merge revision(s) 15677:

* lib/webrick/httpservlet/filehandler.rb: should normalize path
	  separators in path_info to prevent directory traversal attacks
	  on DOSISH platforms.
	  reported by Digital Security Research Group [DSECRG-08-026].
	* lib/webrick/httpservlet/filehandler.rb: pathnames which have
	  not to be published should be checked case-insensitively.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_6@15678 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,13 @@
+Mon Mar  3 23:34:13 2008  GOTOU Yuuzou  <gotoyuzo@notwork.org>
+
+	* lib/webrick/httpservlet/filehandler.rb: should normalize path
+	  separators in path_info to prevent directory traversal attacks
+	  on DOSISH platforms.
+	  reported by Digital Security Research Group [DSECRG-08-026].
+
+	* lib/webrick/httpservlet/filehandler.rb: pathnames which have
+	  not to be published should be checked case-insensitively.
+
 Mon Dec  3 08:13:52 2007  Kouhei Sutou  <kou@cozmixng.org>
 
 	* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,

lib/webrick/httpservlet/filehandler.rb

@@ -163,6 +163,7 @@ module WEBrick
             end
           end
         end
+        prevent_directory_traversal(req, res)
         super(req, res)
       end
 
@@ -198,6 +199,22 @@ module WEBrick
 
       private
 
+      def prevent_directory_traversal(req, res)
+        # Preventing directory traversal on DOSISH platforms;
+        # Backslashes (0x5c) in path_info are not interpreted as special
+        # character in URI notation. So the value of path_info should be
+        # normalize before accessing to the filesystem.
+        if File::ALT_SEPARATOR
+          # File.expand_path removes the trailing path separator.
+          # Adding a character is a workaround to save it.
+          #  File.expand_path("/aaa/")        #=> "/aaa"
+          #  File.expand_path("/aaa/" + "x")  #=> "/aaa/x"
+          expanded = File.expand_path(req.path_info + "x")
+          expanded[-1, 1] = ""  # remove trailing "x"
+          req.path_info = expanded
+        end
+      end
+
       def exec_handler(req, res)
         raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root
         if set_filename(req, res)
@@ -256,7 +273,7 @@ module WEBrick
 
       def check_filename(req, res, name)
         @options[:NondisclosureName].each{|pattern|
-          if File.fnmatch("/#{pattern}", name)
+          if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD)
             @logger.warn("the request refers nondisclosure name `#{name}'.")
             raise HTTPStatus::NotFound, "`#{req.path}' not found."
           end
@@ -310,7 +327,7 @@ module WEBrick
 
       def nondisclosure_name?(name)
         @options[:NondisclosureName].each{|pattern|
-          if File.fnmatch(pattern, name)
+          if File.fnmatch(pattern, name, File::FNM_CASEFOLD)
             return true
           end
         }

test/webrick/test_filehandler.rb

@@ -1,6 +1,7 @@
 require "test/unit"
 require "webrick"
 require "stringio"
+require File.join(File.dirname(__FILE__), "utils.rb")
 
 class WEBrick::TestFileHandler < Test::Unit::TestCase
   def default_file_handler(filename)
@@ -62,4 +63,62 @@ class WEBrick::TestFileHandler < Test::Unit::TestCase
     res = make_range_response(filename, "bytes=0-0, -2")
     assert_match(%r{^multipart/byteranges}, res["content-type"])
   end
+
+  def test_filehandler
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/html", res.content_type)
+        assert_match(/HREF="#{this_file}"/, res.body)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/plain", res.content_type)
+        assert_equal(File.read(__FILE__), res.body)
+      }
+    end
+  end
+
+  def test_non_disclosure_name
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      doc_root_opts = server[:DocumentRootOptions]
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/html", res.content_type)
+        assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("404", res.code)
+      }
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*)
+      http.request(req){|res|
+        assert_equal("404", res.code)
+      }
+    end
+  end
+
+  def test_directory_traversal
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/../../")
+      http.request(req){|res| assert_equal("400", res.code) }
+      req = Net::HTTP::Get.new(
+        "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini"
+      )
+      http.request(req){|res| assert_equal("404", res.code) }
+    end
+  end
 end

version.h

@@ -1,14 +1,14 @@
 #define RUBY_VERSION "1.8.6"
-#define RUBY_RELEASE_DATE "2007-12-03"
+#define RUBY_RELEASE_DATE "2008-03-03"
 #define RUBY_VERSION_CODE 186
-#define RUBY_RELEASE_CODE 20071203
+#define RUBY_RELEASE_CODE 20080303
-#define RUBY_PATCHLEVEL 113
+#define RUBY_PATCHLEVEL 114
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 6
-#define RUBY_RELEASE_YEAR 2007
+#define RUBY_RELEASE_YEAR 2008
-#define RUBY_RELEASE_MONTH 12
+#define RUBY_RELEASE_MONTH 3
 #define RUBY_RELEASE_DAY 3
 
 #ifdef RUBY_EXTERN