authornormal <normal@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-12-22 01:08:00 +0000
committernormal <normal@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2017-12-22 01:08:00 +0000
commit1ad355bd53653161e705e7d919b3ad1ea793a3f5 (patch)
treeedb1aa2c3dbf5399256bdc12a94b60c38a43ec4b /lib/webrick/httpservlet
parent1989371d10bccc2a1e6e9b31bd17992899870372 (diff)
webrick/httpservlet/*handler: use File.open
This makes future code audits easier. None of these changes fix realistic remote code execution vulnerabilities because we stat(2) before attempting Kernel#open. * lib/webrick/httpservlet/erbhandler.rb (do_GET): use File.open * lib/webrick/httpservlet/filehandler.rb (do_GET): use File.open (make_partial_content): ditto [Misc #14216] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61401 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/webrick/httpservlet')
-rw-r--r--lib/webrick/httpservlet/erbhandler.rb2
-rw-r--r--lib/webrick/httpservlet/filehandler.rb4
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/webrick/httpservlet/erbhandler.rb b/lib/webrick/httpservlet/erbhandler.rb
index 9bcec69883..aa02ce8a1d 100644
--- a/lib/webrick/httpservlet/erbhandler.rb
+++ b/lib/webrick/httpservlet/erbhandler.rb
@@ -53,7 +53,7 @@ module WEBrick
raise HTTPStatus::Forbidden, "ERBHandler cannot work."
end
begin
- data = open(@script_filename){|io| io.read }
+ data = File.open(@script_filename, &:read)
res.body = evaluate(ERB.new(data), req, res)
res['content-type'] ||=
HTTPUtils::mime_type(@script_filename, @config[:MimeTypes])
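Review bot: Nothing at the changed line in do_GET records why `File.open` is used instead of `Kernel#open`, so a later cleanup could revert it without noticing the difference. `Kernel#open` treats a path beginning with `|` as a command to run, while `File.open` only ever opens a file; a one-line comment above the call would capture that, e.g. `# File.open, not Kernel#open: the path must never be interpreted as a "|command"`. The same comment applies to the two `File.open` calls in filehandler.rb (do_GET and make_partial_content). The commit message relies on a stat(2) made before the open, which is not visible in this hunk, so the comment should not depend on that check staying in place.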
diff --git a/lib/webrick/httpservlet/filehandler.rb b/lib/webrick/httpservlet/filehandler.rb
index 3ea1eec7d0..2c02d0ffe7 100644
--- a/lib/webrick/httpservlet/filehandler.rb
+++ b/lib/webrick/httpservlet/filehandler.rb
@@ -57,7 +57,7 @@ module WEBrick
res['content-type'] = mtype
res['content-length'] = st.size
res['last-modified'] = mtime.httpdate
- res.body = open(@local_path, "rb")
+ res.body = File.open(@local_path, "rb")
end
end
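Review bot: `res['content-length']` and `res['last-modified']` are filled from `st` and `mtime`, which appear to come from a stat taken before this `File.open`, so the headers and the bytes actually served can disagree if the file is replaced or truncated in between. Opening the file first and reading size and mtime from the handle (`File#stat` on the opened file) would tie both to the same file. The handle is also assigned to `res.body` without a block, so closing it depends on whatever writes the response; a comment naming the owner would help, e.g. `# closed by the response writer once the body is sent` (confirm against HTTPResponse). `st` and `mtime` are assigned outside the hunk.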
@@ -92,7 +92,7 @@ module WEBrick
raise HTTPStatus::BadRequest,
"Unrecognized range-spec: \"#{req['range']}\""
end
- open(filename, "rb"){|io|
+ File.open(filename, "rb"){|io|
if ranges.size > 1
time = Time.now
boundary = "#{time.sec}_#{time.usec}_#{Process::pid}"
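Review bot: The multipart boundary built inside the `ranges.size > 1` branch comes from `time.sec`, `time.usec` and `Process::pid`, so it is guessable and it sends the server's process id to any client that asks for several ranges. A random token avoids both, for example `boundary = SecureRandom.hex(16)` with `require 'securerandom'` at the top of the file. The block opened by `File.open(filename, "rb"){|io|` continues past the end of the hunk, so how the boundary is used further down is not visible here.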