From ab408009fcca4b8b0d307857e1b7116ad1f4ff10 Mon Sep 17 00:00:00 2001
From: mame
Date: Thu, 17 Jun 2010 16:26:00 +0000
Subject: * lib/webrick/httpservlet/filehandler.rb (prevent_directory_traversal): apply filesystem encoding to path only during calling File.expand_path. [ruby-dev:41423]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28354 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 6 ++++++
 lib/webrick/httpservlet/filehandler.rb | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 310d760e97..7696f91a5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Fri Jun 18 01:22:55 2010 Yusuke Endoh
+
+ * lib/webrick/httpservlet/filehandler.rb
+ (prevent_directory_traversal): apply filesystem encoding to path
+ only during calling File.expand_path. [ruby-dev:41423]
+
 Thu Jun 17 23:20:14 2010 Yusuke Endoh

 * load.c (rb_load_internal): remove call to rb_realpath_internal
diff --git a/lib/webrick/httpservlet/filehandler.rb b/lib/webrick/httpservlet/filehandler.rb
index 32c19651e7..daad8abd27 100644
--- a/lib/webrick/httpservlet/filehandler.rb
+++ b/lib/webrick/httpservlet/filehandler.rb
@@ -214,16 +214,20 @@ module WEBrick
 # character in URI notation. So the value of path_info should be
 # normalize before accessing to the filesystem.
+ # dirty hack for filesystem encoding; in nature, File.expand_path
+ # should not be used for path normalization. [Bug #3345]
+ path = req.path_info.dup.force_encoding(Encoding.find("filesystem"))
 if trailing_pathsep?(req.path_info)
 # File.expand_path removes the trailing path separator.
 # Adding a character is a workaround to save it.
 # File.expand_path("/aaa/") #=> "/aaa"
 # File.expand_path("/aaa/" + "x") #=> "/aaa/x"
- expanded = File.expand_path(req.path_info + "x")
+ expanded = File.expand_path(path + "x")
 expanded.chop! # remove trailing "x"
 else
- expanded = File.expand_path(req.path_info)
+ expanded = File.expand_path(path)
 end
+ expanded.force_encoding(req.path_info.encoding)
 req.path_info = expanded
 end
-- 
cgit v1.2.3
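Review bot: The added `path = req.path_info.dup.force_encoding(Encoding.find("filesystem"))` relabels the request bytes without checking that they are valid in that encoding, so a path_info carrying byte sequences that are not valid in the filesystem encoding reaches `File.expand_path` as an invalidly-encoded string, and how expand_path normalizes such bytes is platform- and version-dependent — since this is the traversal guard, that normalization should not be left undefined. A cheap guard right after the relabel, `raise HTTPStatus::BadRequest, "invalid byte sequence in path" unless path.valid_encoding?`, rejects such requests before normalization (assuming this handler already raises WEBrick HTTPStatus errors, as the rest of the file appears to; otherwise use its existing error convention). The new comment calls the relabel a dirty hack but does not say what it achieves; I would extend it with something like `# expand_path must see the bytes in the filesystem encoding so that a multibyte character is not split at a separator byte — confirm this is the failure Bug #3345 describes`, hedged because the bug report itself is not visible here. The enclosing method (prevent_directory_traversal, per the subject line) begins before this hunk, and the downstream check on the normalized path_info lies outside it.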