From 4dacedf983257aef38a8ebedb2d9a9c8fead8238 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 5 Nov 2014 15:37:36 -0800 Subject: [PATCH] correctly escape backslashes in request path globs Conflicts: actionpack/lib/action_dispatch/middleware/static.rb make sure that unreadable files are also not leaked CVE-2014-7829 Conflicts: actionpack/lib/action_dispatch/middleware/static.rb --- .../lib/action_dispatch/middleware/static.rb | 6 ++-- actionpack/test/dispatch/static_test.rb | 41 ++++++++++++++++++++++ 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/actionpack/lib/action_dispatch/middleware/static.rb b/actionpack/lib/action_dispatch/middleware/static.rb index 4c46283..0276be3 100644 --- a/actionpack/lib/action_dispatch/middleware/static.rb +++ b/actionpack/lib/action_dispatch/middleware/static.rb @@ -15,7 +15,7 @@ module ActionDispatch paths = "#{full_path}#{ext}" matches = Dir[paths] - match = matches.detect { |m| File.file?(m) } + match = matches.detect { |m| File.file?(m) && File.readable?(m) } if match match.sub!(@compiled_root, '') ::Rack::Utils.escape(match) @@ -38,7 +38,8 @@ module ActionDispatch end def escape_glob_chars(path) - path.gsub(/[*?{}\[\]]/, "\\\\\\&") + path.force_encoding('binary') if path.respond_to? :force_encoding + path.gsub(/[*?{}\[\]\\]/, "\\\\\\&") end private @@ -46,6 +47,7 @@ module ActionDispatch PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact) def clean_path_info(path_info) + path_info.force_encoding('binary') if path_info.respond_to? :force_encoding parts = path_info.split PATH_SEPS clean = [] diff --git a/actionpack/test/dispatch/static_test.rb b/actionpack/test/dispatch/static_test.rb index f225b02..c5bb406 100644 --- a/actionpack/test/dispatch/static_test.rb +++ b/actionpack/test/dispatch/static_test.rb @@ -1,4 +1,5 @@ require 'abstract_unit' +require 'fileutils' require 'rbconfig' module StaticTests @@ -145,6 +146,46 @@ class StaticTest < ActiveSupport::TestCase include StaticTests + def test_custom_handler_called_when_file_is_not_readable + filename = 'unreadable.html.erb' + target = File.join(@root, filename) + FileUtils.touch target + File.chmod 0200, target + assert File.exist? target + assert !File.readable?(target) + path = "/#{filename}" + env = { + "REQUEST_METHOD"=>"GET", + "REQUEST_PATH"=> path, + "PATH_INFO"=> path, + "REQUEST_URI"=> path, + "HTTP_VERSION"=>"HTTP/1.1", + "SERVER_NAME"=>"localhost", + "SERVER_PORT"=>"8080", + "QUERY_STRING"=>"" + } + assert_equal(DummyApp.call(nil), @app.call(env)) + ensure + File.unlink target + end + + def test_custom_handler_called_when_file_is_outside_root_backslash + filename = 'shared.html.erb' + assert File.exist?(File.join(@root, '..', filename)) + path = "/%5C..%2F#{filename}" + env = { + "REQUEST_METHOD"=>"GET", + "REQUEST_PATH"=> path, + "PATH_INFO"=> path, + "REQUEST_URI"=> path, + "HTTP_VERSION"=>"HTTP/1.1", + "SERVER_NAME"=>"localhost", + "SERVER_PORT"=>"8080", + "QUERY_STRING"=>"" + } + assert_equal(DummyApp.call(nil), @app.call(env)) + end + def test_custom_handler_called_when_file_is_outside_root filename = 'shared.html.erb' assert File.exist?(File.join(@root, '..', filename)) -- 1.9.3 (Apple Git-50)