sinatra 0.9.0.4 → 0.9.0.5
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of sinatra might be problematic. Click here for more details.
- data/lib/sinatra/base.rb +4 -2
- data/sinatra.gemspec +2 -2
- data/test/static_test.rb +15 -0
- metadata +2 -2
data/lib/sinatra/base.rb
CHANGED
|
@@ -4,7 +4,7 @@ require 'rack'
|
|
|
4
4
|
require 'rack/builder'
|
|
5
5
|
|
|
6
6
|
module Sinatra
|
|
7
|
-
VERSION = '0.9.0.
|
|
7
|
+
VERSION = '0.9.0.5'
|
|
8
8
|
|
|
9
9
|
class Request < Rack::Request
|
|
10
10
|
def user_agent
|
|
@@ -741,7 +741,9 @@ module Sinatra
|
|
|
741
741
|
# static files route
|
|
742
742
|
get(/.*[^\/]$/) do
|
|
743
743
|
pass unless options.static? && options.public?
|
|
744
|
-
|
|
744
|
+
public_dir = File.expand_path(options.public)
|
|
745
|
+
path = File.expand_path(public_dir + unescape(request.path_info))
|
|
746
|
+
pass if path[0, public_dir.length] != public_dir
|
|
745
747
|
pass unless File.file?(path)
|
|
746
748
|
send_file path, :disposition => nil
|
|
747
749
|
end
|
data/sinatra.gemspec
CHANGED
|
@@ -3,8 +3,8 @@ Gem::Specification.new do |s|
|
|
|
3
3
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
4
4
|
|
|
5
5
|
s.name = 'sinatra'
|
|
6
|
-
s.version = '0.9.0.
|
|
7
|
-
s.date = '2009-
|
|
6
|
+
s.version = '0.9.0.5'
|
|
7
|
+
s.date = '2009-03-09'
|
|
8
8
|
|
|
9
9
|
s.description = "Classy web-development dressed in a DSL"
|
|
10
10
|
s.summary = "Classy web-development dressed in a DSL"
|
data/test/static_test.rb
CHANGED
|
@@ -64,4 +64,19 @@ describe 'Static' do
|
|
|
64
64
|
get "/foobarbaz.txt"
|
|
65
65
|
assert not_found?
|
|
66
66
|
end
|
|
67
|
+
|
|
68
|
+
it 'serves files when .. path traverses within public directory' do
|
|
69
|
+
get "/data/../#{File.basename(__FILE__)}"
|
|
70
|
+
assert ok?
|
|
71
|
+
assert_equal File.read(__FILE__), body
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
it '404s when .. path traverses outside of public directory' do
|
|
75
|
+
mock_app {
|
|
76
|
+
set :static, true
|
|
77
|
+
set :public, File.dirname(__FILE__) + '/data'
|
|
78
|
+
}
|
|
79
|
+
get "/../#{File.basename(__FILE__)}"
|
|
80
|
+
assert not_found?
|
|
81
|
+
end
|
|
67
82
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sinatra
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.9.0.
|
|
4
|
+
version: 0.9.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Blake Mizerany
|
|
@@ -9,7 +9,7 @@ autorequire:
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2009-
|
|
12
|
+
date: 2009-03-09 00:00:00 -07:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|