kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

* lib/webrick/httpservlet/filehandler.rb: should normalize path

Browse source 
separators in path_info to prevent directory traversal
  attacks on DOSISH platforms.
  reported by Digital Security Research Group [DSECRG-08-026].

* lib/webrick/httpservlet/filehandler.rb: pathnames which have
  not to be published should be checked case-insensitively.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8@15677 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
gotoyuzo 2008-03-03 14:32:03 +00:00
parent 58ee1e54b0
commit d3557aa349
3 changed files with 88 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
ChangeLog
View file

@ -1,3 +1,13 @@
Mon Mar 3 23:28:34 2008 GOTOU Yuuzou <gotoyuzo@notwork.org>
* lib/webrick/httpservlet/filehandler.rb: should normalize path
separators in path_info to prevent directory traversal attacks
on DOSISH platforms.
reported by Digital Security Research Group [DSECRG-08-026].
* lib/webrick/httpservlet/filehandler.rb: pathnames which have
not to be published should be checked case-insensitively.
Mon Mar 3 16:14:24 2008 Nobuyoshi Nakada <nobu@ruby-lang.org> Mon Mar 3 16:14:24 2008 Nobuyoshi Nakada <nobu@ruby-lang.org>
* hash.c (rb_any_hash): shrinks all results in Fixnum range. * hash.c (rb_any_hash): shrinks all results in Fixnum range.

21
lib/webrick/httpservlet/filehandler.rb
View file

@ -163,6 +163,7 @@ module WEBrick
end end
end end
end end
prevent_directory_traversal(req, res)
super(req, res) super(req, res)
end end
@ -198,6 +199,22 @@ module WEBrick
private private
def prevent_directory_traversal(req, res)
# Preventing directory traversal on DOSISH platforms;
# Backslashes (0x5c) in path_info are not interpreted as special
# character in URI notation. So the value of path_info should be
# normalize before accessing to the filesystem.
if File::ALT_SEPARATOR
# File.expand_path removes the trailing path separator.
# Adding a character is a workaround to save it.
# File.expand_path("/aaa/") #=> "/aaa"
# File.expand_path("/aaa/" + "x") #=> "/aaa/x"
expanded = File.expand_path(req.path_info + "x")
expanded[-1, 1] = "" # remove trailing "x"
req.path_info = expanded
end
end
def exec_handler(req, res) def exec_handler(req, res)
raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root
if set_filename(req, res) if set_filename(req, res)
@ -256,7 +273,7 @@ module WEBrick
def check_filename(req, res, name) def check_filename(req, res, name)
@options[:NondisclosureName].each{|pattern| @options[:NondisclosureName].each{|pattern|
if File.fnmatch("/#{pattern}", name) if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD)
@logger.warn("the request refers nondisclosure name `#{name}'.") @logger.warn("the request refers nondisclosure name `#{name}'.")
raise HTTPStatus::NotFound, "`#{req.path}' not found." raise HTTPStatus::NotFound, "`#{req.path}' not found."
end end
@ -310,7 +327,7 @@ module WEBrick
def nondisclosure_name?(name) def nondisclosure_name?(name)
@options[:NondisclosureName].each{|pattern| @options[:NondisclosureName].each{|pattern|
if File.fnmatch(pattern, name) if File.fnmatch(pattern, name, File::FNM_CASEFOLD)
return true return true
end end
} }

59
test/webrick/test_filehandler.rb
View file

@ -1,6 +1,7 @@
require "test/unit" require "test/unit"
require "webrick" require "webrick"
require "stringio" require "stringio"
require File.join(File.dirname(__FILE__), "utils.rb")
class WEBrick::TestFileHandler < Test::Unit::TestCase class WEBrick::TestFileHandler < Test::Unit::TestCase
def default_file_handler(filename) def default_file_handler(filename)
@ -62,4 +63,62 @@ class WEBrick::TestFileHandler < Test::Unit::TestCase
res = make_range_response(filename, "bytes=0-0, -2") res = make_range_response(filename, "bytes=0-0, -2")
assert_match(%r{^multipart/byteranges}, res["content-type"]) assert_match(%r{^multipart/byteranges}, res["content-type"])
end end
def test_filehandler
config = { :DocumentRoot => File.dirname(__FILE__), }
this_file = File.basename(__FILE__)
TestWEBrick.start_httpserver(config) do |server, addr, port|
http = Net::HTTP.new(addr, port)
req = Net::HTTP::Get.new("/")
http.request(req){|res|
assert_equal("200", res.code)
assert_equal("text/html", res.content_type)
assert_match(/HREF="#{this_file}"/, res.body)
}
req = Net::HTTP::Get.new("/#{this_file}")
http.request(req){|res|
assert_equal("200", res.code)
assert_equal("text/plain", res.content_type)
assert_equal(File.read(__FILE__), res.body)
}
end
end
def test_non_disclosure_name
config = { :DocumentRoot => File.dirname(__FILE__), }
this_file = File.basename(__FILE__)
TestWEBrick.start_httpserver(config) do |server, addr, port|
http = Net::HTTP.new(addr, port)
doc_root_opts = server[:DocumentRootOptions]
doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*)
req = Net::HTTP::Get.new("/")
http.request(req){|res|
assert_equal("200", res.code)
assert_equal("text/html", res.content_type)
assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body)
}
req = Net::HTTP::Get.new("/#{this_file}")
http.request(req){|res|
assert_equal("404", res.code)
}
doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*)
http.request(req){|res|
assert_equal("404", res.code)
}
end
end
def test_directory_traversal
config = { :DocumentRoot => File.dirname(__FILE__), }
this_file = File.basename(__FILE__)
TestWEBrick.start_httpserver(config) do |server, addr, port|
http = Net::HTTP.new(addr, port)
req = Net::HTTP::Get.new("/../../")
http.request(req){|res| assert_equal("400", res.code) }
req = Net::HTTP::Get.new(
"/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini"
)
http.request(req){|res| assert_equal("404", res.code) }
end
end
end end