* lib/webrick/httpservlet/filehandler.rb: should normalize path

separators in path_info to prevent directory traversal attacks on DOSISH platforms. reported by Digital Security Research Group [DSECRG-08-026]. * lib/webrick/httpservlet/filehandler.rb: pathnames which have not to be published should be checked case-insensitively. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@15677 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2008-03-03 14:32:03 +00:00 · 2008-03-03 14:32:03 +00:00 · d3557aa349
commit d3557aa349
parent 58ee1e54b0
3 changed files with 88 additions and 2 deletions
--- a/lib/webrick/httpservlet/filehandler.rb
+++ b/lib/webrick/httpservlet/filehandler.rb
@ -163,6 +163,7 @@ module WEBrick
            end
          end
        end
+        prevent_directory_traversal(req, res)
        super(req, res)
      end

@ -198,6 +199,22 @@ module WEBrick

      private

+      def prevent_directory_traversal(req, res)
+        # Preventing directory traversal on DOSISH platforms;
+        # Backslashes (0x5c) in path_info are not interpreted as special
+        # character in URI notation. So the value of path_info should be
+        # normalize before accessing to the filesystem.
+        if File::ALT_SEPARATOR
+          # File.expand_path removes the trailing path separator.
+          # Adding a character is a workaround to save it.
+          #  File.expand_path("/aaa/")        #=> "/aaa"
+          #  File.expand_path("/aaa/" + "x")  #=> "/aaa/x"
+          expanded = File.expand_path(req.path_info + "x")
+          expanded[-1, 1] = ""  # remove trailing "x"
+          req.path_info = expanded
+        end
+      end
+
      def exec_handler(req, res)
        raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root
        if set_filename(req, res)
@ -256,7 +273,7 @@ module WEBrick

      def check_filename(req, res, name)
        @options[:NondisclosureName].each{|pattern|
-          if File.fnmatch("/#{pattern}", name)
+          if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD)
            @logger.warn("the request refers nondisclosure name `#{name}'.")
            raise HTTPStatus::NotFound, "`#{req.path}' not found."
          end
@ -310,7 +327,7 @@ module WEBrick

      def nondisclosure_name?(name)
        @options[:NondisclosureName].each{|pattern|
-          if File.fnmatch(pattern, name)
+          if File.fnmatch(pattern, name, File::FNM_CASEFOLD)
            return true
          end
        }