webrick/httpservlet/*handler: use File.open

This makes future code audits easier. None of these changes fix realistic remote code execution vulnerabilities because we stat(2) before attempting Kernel#open. * lib/webrick/httpservlet/erbhandler.rb (do_GET): use File.open * lib/webrick/httpservlet/filehandler.rb (do_GET): use File.open (make_partial_content): ditto [Misc #14216] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61401 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2017-12-22 01:08:00 +00:00 · 2017-12-22 01:08:00 +00:00 · 1ad355bd53
commit 1ad355bd53
parent 1989371d10
2 changed files with 3 additions and 3 deletions
--- a/lib/webrick/httpservlet/erbhandler.rb
+++ b/lib/webrick/httpservlet/erbhandler.rb
@ -53,7 +53,7 @@ module WEBrick
          raise HTTPStatus::Forbidden, "ERBHandler cannot work."
        end
        begin
-          data = open(@script_filename){|io| io.read }
+          data = File.open(@script_filename, &:read)
          res.body = evaluate(ERB.new(data), req, res)
          res['content-type'] ||=
            HTTPUtils::mime_type(@script_filename, @config[:MimeTypes])
--- a/lib/webrick/httpservlet/filehandler.rb
+++ b/lib/webrick/httpservlet/filehandler.rb
@ -57,7 +57,7 @@ module WEBrick
          res['content-type'] = mtype
          res['content-length'] = st.size
          res['last-modified'] = mtime.httpdate
-          res.body = open(@local_path, "rb")
+          res.body = File.open(@local_path, "rb")
        end
      end

@ -92,7 +92,7 @@ module WEBrick
          raise HTTPStatus::BadRequest,
            "Unrecognized range-spec: \"#{req['range']}\""
        end
-        open(filename, "rb"){|io|
+        File.open(filename, "rb"){|io|
          if ranges.size > 1
            time = Time.now
            boundary = "#{time.sec}_#{time.usec}_#{Process::pid}"