sinatra 0.9.1 → 0.9.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of sinatra might be problematic. Click here for more details.
- data/CHANGES +5 -0
- data/lib/sinatra/base.rb +4 -2
- data/sinatra.gemspec +2 -2
- data/test/static_test.rb +15 -0
- metadata +2 -2
data/CHANGES
CHANGED
data/lib/sinatra/base.rb
CHANGED
|
@@ -5,7 +5,7 @@ require 'rack'
|
|
|
5
5
|
require 'rack/builder'
|
|
6
6
|
|
|
7
7
|
module Sinatra
|
|
8
|
-
VERSION = '0.9.1'
|
|
8
|
+
VERSION = '0.9.1.1'
|
|
9
9
|
|
|
10
10
|
# The request object. See Rack::Request for more info:
|
|
11
11
|
# http://rack.rubyforge.org/doc/classes/Rack/Request.html
|
|
@@ -884,7 +884,9 @@ module Sinatra
|
|
|
884
884
|
# static files route
|
|
885
885
|
get(/.*[^\/]$/) do
|
|
886
886
|
pass unless options.static? && options.public?
|
|
887
|
-
|
|
887
|
+
public_dir = File.expand_path(options.public)
|
|
888
|
+
path = File.expand_path(public_dir + unescape(request.path_info))
|
|
889
|
+
pass if path[0, public_dir.length] != public_dir
|
|
888
890
|
pass unless File.file?(path)
|
|
889
891
|
send_file path, :disposition => nil
|
|
890
892
|
end
|
data/sinatra.gemspec
CHANGED
|
@@ -3,8 +3,8 @@ Gem::Specification.new do |s|
|
|
|
3
3
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
4
4
|
|
|
5
5
|
s.name = 'sinatra'
|
|
6
|
-
s.version = '0.9.1'
|
|
7
|
-
s.date = '2009-03-
|
|
6
|
+
s.version = '0.9.1.1'
|
|
7
|
+
s.date = '2009-03-09'
|
|
8
8
|
|
|
9
9
|
s.description = "Classy web-development dressed in a DSL"
|
|
10
10
|
s.summary = "Classy web-development dressed in a DSL"
|
data/test/static_test.rb
CHANGED
|
@@ -62,4 +62,19 @@ describe 'Static' do
|
|
|
62
62
|
get "/foobarbaz.txt"
|
|
63
63
|
assert not_found?
|
|
64
64
|
end
|
|
65
|
+
|
|
66
|
+
it 'serves files when .. path traverses within public directory' do
|
|
67
|
+
get "/data/../#{File.basename(__FILE__)}"
|
|
68
|
+
assert ok?
|
|
69
|
+
assert_equal File.read(__FILE__), body
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
it '404s when .. path traverses outside of public directory' do
|
|
73
|
+
mock_app {
|
|
74
|
+
set :static, true
|
|
75
|
+
set :public, File.dirname(__FILE__) + '/data'
|
|
76
|
+
}
|
|
77
|
+
get "/../#{File.basename(__FILE__)}"
|
|
78
|
+
assert not_found?
|
|
79
|
+
end
|
|
65
80
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sinatra
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.9.1
|
|
4
|
+
version: 0.9.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Blake Mizerany
|
|
@@ -9,7 +9,7 @@ autorequire:
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2009-03-
|
|
12
|
+
date: 2009-03-09 00:00:00 -07:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|