Diffstat (limited to 'lib/mongrel/handlers.rb')
-rw-r--r-- | lib/mongrel/handlers.rb | 28 |
1 files changed, 12 insertions, 16 deletions
diff --git a/lib/mongrel/handlers.rb b/lib/mongrel/handlers.rb
index bcee6a0..e643025 100644
--- a/lib/mongrel/handlers.rb
+++ b/lib/mongrel/handlers.rb
@@ -8,7 +8,6 @@
 require 'mongrel/stats'
 require 'zlib'
 require 'yaml'
-
 module Mongrel
 # You implement your application handler with this. It's very light giving
@@ -102,7 +101,8 @@ module Mongrel
 #
 # If you pass nil as the root path, it will not check any locations or
 # expand any paths. This lets you serve files from multiple drives
- # on win32.
+ # on win32. It should probably not be used in a public-facing way
+ # without additional checks.
 #
 # The default content type is "text/plain; charset=ISO-8859-1" but you
 # can change it anything you want using the DirHandler.default_content_type
@@ -120,7 +120,7 @@ module Mongrel
 # You give it the path to the directory root and and optional listing_allowed and index_html
 def initialize(path, listing_allowed=true, index_html="index.html")
 @path = File.expand_path(path) if path
- @listing_allowed=listing_allowed
+ @listing_allowed = listing_allowed
 @index_html = index_html
 @default_content_type = "application/octet-stream".freeze
 end
@@ -132,12 +132,8 @@ module Mongrel
 # Add the drive letter or root path
 req_path = File.join(@path, req_path) if @path
 req_path = File.expand_path req_path
-
- # do not remove the check for @path at the beginning, it's what prevents
- # the serving of arbitrary files (and good programmer Rule #1 Says: If
- # you don't understand something, it's not because I'm stupid, it's
- # because you are).
- if req_path.index(@path) == 0 and File.exist? req_path
+
+ if File.exist? req_path and (!@path or req_path.index(@path) == 0)
 # It exists and it's in the right location
 if File.directory? req_path
 # The request is for a directory
@@ -157,7 +153,7 @@ module Mongrel
 return req_path
 end
 else
- # does not exist or isn't in the right spot or isn't valid because not start with @path
+ # does not exist or isn't in the right spot
 return nil
 end
 end
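Review bot: The containment test kept in the rewritten condition of the `@@ -132,12 +132,8` hunk, `req_path.index(@path) == 0`, is a string-prefix check rather than a path-boundary check, so a root of `/srv/www` also accepts `/srv/www-private/secret` (constructed example); the check predates this commit, but the commit reorders it and deletes the comment that documented its purpose, so this is the place to tighten it. Compare on a separator boundary instead: `if File.exist? req_path and (!@path or req_path == @path or req_path.index(@path + File::SEPARATOR) == 0)`. The new `!@path` clause makes the nil-root mode serve whatever existing path the request resolves to, which the doc hunk above only hints at; a one-line comment at the condition, `# nil root: no containment check is done, any existing path is served`, keeps that visible where the decision is made. Note also that `File.expand_path` normalises `..` but does not resolve symlinks, so a link inside the root still escapes the prefix check; resolve the real path before comparing if that matters for the deployment. The method enclosing this condition begins before the hunk.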
@@ -209,11 +205,11 @@ module Mongrel
 # test to see if this is a conditional request, and test if
 # the response would be identical to the last response
 same_response = case
- when modified_since && !last_response_time = Time.httpdate(modified_since) rescue nil then false
- when modified_since && last_response_time > Time.now then false
- when modified_since && mtime > last_response_time then false
- when none_match && none_match == '*' then false
- when none_match && !none_match.strip.split(/\s*,\s*/).include?(etag) then false
+ when modified_since && !last_response_time = Time.httpdate(modified_since) rescue nil : false
+ when modified_since && last_response_time > Time.now : false
+ when modified_since && mtime > last_response_time : false
+ when none_match && none_match == '*' : false
+ when none_match && !none_match.strip.split(/\s*,\s*/).include?(etag) : false
 else modified_since || none_match # validation successful if we get this far and at least one of the header exists
 end
@@ -270,7 +266,7 @@ module Mongrel
 response.start(403) {|head,out| out.write(ONLY_HEAD_GET) }
 end
 rescue => details
- STDERR.puts "#{Time.now.httpdate}: Error sending file #{req_path}: #{details}"
+ STDERR.puts "Error sending file #{req_path}: #{details}"
 end
 end
 end |
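Review bot: The `then` to `:` rewrite on the five `when` lines of the `@@ -209,11 +205,11` hunk replaces a form every Ruby version accepts with the `when cond : expr` shorthand that Ruby 1.8 accepts but 1.9 and later removed, so the hunk pins handlers.rb to 1.8 with no change in behaviour; keeping `then`, or putting each `when` body on its own line, avoids that. The first `when` also ends in a `rescue nil` modifier immediately before the new `:`, and I am not certain the 1.8 parser attaches that modifier to the `Time.httpdate` call rather than to the whole `when` expression, which is worth confirming with a malformed `If-Modified-Since` value since a raised exception there would escape the conditional-request path entirely. The `same_response = case` assignment starts inside the hunk, but the method containing it begins before it.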
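Review bot: Dropping `#{Time.now.httpdate}: ` from the STDERR message in the `@@ -270,7 +266,7` hunk removes the only timestamp these send errors carried, so unless STDERR is captured by a logger that adds its own, a failed file send can no longer be placed on a timeline next to the access log. If the objection was to the httpdate format rather than to the timestamp itself, keep one in another form, e.g. `STDERR.puts "#{Time.now}: Error sending file #{req_path}: #{details}"`. The `rescue` here belongs to a method that starts before the hunk, so its begin/ensure structure cannot be checked from this view.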