* lib/webrick/httpservlet/filehandler.rb: should normalize path

separators in path_info to prevent directory traversal attacks on DOSISH platforms. reported by Digital Security Research Group [DSECRG-08-026]. * lib/webrick/httpservlet/filehandler.rb: pathnames which have not to be published should be checked case-insensitively. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@15676 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-03-03 14:31:30 +0000
committer: gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2008-03-03 14:31:30 +0000
commit: 10a0d4b61dd575be73c2e2b6223f1bf7d34c63ea (patch)
tree: d8dc28281572a27e3d7f438cfc9d2e4c1c107bdf /ChangeLog
parent: 7c9e815d940c0b8de7b4a212301c8b1cef62ae2d (diff)
download: ruby-10a0d4b61dd575be73c2e2b6223f1bf7d34c63ea.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index f92c516dbc..e1660f6b32 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+Mon Mar  3 23:28:37 2008  GOTOU Yuuzou  <gotoyuzo@notwork.org>
+
+	* lib/webrick/httpservlet/filehandler.rb: should normalize path
+	  separators in path_info to prevent directory traversal
+	  attacks on DOSISH platforms.
+	  reported by Digital Security Research Group [DSECRG-08-026].
+
+	* lib/webrick/httpservlet/filehandler.rb: pathnames which have
+	  not to be published should be checked case-insensitively.
+
 Mon Mar  3 17:25:45 2008  Yukihiro Matsumoto  <matz@ruby-lang.org>
 
 	* gc.c (add_heap): sort heaps array in ascending order to use
author	gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-03-03 14:31:30 +0000
committer	gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2008-03-03 14:31:30 +0000
commit	10a0d4b61dd575be73c2e2b6223f1bf7d34c63ea (patch)
tree	d8dc28281572a27e3d7f438cfc9d2e4c1c107bdf /ChangeLog
parent	7c9e815d940c0b8de7b4a212301c8b1cef62ae2d (diff)
download	ruby-10a0d4b61dd575be73c2e2b6223f1bf7d34c63ea.tar.gz