mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00

Fix PathTraversal to work against PATH_INFO in capitals

ITO Nobuaki 2013-04-16 10:52:19 +09:00
parent 34f13c082d
commit 88cd2f0456
2 changed files with 3 additions and 3 deletions


@ -20,7 +20,7 @@ module Rack
def cleanup(path)
parts = []
unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')
unescaped.split('/').each do |part|
next if part.empty? or part == '.'
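Review bot: The case-insensitive match on the `unescaped = ...` line still decodes only the `%2e` and `%2f` escapes, and only once, so the cleanup is only as strong as the assumption that nothing after this middleware decodes the path a second time or treats another character as a separator; nothing in the hunk records that assumption. I would document it above the line, for example `# hex digits in percent-escapes are case-insensitive (RFC 3986, section 2.1); only %2e and %2f are decoded here, in a single pass`. If the protected application or the server in front of it does decode again, that is presumably where a second normalisation belongs. `cleanup` continues past the end of the hunk, so how `..` parts are dropped is not visible here.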


@ -14,8 +14,8 @@ describe Rack::Protection::PathTraversal do
{ # yes, this is ugly, feel free to change that
'/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
'/%2e.' => '/', '/a/%2e%2e/b' => '/b', '/a%2f%2e%2e%2fb/' => '/b/',
'//' => '/', '/%2fetc%2fpasswd' => '/etc/passwd'
'/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
'//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
}.each do |a, b|
it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
end