diff options
| author | gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2008-03-03 14:31:30 +0000 |
|---|---|---|
| committer | gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2008-03-03 14:31:30 +0000 |
| commit | 10a0d4b61dd575be73c2e2b6223f1bf7d34c63ea (patch) | |
| tree | d8dc28281572a27e3d7f438cfc9d2e4c1c107bdf /test/webrick | |
| parent | 7c9e815d940c0b8de7b4a212301c8b1cef62ae2d (diff) | |
* lib/webrick/httpservlet/filehandler.rb: should normalize path
separators in path_info to prevent directory traversal
attacks on DOSISH platforms.
reported by Digital Security Research Group [DSECRG-08-026].
* lib/webrick/httpservlet/filehandler.rb: pathnames which have
not to be published should be checked case-insensitively.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@15676 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/webrick')
| -rw-r--r-- | test/webrick/test_filehandler.rb | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/test/webrick/test_filehandler.rb b/test/webrick/test_filehandler.rb index 64b2fcf231..4c4a615f4a 100644 --- a/test/webrick/test_filehandler.rb +++ b/test/webrick/test_filehandler.rb @@ -1,6 +1,7 @@ require "test/unit" require "webrick" require "stringio" +require File.join(File.dirname(__FILE__), "utils.rb") class WEBrick::TestFileHandler < Test::Unit::TestCase def default_file_handler(filename) @@ -66,4 +67,62 @@ class WEBrick::TestFileHandler < Test::Unit::TestCase res = make_range_response(filename, "bytes=0-0, -2") assert_match(%r{^multipart/byteranges}, res["content-type"]) end + + def test_filehandler + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + req = Net::HTTP::Get.new("/") + http.request(req){|res| + assert_equal("200", res.code) + assert_equal("text/html", res.content_type) + assert_match(/HREF="#{this_file}"/, res.body) + } + req = Net::HTTP::Get.new("/#{this_file}") + http.request(req){|res| + assert_equal("200", res.code) + assert_equal("text/plain", res.content_type) + assert_equal(File.read(__FILE__), res.body) + } + end + end + + def test_non_disclosure_name + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + doc_root_opts = server[:DocumentRootOptions] + doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*) + req = Net::HTTP::Get.new("/") + http.request(req){|res| + assert_equal("200", res.code) + assert_equal("text/html", res.content_type) + assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body) + } + req = Net::HTTP::Get.new("/#{this_file}") + http.request(req){|res| + assert_equal("404", res.code) + } + doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*) + http.request(req){|res| + assert_equal("404", res.code) + } + end + end + + def test_directory_traversal + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + req = Net::HTTP::Get.new("/../../") + http.request(req){|res| assert_equal("400", res.code) } + req = Net::HTTP::Get.new( + "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini" + ) + http.request(req){|res| assert_equal("404", res.code) } + end + end end |