* lib/webrick/httpservlet/filehandler.rb: should normalize path

name in path_info to prevent script disclosure vulnerability on DOSISH filesystems. (fix: CVE-2008-1891) Note: NTFS/FAT filesystem should not be published by the platforms other than Windows. Pathname interpretation (including short filename) is less than perfect. * lib/webrick/httpservlet/abstract.rb (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri): should escape the value of Location: header. * lib/webrick/httpservlet/cgi_runner.rb: accept interpreter command line arguments. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@16453 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-05-18 13:33:24 +0000
committer: gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-05-18 13:33:24 +0000
commit: 8ee3267d26b4f87a9797573caa3dafb28e6945ee (patch)
tree: ab207c998e2a68cf76acf734851bc00aa14d7d46 /lib/webrick/httpservlet/cgi_runner.rb
parent: a0e236f6065e5dfd68ac8a45ad1ca690042d47b9 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/webrick/httpservlet/cgi_runner.rb b/lib/webrick/httpservlet/cgi_runner.rb
index 1069a68d58..006abd458e 100644
--- a/lib/webrick/httpservlet/cgi_runner.rb
+++ b/lib/webrick/httpservlet/cgi_runner.rb
@@ -39,7 +39,9 @@ dir = File::dirname(ENV["SCRIPT_FILENAME"])
 Dir::chdir dir
 
 if interpreter = ARGV[0]
-  exec(interpreter, ENV["SCRIPT_FILENAME"])
+  argv = ARGV.dup
+  argv << ENV["SCRIPT_FILENAME"]
+  exec(*argv)
   # NOTREACHED
 end
 exec ENV["SCRIPT_FILENAME"]
author	gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-05-18 13:33:24 +0000
committer	gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-05-18 13:33:24 +0000
commit	8ee3267d26b4f87a9797573caa3dafb28e6945ee (patch)
tree	ab207c998e2a68cf76acf734851bc00aa14d7d46 /lib/webrick/httpservlet/cgi_runner.rb
parent	a0e236f6065e5dfd68ac8a45ad1ca690042d47b9 (diff)