summaryrefslogtreecommitdiff
path: root/test/webrick
diff options
context:
space:
mode:
authorgotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2008-03-03 14:31:30 +0000
committergotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2008-03-03 14:31:30 +0000
commit10a0d4b61dd575be73c2e2b6223f1bf7d34c63ea (patch)
treed8dc28281572a27e3d7f438cfc9d2e4c1c107bdf /test/webrick
parent7c9e815d940c0b8de7b4a212301c8b1cef62ae2d (diff)
* lib/webrick/httpservlet/filehandler.rb: should normalize path
separators in path_info to prevent directory traversal attacks on DOSISH platforms. reported by Digital Security Research Group [DSECRG-08-026]. * lib/webrick/httpservlet/filehandler.rb: pathnames which have not to be published should be checked case-insensitively. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@15676 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/webrick')
-rw-r--r--test/webrick/test_filehandler.rb59
1 files changed, 59 insertions, 0 deletions
diff --git a/test/webrick/test_filehandler.rb b/test/webrick/test_filehandler.rb
index 64b2fcf..4c4a615 100644
--- a/test/webrick/test_filehandler.rb
+++ b/test/webrick/test_filehandler.rb
@@ -1,6 +1,7 @@
require "test/unit"
require "webrick"
require "stringio"
+require File.join(File.dirname(__FILE__), "utils.rb")
class WEBrick::TestFileHandler < Test::Unit::TestCase
def default_file_handler(filename)
@@ -66,4 +67,62 @@ class WEBrick::TestFileHandler < Test::Unit::TestCase
res = make_range_response(filename, "bytes=0-0, -2")
assert_match(%r{^multipart/byteranges}, res["content-type"])
end
+
+ def test_filehandler
+ config = { :DocumentRoot => File.dirname(__FILE__), }
+ this_file = File.basename(__FILE__)
+ TestWEBrick.start_httpserver(config) do |server, addr, port|
+ http = Net::HTTP.new(addr, port)
+ req = Net::HTTP::Get.new("/")
+ http.request(req){|res|
+ assert_equal("200", res.code)
+ assert_equal("text/html", res.content_type)
+ assert_match(/HREF="#{this_file}"/, res.body)
+ }
+ req = Net::HTTP::Get.new("/#{this_file}")
+ http.request(req){|res|
+ assert_equal("200", res.code)
+ assert_equal("text/plain", res.content_type)
+ assert_equal(File.read(__FILE__), res.body)
+ }
+ end
+ end
+
+ def test_non_disclosure_name
+ config = { :DocumentRoot => File.dirname(__FILE__), }
+ this_file = File.basename(__FILE__)
+ TestWEBrick.start_httpserver(config) do |server, addr, port|
+ http = Net::HTTP.new(addr, port)
+ doc_root_opts = server[:DocumentRootOptions]
+ doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*)
+ req = Net::HTTP::Get.new("/")
+ http.request(req){|res|
+ assert_equal("200", res.code)
+ assert_equal("text/html", res.content_type)
+ assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body)
+ }
+ req = Net::HTTP::Get.new("/#{this_file}")
+ http.request(req){|res|
+ assert_equal("404", res.code)
+ }
+ doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*)
+ http.request(req){|res|
+ assert_equal("404", res.code)
+ }
+ end
+ end
+
+ def test_directory_traversal
+ config = { :DocumentRoot => File.dirname(__FILE__), }
+ this_file = File.basename(__FILE__)
+ TestWEBrick.start_httpserver(config) do |server, addr, port|
+ http = Net::HTTP.new(addr, port)
+ req = Net::HTTP::Get.new("/../../")
+ http.request(req){|res| assert_equal("400", res.code) }
+ req = Net::HTTP::Get.new(
+ "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini"
+ )
+ http.request(req){|res| assert_equal("404", res.code) }
+ end
+ end
end