author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-05-04 12:26:27 -0500 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-05-04 12:26:27 -0500 |
commit | 4faf2c4e46cac2038feab722609ddaa983a54c2f (patch) | |
tree | 788d565b102a74bfa4b127aa9d805e94062ed5b2 /lib/rack/directory.rb | |
parent | 790edb18f501b13346e85aed480858399f76010a (diff) | |
parent | 4a6e0bc42c3e0dab34f02253089096d9e9004cd0 (diff) | |
download | rack-4faf2c4e46cac2038feab722609ddaa983a54c2f.tar.gz |
Merge pull request #1065 from jkowens/fix-null-byte
Return 400 if Rack::File or Rack::Directory path contains null byte
Diffstat (limited to 'lib/rack/directory.rb')
-rw-r--r-- | lib/rack/directory.rb | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/rack/directory.rb b/lib/rack/directory.rb
index c026c42a..89cfe807 100644
--- a/lib/rack/directory.rb
+++ b/lib/rack/directory.rb
@@ -71,7 +71,9 @@ table { width:100%%; }
       script_name = env[SCRIPT_NAME]
       path_info = Utils.unescape_path(env[PATH_INFO])
 
-      if forbidden = check_forbidden(path_info)
+      if bad_request = check_bad_request(path_info)
+        bad_request
+      elsif forbidden = check_forbidden(path_info)
         forbidden
       else
         path = ::File.join(@root, path_info)
@@ -79,6 +81,16 @@ table { width:100%%; }
       end
     end
 
+    def check_bad_request(path_info)
+      return if Utils.valid_path?(path_info)
+
+      body = "Bad Request\n"
+      size = body.bytesize
+      return [400, {CONTENT_TYPE => "text/plain",
+        CONTENT_LENGTH => size.to_s,
+        "X-Cascade" => "pass"}, [body]]
+    end
+
     def check_forbidden(path_info)
       return unless path_info.include? ".."
 
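Review bot: `check_bad_request` in the second hunk duplicates the response construction that `check_forbidden` already does (plain-text body, `CONTENT_LENGTH` from `bytesize`, `"X-Cascade" => "pass"`), differing only in status and message, so a small shared helper would keep the 400 and 403 paths from drifting apart; a sketch is below, and `check_forbidden`'s body continues past the end of the hunk, so its call site is not shown. The new method also deserves a why-comment, because the reason it must run on the unescaped `path_info` is not obvious from the code: `# Runs on the output of Utils.unescape_path so a percent-encoded NUL (%00) is rejected as well; the 400 cascades like the 403 from check_forbidden`. The explicit `return` before the array literal is redundant in Ruby, although it mirrors the existing style of `check_forbidden`. Whether `Utils.valid_path?` rejects anything beyond NUL bytes is not visible in this diff (the PR title names only null bytes), so the comment should not claim more than that.
```ruby
    def check_bad_request(path_info)
      return if Utils.valid_path?(path_info)

      # Runs on the output of Utils.unescape_path so a percent-encoded NUL
      # (%00) is rejected as well; the 400 cascades like the 403 below.
      plain_text_response(400, "Bad Request\n")
    end

    # Cascading plain-text error response shared by the 400 and 403 paths.
    def plain_text_response(status, body)
      [status, {CONTENT_TYPE => "text/plain",
        CONTENT_LENGTH => body.bytesize.to_s,
        "X-Cascade" => "pass"}, [body]]
    end

    # … unchanged: check_forbidden (its body, outside the hunk, could use plain_text_response(403, "Forbidden\n")) …
```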