diff options
author | gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2008-05-18 13:33:24 +0000 |
---|---|---|
committer | gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2008-05-18 13:33:24 +0000 |
commit | 8ee3267d26b4f87a9797573caa3dafb28e6945ee (patch) | |
tree | ab207c998e2a68cf76acf734851bc00aa14d7d46 /lib/webrick/httpservlet/abstract.rb | |
parent | a0e236f6065e5dfd68ac8a45ad1ca690042d47b9 (diff) | |
download | ruby-8ee3267d26b4f87a9797573caa3dafb28e6945ee.tar.gz |
* lib/webrick/httpservlet/filehandler.rb: should normalize path
name in path_info to prevent script disclosure vulnerability on
DOSISH filesystems. (fix: CVE-2008-1891)
Note: NTFS/FAT filesystem should not be published by the platforms
other than Windows. Pathname interpretation (including short
filename) is less than perfect.
* lib/webrick/httpservlet/abstract.rb
(WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri):
should escape the value of Location: header.
* lib/webrick/httpservlet/cgi_runner.rb: accept interpreter
command line arguments.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@16453 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/webrick/httpservlet/abstract.rb')
-rw-r--r-- | lib/webrick/httpservlet/abstract.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/webrick/httpservlet/abstract.rb b/lib/webrick/httpservlet/abstract.rb index 03861e8fc7..5375c4622d 100644 --- a/lib/webrick/httpservlet/abstract.rb +++ b/lib/webrick/httpservlet/abstract.rb @@ -58,7 +58,7 @@ module WEBrick def redirect_to_directory_uri(req, res) if req.path[-1] != ?/ - location = req.path + "/" + location = WEBrick::HTTPUtils.escape_path(req.path + "/") if req.query_string && req.query_string.size > 0 location << "?" << req.query_string end |