Handle null byte when serving static files (#1574)
Handle null byte when serving requests for paths with null bytes.
parent
1f29a6d3e3
commit
3cc2394a12
|
@ -1058,8 +1058,11 @@ module Sinatra
|
||||||
# Attempt to serve static files from public directory. Throws :halt when
|
# Attempt to serve static files from public directory. Throws :halt when
|
||||||
# a matching file is found, returns nil otherwise.
|
# a matching file is found, returns nil otherwise.
|
||||||
def static!(options = {})
|
def static!(options = {})
|
||||||
return if (public_dir = settings.public_folder).nil?
|
return if (public_dir = settings.public_folder).nil?
|
||||||
path = File.expand_path("#{public_dir}#{URI_INSTANCE.unescape(request.path_info)}" )
|
path = "#{public_dir}#{URI_INSTANCE.unescape(request.path_info)}"
|
||||||
|
return unless valid_path?(path)
|
||||||
|
|
||||||
|
path = File.expand_path(path)
|
||||||
return unless File.file?(path)
|
return unless File.file?(path)
|
||||||
|
|
||||||
env['sinatra.static_file'] = path
|
env['sinatra.static_file'] = path
|
||||||
|
|
|
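Review bot: Nothing in the visible lines of `static!` confirms that `path` still lies inside `public_dir` after `File.expand_path(path)` has collapsed any `..` segments coming from the unescaped `request.path_info`. The body of `valid_path?` is not shown in this hunk, so it cannot be assumed to cover that, and the check may well live in upstream middleware. If it does not, a containment test directly after the expansion would close the gap, for example `return unless path.start_with?(File.expand_path(public_dir) + '/')`. A why-comment above the new guard would also help the next reader, such as `# must run before File.expand_path, which raises ArgumentError on a null byte`. The body of `static!` continues outside the hunk.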
@ -59,6 +59,11 @@ class StaticTest < Minitest::Test
|
||||||
assert not_found?
|
assert not_found?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'passes to the next handler when the path contains null bytes' do
|
||||||
|
get "/foo%00"
|
||||||
|
assert not_found?
|
||||||
|
end
|
||||||
|
|
||||||
it 'passes to the next handler when the static option is disabled' do
|
it 'passes to the next handler when the static option is disabled' do
|
||||||
@app.set :static, false
|
@app.set :static, false
|
||||||
get "/#{File.basename(__FILE__)}"
|
get "/#{File.basename(__FILE__)}"
|
||||||
|
|
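Review bot: The new case only sends a null byte after a name that does not exist (`/foo%00`), so it does not show that a null byte after the name of a file that is actually present gets passed on rather than served. A second request in the same test, reusing the file the neighbouring cases already request, would pin that: `get "/#{File.basename(__FILE__)}%00"` followed by `assert not_found?`. The `it` block that follows the added test continues outside the hunk.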