ruby-cvs:23693

gotoyuzo	2008-05-18 22:33:24 +0900 (Sun, 18 May 2008)

  New Revision: 16453

  Modified files:
    trunk/ChangeLog
    trunk/lib/webrick/httpservlet/abstract.rb
    trunk/lib/webrick/httpservlet/cgi_runner.rb
    trunk/lib/webrick/httpservlet/filehandler.rb
    trunk/test/webrick/test_cgi.rb
    trunk/test/webrick/test_filehandler.rb
    trunk/test/webrick/utils.rb

  Log:
    * lib/webrick/httpservlet/filehandler.rb: should normalize path
      name in path_info to prevent script disclosure vulnerability on
      DOSISH filesystems. (fix: CVE-2008-1891)
      Note: NTFS/FAT filesystem should not be published by the platforms
      other than Windows. Pathname interpretation (including short
      filename) is less than perfect.
    
    * lib/webrick/httpservlet/abstract.rb
      (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri):
      should escape the value of Location: header.
    
    * lib/webrick/httpservlet/cgi_runner.rb: accept interpreter
      command line arguments.


  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/test/webrick/test_cgi.rb?r1=16453&r2=16452&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/test/webrick/test_filehandler.rb?r1=16453&r2=16452&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ChangeLog?r1=16453&r2=16452&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/test/webrick/utils.rb?r1=16453&r2=16452&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/webrick/httpservlet/cgi_runner.rb?r1=16453&r2=16452&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/webrick/httpservlet/filehandler.rb?r1=16453&r2=16452&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/webrick/httpservlet/abstract.rb?r1=16453&r2=16452&diff_format=u