mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
8ee3267d26
name in path_info to prevent script disclosure vulnerability on DOSISH filesystems. (fix: CVE-2008-1891) Note: NTFS/FAT filesystem should not be published by the platforms other than Windows. Pathname interpretation (including short filename) is less than perfect. * lib/webrick/httpservlet/abstract.rb (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri): should escape the value of Location: header. * lib/webrick/httpservlet/cgi_runner.rb: accept interpreter command line arguments. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@16453 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
47 lines
993 B
Ruby
#
# cgi_runner.rb -- CGI launcher.
#
# Author: IPR -- Internet Programming with Ruby -- writers
# Copyright (c) 2000 TAKAHASHI Masayoshi, GOTOU YUUZOU
# Copyright (c) 2002 Internet Programming with Ruby writers. All rights
# reserved.
#
# $IPR: cgi_runner.rb,v 1.9 2002/09/25 11:33:15 gotoyuzo Exp $

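# Reads exactly +size+ bytes from +io+ using repeated low-level reads.
#
# A single io.sysread call may hand back fewer bytes than requested, so the
# outstanding amount is requested again until everything has arrived.
#
# io   :: object responding to sysread(maxlen)
# size :: number of bytes to read; zero or a negative value yields ""
#
# Returns the accumulated String. Whatever io.sysread raises propagates to
# the caller (for an IO, EOFError when the stream ends before +size+ bytes
# have been read).
def sysread(io, size)
  buf = "".dup # unfrozen copy, so appending works even where literals are frozen
  while size > 0
    tmp = io.sysread(size)
    buf << tmp
    # The request is counted in bytes. String#size counts characters, which
    # under-counts a chunk tagged with a multibyte encoding and makes the loop
    # read past the requested length; bytesize keeps the accounting in bytes.
    size -= tmp.bytesize
  end
  buf
end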
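# Launcher body. STDIN carries three fields, each an 8-byte decimal length
# followed by that many bytes of payload: the path to use for the CGI's
# stdout, the path to use for its stderr, and a Marshal dump of the
# environment the CGI is to run with.
STDIN.binmode

# File.open rather than Kernel#open: Kernel#open treats a path beginning with
# "|" as a command to run (in the Ruby versions that support that form),
# whereas File.open only ever opens a file.
len = sysread(STDIN, 8).to_i
out = sysread(STDIN, len)
STDOUT.reopen(File.open(out, "w"))

len = sysread(STDIN, 8).to_i
err = sysread(STDIN, len)
STDERR.reopen(File.open(err, "w"))

# NOTE(security): Marshal.restore can build arbitrary objects from its input.
# That is tolerable only while STDIN is a pipe from the trusted launching
# process; nothing a remote client can influence may be deserialized here.
len  = sysread(STDIN, 8).to_i
dump = sysread(STDIN, len)
hash = Marshal.restore(dump)

# Run the CGI with exactly the received environment: drop everything that was
# inherited, then set each entry that has a value (nil values are skipped).
ENV.clear
hash.each{|k, v| ENV[k] = v if v }

# The script is started from the directory that contains it.
Dir.chdir(File.dirname(ENV["SCRIPT_FILENAME"]))

if ARGV[0]
  # An interpreter command line was supplied: run it with the script path
  # appended. The multi-argument form of exec does not involve a shell.
  argv = ARGV.dup
  argv << ENV["SCRIPT_FILENAME"]
  exec(*argv)
  # NOTREACHED
end
# NOTE(review): the single-string form of exec hands the string to a shell
# when it contains shell metacharacters, so a script path with such characters
# is not executed literally. exec([path, path]) would bypass the shell --
# confirm the behaviour on Windows before changing this.
exec ENV["SCRIPT_FILENAME"]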