
Commit 70cb322

Use a fully resolved file path when confirming if a file can be served by Rack::Static.
1 parent c827c33 commit 70cb322

2 files changed

+8
-1
lines changed


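--- a/lib/rack/static.rb
+++ b/lib/rack/static.rb
@@ -124,8 +124,9 @@ def can_serve(path)
 
 def call(env)
 path = env[PATH_INFO]
+actual_path = Utils.clean_path_info(Utils.unescape_path(path))
 
-if can_serve(path)
+if can_serve(actual_path)
 if overwrite_file_path(path)
 env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
 elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])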
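Review bot: Only the `can_serve` check now sees the normalized path; the lines that follow (`overwrite_file_path(path)`, `add_index_root?(path)`, `@urls[path]`) still operate on the raw `PATH_INFO`, so the prefix decision and the rewrite decision are made on two different spellings of the same request. If the raw form is required there because `@urls` keys are matched against the unescaped path, that is worth stating, since a later reader will otherwise assume it is an oversight and "fix" it. The new line would also benefit from a why-comment such as `# normalize escapes and '..' segments so the :urls check sees the path that would actually be opened`, because the reason for checking a different variable than the one later assigned is not obvious from the code. The body of `call` continues past the end of the hunk, so I cannot see whether `actual_path` is reused further down.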

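--- a/test/spec_static.rb
+++ b/test/spec_static.rb
@@ -49,6 +49,12 @@ def static(app, *args)
 res.body.must_match(/ruby/)
 end
 
+it "does not serve files outside :urls" do
+res = @request.get("/cgi/../#{File.basename(__FILE__)}")
+res.must_be :ok?
+res.body.must_equal "Hello World"
+end
+
 it "404s if url root is known but it can't find the file" do
 res = @request.get("/cgi/foo")
 res.must_be :not_found?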
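Review bot: The new example exercises only the `clean_path_info` half of the fix, since the request path contains a literal `..`; the `unescape_path` call that the commit also adds is left untested, so a regression that drops it would pass this suite. A second example with the same request path percent-encoded would pin both halves. The expected `"Hello World"` body is presumably what the fallback app built in the `static` helper returns, but that helper is outside the hunk, so I cannot confirm it here; a short comment on the example, `# falls through to the app instead of serving the spec file`, would make the intent explicit.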
