gotoyuzo	2008-05-18 22:33:57 +0900 (Sun, 18 May 2008)

  New Revision: 16454

  Modified files:
    branches/ruby_1_8/ChangeLog
    branches/ruby_1_8/lib/webrick/httpservlet/abstract.rb
    branches/ruby_1_8/lib/webrick/httpservlet/cgi_runner.rb
    branches/ruby_1_8/lib/webrick/httpservlet/filehandler.rb
    branches/ruby_1_8/test/webrick/test_cgi.rb
    branches/ruby_1_8/test/webrick/test_filehandler.rb
    branches/ruby_1_8/test/webrick/utils.rb

  Log:
    * lib/webrick/httpservlet/filehandler.rb: should normalize path
      name in path_info to prevent script disclosure vulnerability on
      DOSISH filesystems. (fix: CVE-2008-1891)
      Note: NTFS/FAT filesystem should not be published by the platforms
      other than Windows. Pathname interpretation (including short
      filename) is less than perfect.
    
    * lib/webrick/httpservlet/abstract.rb
      (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri):
      should escape the value of Location: header. 
    
    * lib/webrick/httpservlet/cgi_runner.rb: accept interpreter
      command line arguments.


  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/test/webrick/test_cgi.rb?r1=16454&r2=16453&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/ChangeLog?r1=16454&r2=16453&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/test/webrick/test_filehandler.rb?r1=16454&r2=16453&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/test/webrick/utils.rb?r1=16454&r2=16453&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/lib/webrick/httpservlet/abstract.rb?r1=16454&r2=16453&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/lib/webrick/httpservlet/filehandler.rb?r1=16454&r2=16453&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/lib/webrick/httpservlet/cgi_runner.rb?r1=16454&r2=16453&diff_format=u