Applied Zed's patch to fix a vulnerability recently introduced whereby url's like "/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd" could serve the password file.

git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/branches/stable_1-1@927 19e92222-5c0b-0410-8929-a290d50e31e9

1 files changed, 7 insertions, 3 deletions

diff --git a/lib/mongrel/handlers.rb b/lib/mongrel/handlers.rb
index ee76179..9b9798e 100644
--- a/lib/mongrel/handlers.rb
+++ b/lib/mongrel/handlers.rb
@@ -132,8 +132,12 @@ module Mongrel
       # Add the drive letter or root path
       req_path = File.join(@path, req_path) if @path
       req_path = File.expand_path req_path
-      
-      if File.exist? req_path
+     
+      # do not remove the check for @path at the beginning, it's what prevents
+      # the serving of arbitrary files (and good programmer Rule #1 Says: If
+      # you don't understand something, it's not because I'm stupid, it's
+      # because you are).
+      if req_path.index(@path) == 0 and File.exist? req_path
         # It exists and it's in the right location
         if File.directory? req_path
           # The request is for a directory
@@ -153,7 +157,7 @@ module Mongrel
           return req_path
         end
       else
-        # does not exist or isn't in the right spot
+        # does not exist or isn't in the right spot or isn't valid because not start with @path
         return nil
       end
     end