ruby-cvs:22917
From: gotoyuzo ruby-lang.org
Date: Mon, 3 Mar 2008 23:32:04 +0900 (JST)
Subject: [ruby-cvs:22917] Ruby:r15677 (ruby_1_8): * lib/webrick/httpservlet/filehandler.rb: should normalize path
gotoyuzo 2008-03-03 23:32:03 +0900 (Mon, 03 Mar 2008)
New Revision: 15677
Modified files:
branches/ruby_1_8/ChangeLog
branches/ruby_1_8/lib/webrick/httpservlet/filehandler.rb
branches/ruby_1_8/test/webrick/test_filehandler.rb
Log:
* lib/webrick/httpservlet/filehandler.rb: should normalize path
separators in path_info to prevent directory traversal
attacks on DOSISH platforms.
reported by Digital Security Research Group [DSECRG-08-026].
* lib/webrick/httpservlet/filehandler.rb: pathnames which are
not to be published should be checked case-insensitively.
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/ChangeLog?r1=15677&r2=15676&diff_format=u
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/test/webrick/test_filehandler.rb?r1=15677&r2=15676&diff_format=u
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/lib/webrick/httpservlet/filehandler.rb?r1=15677&r2=15676&diff_format=u
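The two checks named in the log, as an added Ruby illustration that is not the code from r15677 or from WEBrick. The function names and the sample patterns are assumptions made for this example, and resolving ".." by hand is one possible way to reject paths that climb above the document root.

```ruby
# Added illustration; not the code from r15677. All names here are hypothetical.
NONDISCLOSURE = [".ht*", "*~"].freeze # constructed sample patterns

# A check that only splits on "/" never sees ".." in "..\\..\\file",
# although a DOSISH file system treats "\" as a separator too.
def slash_only_segments(path_info)
  path_info.split("/").reject(&:empty?)
end

# Map "\" to "/" first, then resolve "." and "..".
# Returns the cleaned segments, or nil if the path climbs above the root.
def normalize_path_info(path_info)
  segments = []
  path_info.tr("\\", "/").split("/").each do |seg|
    case seg
    when "", "."
      next
    when ".."
      return nil if segments.empty?
      segments.pop
    else
      segments << seg
    end
  end
  segments
end

# Case-insensitive match: ".HTACCESS" and ".htaccess" name the same file
# on a case-insensitive file system, so both must be refused.
def nondisclosure?(name)
  flags = File::FNM_CASEFOLD | File::FNM_DOTMATCH
  NONDISCLOSURE.any? { |pattern| File.fnmatch(pattern, name, flags) }
end

# True only if the path stays under the root and names no hidden file.
def servable?(path_info)
  segments = normalize_path_info(path_info)
  return false if segments.nil?
  segments.none? { |seg| nondisclosure?(seg) }
end
```
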