From 1ad355bd53653161e705e7d919b3ad1ea793a3f5 Mon Sep 17 00:00:00 2001
From: normal
Date: Fri, 22 Dec 2017 01:08:00 +0000
Subject: [PATCH] webrick/httpservlet/*handler: use File.open

This makes future code audits easier. None of these changes fix realistic remote code execution vulnerabilities because we stat(2) before attempting Kernel#open.

* lib/webrick/httpservlet/erbhandler.rb (do_GET): use File.open
* lib/webrick/httpservlet/filehandler.rb (do_GET): use File.open
(make_partial_content): ditto

[Misc #14216]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61401 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/webrick/httpservlet/erbhandler.rb  | 2 +-
 lib/webrick/httpservlet/filehandler.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/webrick/httpservlet/erbhandler.rb b/lib/webrick/httpservlet/erbhandler.rb
index 9bcec69883..aa02ce8a1d 100644
--- a/lib/webrick/httpservlet/erbhandler.rb
+++ b/lib/webrick/httpservlet/erbhandler.rb
@@ -53,7 +53,7 @@ module WEBrick
           raise HTTPStatus::Forbidden, "ERBHandler cannot work."
         end
         begin
-          data = open(@script_filename){|io| io.read }
+          data = File.open(@script_filename, &:read)
           res.body = evaluate(ERB.new(data), req, res)
           res['content-type'] ||=
             HTTPUtils::mime_type(@script_filename, @config[:MimeTypes])
diff --git a/lib/webrick/httpservlet/filehandler.rb b/lib/webrick/httpservlet/filehandler.rb
index 3ea1eec7d0..2c02d0ffe7 100644
--- a/lib/webrick/httpservlet/filehandler.rb
+++ b/lib/webrick/httpservlet/filehandler.rb
@@ -57,7 +57,7 @@ module WEBrick
           res['content-type'] = mtype
           res['content-length'] = st.size
           res['last-modified'] = mtime.httpdate
-          res.body = open(@local_path, "rb")
+          res.body = File.open(@local_path, "rb")
         end
       end
 
@@ -92,7 +92,7 @@ module WEBrick
           raise HTTPStatus::BadRequest,
             "Unrecognized range-spec: \"#{req['range']}\""
         end
-        open(filename, "rb"){|io|
+        File.open(filename, "rb"){|io|
           if ranges.size > 1
             time = Time.now
             boundary = "#{time.sec}_#{time.usec}_#{Process::pid}"
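Review bot: The reason for choosing `File.open` over `Kernel#open` on the added `data = File.open(@script_filename, &:read)` line lives only in the commit message, so a future reader of erbhandler.rb has no hint that plain `open` was avoided deliberately and may reintroduce it. A one-line comment above the call, `# File.open, not Kernel#open: the argument is always treated as a path, never as a command pipe`, keeps the audit intent visible in the source. The same comment belongs on the two `File.open` lines in the filehandler.rb hunks. Behaviour is unchanged here, since `&:read` is equivalent to the removed `{|io| io.read }` block. do_GET begins and ends outside the hunk.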
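Review bot: The handle created on the new `res.body = File.open(@local_path, "rb")` line is opened without a block, so nothing in this hunk closes it and its lifetime is tied to whatever consumes `res.body`; presumably the response sender closes the IO after streaming it, but that ownership is not stated anywhere in the visible code. A short comment would make it explicit: `# no block on purpose: the IO is handed to the response, which closes it after sending`. If the sender does not close it, each request would leak a descriptor until GC — worth confirming against the response code. do_GET's body starts outside the hunk.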