sinatra 0.9.0.4 → 0.9.0.5
- data/lib/sinatra/base.rb +4 -2
- data/sinatra.gemspec +2 -2
- data/test/static_test.rb +15 -0
- metadata +2 -2
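--- a/data/lib/sinatra/base.rb
+++ b/data/lib/sinatra/base.rb
@@ -4,7 +4,7 @@ require 'rack'
 require 'rack/builder'
 
 module Sinatra
-VERSION = '0.9.0.
+VERSION = '0.9.0.5'
 
 class Request < Rack::Request
 def user_agent
@@ -741,7 +741,9 @@ module Sinatra
 # static files route
 get(/.*[^\/]$/) do
 pass unless options.static? && options.public?
-
+public_dir = File.expand_path(options.public)
+path = File.expand_path(public_dir + unescape(request.path_info))
+pass if path[0, public_dir.length] != public_dir
 pass unless File.file?(path)
 send_file path, :disposition => nil
 end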
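Review bot: The containment check `pass if path[0, public_dir.length] != public_dir` is a plain string-prefix comparison, so an expanded path in a sibling directory whose name merely begins with the public directory's name (constructed example: `/srv/app/public-old/...` against `/srv/app/public`) still passes it. Comparing against the directory plus a separator closes that gap, e.g. `pass if path[0, public_dir.length + 1] != public_dir + '/'`. `File.expand_path` also normalises the path lexically and does not resolve symlinks, so a link inside the public directory that points elsewhere is presumably still served. A comment above the check such as `# lexical containment only; symlinks under public are trusted` would make that assumption explicit.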
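--- a/data/sinatra.gemspec
+++ b/data/sinatra.gemspec
@@ -3,8 +3,8 @@ Gem::Specification.new do |s|
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 
 s.name = 'sinatra'
-s.version = '0.9.0.
-s.date = '2009-
+s.version = '0.9.0.5'
+s.date = '2009-03-09'
 
 s.description = "Classy web-development dressed in a DSL"
 s.summary = "Classy web-development dressed in a DSL"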
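--- a/data/test/static_test.rb
+++ b/data/test/static_test.rb
@@ -64,4 +64,19 @@ describe 'Static' do
 get "/foobarbaz.txt"
 assert not_found?
 end
+
+it 'serves files when .. path traverses within public directory' do
+get "/data/../#{File.basename(__FILE__)}"
+assert ok?
+assert_equal File.read(__FILE__), body
+end
+
+it '404s when .. path traverses outside of public directory' do
+mock_app {
+set :static, true
+set :public, File.dirname(__FILE__) + '/data'
+}
+get "/../#{File.basename(__FILE__)}"
+assert not_found?
+end
 end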
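Review bot: The new '404s when .. path traverses outside of public directory' case only covers a literal `..` segment that leaves the tree entirely. Nothing pins the guard for a target directory whose name shares the public directory's name as a prefix, or for a percent-encoded form of the segment, even though the route calls `unescape` on `request.path_info`. Adding one case for each, ending in `assert not_found?`, would keep the containment check from regressing. The enclosing `describe 'Static'` block starts outside this hunk, so any shared setup it relies on is not visible here.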
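--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-version: 0.9.0.
+version: 0.9.0.5
 platform: ruby
 authors:
 - Blake Mizerany
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-
+date: 2009-03-09 00:00:00 -07:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency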