validate expanded path matches public_dir when serving static files
This commit is contained in:
parent
ed2add3785
commit
462c3ca1db
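--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1090,6 +1090,7 @@ module Sinatra
 return unless valid_path?(path)
 
 path = File.expand_path(path)
+return unless path.start_with?(File.expand_path(public_dir) + '/')
 return unless File.file?(path)
 
 env['sinatra.static_file'] = path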
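Review bot: The added prefix guard misbehaves when public_dir expands to the filesystem root, because `File.expand_path('/') + '/'` is `//` and no expanded file path starts with that, so every static request would be rejected; `return unless path.start_with?(File.join(File.expand_path(public_dir), ''))` produces a correctly terminated prefix for both the root and the normal case. The line also deserves a why-comment, since the reason for comparing against the expanded directory rather than the raw setting is not obvious: `# compare expanded paths so that ".." segments cannot escape public_dir; the trailing "/" stops sibling directories sharing the prefix from matching`. Note that File.expand_path does not resolve symlinks, so a link inside public_dir that points elsewhere is still served — presumably intended, but worth stating in that comment. The enclosing method starts and ends outside the hunk.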
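--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -97,6 +97,7 @@ class StaticTest < Minitest::Test
 mock_app do
 set :static, true
 set :public_folder, __dir__ + '/data'
+disable :protection
 end
 get "/../#{File.basename(__FILE__)}"
 assert not_found?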
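Review bot: The added `disable :protection` carries no explanation, and a later reader could reasonably remove it as an accidental weakening of the test app; presumably it is there so the traversal request reaches the static file handler's own check instead of being rejected earlier by the Rack::Protection middleware. A one-line comment would preserve that intent: `# turn off Rack::Protection so the 404 comes from static!'s path check, not the middleware`. The test as written only exercises the rejection path; a companion assertion that a file inside `public_folder` is still served would catch the new prefix check being too strict, for example if `public_folder` were configured with a trailing slash. The test method's header lies outside the hunk.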