RubyGems - sinatra - Versions diffs - 0.9.1 → 0.9.1.1 - Mend

sinatra 0.9.1 → 0.9.1.1

This version of sinatra might be problematic. Click here for more details.

Files changed (5) hide show

data/CHANGES CHANGED

@@ -1,3 +1,8 @@
+= 0.9.1.1 / 2009-03-09
+ * Fix directory traversal vulnerability in default static files
+   route. See [#177] for more info.
 = 0.9.1 / 2009-03-01
  * Sinatra now runs under Ruby 1.9.1 [#61]

data/lib/sinatra/base.rb CHANGED

@@ -5,7 +5,7 @@ require 'rack'
 require 'rack/builder'
 module Sinatra
-  VERSION = '0.9.1'
+  VERSION = '0.9.1.1'
   # The request object. See Rack::Request for more info:
   # http://rack.rubyforge.org/doc/classes/Rack/Request.html
@@ -884,7 +884,9 @@ module Sinatra
     # static files route
     get(/.*[^\/]$/) do
       pass unless options.static? && options.public?
-      path = options.public + unescape(request.path_info)
+      public_dir = File.expand_path(options.public)
+      path = File.expand_path(public_dir + unescape(request.path_info))
+      pass if path[0, public_dir.length] != public_dir
       pass unless File.file?(path)
       send_file path, :disposition => nil
     end

data/sinatra.gemspec CHANGED

@@ -3,8 +3,8 @@ Gem::Specification.new do |s|
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.name = 'sinatra'
-  s.version = '0.9.1'
-  s.date = '2009-03-02'
+  s.version = '0.9.1.1'
+  s.date = '2009-03-09'
   s.description = "Classy web-development dressed in a DSL"
   s.summary     = "Classy web-development dressed in a DSL"

data/test/static_test.rb CHANGED

@@ -62,4 +62,19 @@ describe 'Static' do
     get "/foobarbaz.txt"
     assert not_found?
   end
+  it 'serves files when .. path traverses within public directory' do
+    get "/data/../#{File.basename(__FILE__)}"
+    assert ok?
+    assert_equal File.read(__FILE__), body
+  end
+  it '404s when .. path traverses outside of public directory' do
+    mock_app {
+      set :static, true
+      set :public, File.dirname(__FILE__) + '/data'
+    }
+    get "/../#{File.basename(__FILE__)}"
+    assert not_found?
+  end
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.1.1
 platform: ruby
 authors:
 - Blake Mizerany
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2009-03-02 00:00:00 -08:00
+date: 2009-03-09 00:00:00 -07:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency