From 10a0d4b61dd575be73c2e2b6223f1bf7d34c63ea Mon Sep 17 00:00:00 2001
From: gotoyuzo
Date: Mon, 3 Mar 2008 14:31:30 +0000
Subject: * lib/webrick/httpservlet/filehandler.rb: should normalize path separators in path_info to prevent directory traversal attacks on DOSISH platforms. reported by Digital Security Research Group [DSECRG-08-026].
* lib/webrick/httpservlet/filehandler.rb: pathnames which have not to be published should be checked case-insensitively.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@15676 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/webrick/test_filehandler.rb | 59 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
(limited to 'test/webrick')
diff --git a/test/webrick/test_filehandler.rb b/test/webrick/test_filehandler.rb
index 64b2fcf231..4c4a615f4a 100644
--- a/test/webrick/test_filehandler.rb
+++ b/test/webrick/test_filehandler.rb
@@ -1,6 +1,7 @@
 require "test/unit"
 require "webrick"
 require "stringio"
+require File.join(File.dirname(__FILE__), "utils.rb")
 
 class WEBrick::TestFileHandler < Test::Unit::TestCase
   def default_file_handler(filename)
@@ -66,4 +67,62 @@ class WEBrick::TestFileHandler < Test::Unit::TestCase
     res = make_range_response(filename, "bytes=0-0, -2")
     assert_match(%r{^multipart/byteranges}, res["content-type"])
   end
+
+  def test_filehandler
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/html", res.content_type)
+        assert_match(/HREF="#{this_file}"/, res.body)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/plain", res.content_type)
+        assert_equal(File.read(__FILE__), res.body)
+      }
+    end
+  end
+
+  def test_non_disclosure_name
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      doc_root_opts = server[:DocumentRootOptions]
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/html", res.content_type)
+        assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("404", res.code)
+      }
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*)
+      http.request(req){|res|
+        assert_equal("404", res.code)
+      }
+    end
+  end
+
+  def test_directory_traversal
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/../../")
+      http.request(req){|res| assert_equal("400", res.code) }
+      req = Net::HTTP::Get.new(
+        "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini"
+      )
+      http.request(req){|res| assert_equal("404", res.code) }
+    end
+  end
 end
--
cgit v1.2.3