-rw-r--r--ChangeLog6
-rw-r--r--lib/webrick/httpservlet/filehandler.rb8
2 files changed, 12 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 310d760e97..7696f91a5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Fri Jun 18 01:22:55 2010 Yusuke Endoh <mame@tsg.ne.jp>
+
+ * lib/webrick/httpservlet/filehandler.rb
+ (prevent_directory_traversal): apply filesystem encoding to path
+ only during calling File.expand_path. [ruby-dev:41423]
+
Thu Jun 17 23:20:14 2010 Yusuke Endoh <mame@tsg.ne.jp>
* load.c (rb_load_internal): remove call to rb_realpath_internal
diff --git a/lib/webrick/httpservlet/filehandler.rb b/lib/webrick/httpservlet/filehandler.rb
index 32c19651e7..daad8abd27 100644
--- a/lib/webrick/httpservlet/filehandler.rb
+++ b/lib/webrick/httpservlet/filehandler.rb
@@ -214,16 +214,20 @@ module WEBrick
# character in URI notation. So the value of path_info should be
# normalize before accessing to the filesystem.
+ # dirty hack for filesystem encoding; in nature, File.expand_path
+ # should not be used for path normalization. [Bug #3345]
+ path = req.path_info.dup.force_encoding(Encoding.find("filesystem"))
if trailing_pathsep?(req.path_info)
# File.expand_path removes the trailing path separator.
# Adding a character is a workaround to save it.
# File.expand_path("/aaa/") #=> "/aaa"
# File.expand_path("/aaa/" + "x") #=> "/aaa/x"
- expanded = File.expand_path(req.path_info + "x")
+ expanded = File.expand_path(path + "x")
expanded.chop! # remove trailing "x"
else
- expanded = File.expand_path(req.path_info)
+ expanded = File.expand_path(path)
end
+ expanded.force_encoding(req.path_info.encoding)
req.path_info = expanded
end
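Review bot: The force_encoding at the new line 31 only relabels the bytes of req.path_info; it does not check that they form a valid sequence in the filesystem encoding, so the behaviour of File.expand_path and of the character-based `chop!` on the next lines is not obviously well-defined for request paths carrying invalid bytes, and this function is the traversal guard for the file handler. Consider rejecting such input before normalization, e.g. `raise HTTPStatus::BadRequest unless path.valid_encoding?`, and stating the assumption in the comment at lines 29–30, something like `# assumes path_info's bytes are valid in the filesystem encoding; the relabel is not a transcode`. Since the comment already calls this a hack, it would also help to note there that the label is restored at line 44 so callers keep seeing path_info in its original encoding. `Encoding.find("filesystem")` could be computed once rather than per request, though that is a minor point. The enclosing prevent_directory_traversal method starts outside the hunk.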