From 584819a270c8d25f2bc2a40ed508844949bd2eee Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Fri, 14 Aug 2015 21:18:20 +0000
Subject: extras/try_gzip_static: require readability on HEAD requests

Files may exist and be stat-able, but not readable. Return a 403 response for non-readable files.
---
 extras/try_gzip_static.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'extras')

diff --git a/extras/try_gzip_static.rb b/extras/try_gzip_static.rb
index d562957..4279e65 100644
--- a/extras/try_gzip_static.rb
+++ b/extras/try_gzip_static.rb
@@ -92,7 +92,9 @@ class TryGzipStatic
 path = fspath(env) or return r(403)
 begin
 st = File.stat(path)
- st.file? ? [ path, st ] : r(404)
+ return r(404) unless st.file?
+ return r(403) unless st.readable?
+ [ path, st ]
 rescue Errno::ENOENT, Errno::ENOTDIR
 r(404)
 rescue Errno::EACCES
--
cgit v1.2.3-24-ge0c7
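Review bot: The added `return r(403) unless st.readable?` guard is advisory, not an access decision, and the code should say so. `File::Stat#readable?` is evaluated from the stat snapshot against the process's effective uid/gid; as far as I know it does not consult ACLs or other access controls, and the file's mode can change before any later open. That is adequate for making a HEAD response agree with what a GET would most likely return, but whichever path actually opens the file still needs its own `Errno::EACCES` handling; that code is outside this hunk, so I cannot confirm it is there. I would add a comment above the guard such as `# best-effort mode-bit check so HEAD matches GET; the open path must still rescue Errno::EACCES`. The enclosing method starts and ends outside the hunk.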