* lib/webrick/httpservlet/filehandler.rb: should normalize path

  name in path_info to prevent script disclosure vulnerability on
  DOSISH filesystems. (fix: CVE-2008-1891)
  Note: NTFS/FAT filesystem should not be published by the platforms
  other than Windows. Pathname interpretation (including short
  filename) is less than perfect.

* lib/webrick/httpservlet/abstract.rb
  (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri):
  should escape the value of Location: header.

* lib/webrick/httpservlet/cgi_runner.rb: accept interpreter
  command line arguments.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_6@16495 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 36 insertions, 0 deletions

diff --git a/test/webrick/webrick_long_filename.cgi b/test/webrick/webrick_long_filename.cgi
new file mode 100755
index 0000000000..73ba729407
--- /dev/null
+++ b/test/webrick/webrick_long_filename.cgi
@@ -0,0 +1,36 @@
+#!ruby -d
+require "webrick/cgi"
+
+class TestApp < WEBrick::CGI
+  def do_GET(req, res)
+    res["content-type"] = "text/plain"
+    if (p = req.path_info) && p.length > 0
+      res.body = p
+    elsif (q = req.query).size > 0
+      res.body = q.keys.sort.collect{|key|
+        q[key].list.sort.collect{|v|
+          "#{key}=#{v}"
+        }.join(", ")
+      }.join(", ")
+    elsif %r{/$} =~ req.request_uri.to_s
+      res.body = ""
+      res.body << req.request_uri.to_s  << "\n"
+      res.body << req.script_name
+    elsif !req.cookies.empty?
+      res.body = req.cookies.inject(""){|result, cookie|
+        result << "%s=%s\n" % [cookie.name, cookie.value]
+      }
+      res.cookies << WEBrick::Cookie.new("Customer", "WILE_E_COYOTE")
+      res.cookies << WEBrick::Cookie.new("Shipping", "FedEx")
+    else
+      res.body = req.script_name
+    end
+  end
+
+  def do_POST(req, res)
+    do_GET(req, res)
+  end
+end
+
+cgi = TestApp.new
+cgi.start