/..%2F#(unknown)",
|
||||||
|
"HTTP_VERSION"=>"HTTP/1.1",
|
||||||
|
"SERVER_NAME"=>"localhost",
|
||||||
|
"SERVER_PORT"=>"8080",
|
||||||
|
"QUERY_STRING"=>""
|
||||||
|
}
|
||||||
|
assert_equal(DummyApp.call(nil), @app.call(env))
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
class StaticEncodingTest < StaticTest
|
class StaticEncodingTest < StaticTest
|
||||||
def setup
|
def setup
|
||||||
@app = ActionDispatch::Static.new(DummyApp, "#{FIXTURE_LOAD_PATH}/公共", "public, max-age=60")
|
@root = "#{FIXTURE_LOAD_PATH}/公共"
|
||||||
|
@app = ActionDispatch::Static.new(DummyApp, @root, "public, max-age=60")
|
||||||
end
|
end
|
||||||
|
|
||||||
def public_path
|
def public_path
|
||||||
|
|
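Review bot: The three request strings in `test_custom_handler_called_when_file_is_outside_root` appear here as `"/..%2F#(unknown)"`, which reads like a mangled `#{filename}` interpolation; if the literal really is `#(unknown)`, the `filename = 'shared.html.erb'` local only feeds the `File.exist?` precondition and the request never names the file the test title promises, so please confirm the interpolation survived. The assertion `assert_equal(DummyApp.call(nil), @app.call(env))` proves fall-through only because `DummyApp.call` presumably ignores its argument; a one-line comment stating the intent, e.g. `# a path that resolves outside @root must fall through to the wrapped app`, would make the expectation self-explanatory. Both test classes in this section continue beyond the hunks shown.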