ruby-changes:16388
From: tarui <ko1@a...>
Date: Tue, 22 Jun 2010 01:35:01 +0900 (JST)
Subject: [ruby-changes:16388] Ruby:r28372 (ruby_1_9_2): merge from trunk (r28354)
tarui 2010-06-22 01:34:42 +0900 (Tue, 22 Jun 2010) New Revision: 28372 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=28372 Log: merge from trunk (r28354) * lib/webrick/httpservlet/filehandler.rb (prevent_directory_traversal): apply filesystem encoding to path only during calling File.expand_path. [ruby-dev:41423] Modified files: branches/ruby_1_9_2/ChangeLog branches/ruby_1_9_2/lib/webrick/httpservlet/filehandler.rb Index: ruby_1_9_2/ChangeLog =================================================================== --- ruby_1_9_2/ChangeLog (revision 28371) +++ ruby_1_9_2/ChangeLog (revision 28372) @@ -1,3 +1,9 @@ +Tue Jun 22 00:57:57 2010 Yusuke Endoh <mame@t...> + + * lib/webrick/httpservlet/filehandler.rb + (prevent_directory_traversal): apply filesystem encoding to path + only during calling File.expand_path. [ruby-dev:41423] + Mon Jun 21 23:41:08 2010 wanabe <s.wanabe@g...> * eval_error.c (error_print): clear raised_flag while error-printing Index: ruby_1_9_2/lib/webrick/httpservlet/filehandler.rb =================================================================== --- ruby_1_9_2/lib/webrick/httpservlet/filehandler.rb (revision 28371) +++ ruby_1_9_2/lib/webrick/httpservlet/filehandler.rb (revision 28372) 
@@ -214,16 +214,20 @@ # character in URI notation. So the value of path_info should be # normalize before accessing to the filesystem. + # dirty hack for filesystem encoding; in nature, File.expand_path + # should not be used for path normalization. [Bug #3345] + path = req.path_info.dup.force_encoding(Encoding.find("filesystem")) if trailing_pathsep?(req.path_info) # File.expand_path removes the trailing path separator. # Adding a character is a workaround to save it. # File.expand_path("/aaa/") #=> "/aaa" # File.expand_path("/aaa/" + "x") #=> "/aaa/x" - expanded = File.expand_path(req.path_info + "x") + expanded = File.expand_path(path + "x") expanded.chop! # remove trailing "x" else - expanded = File.expand_path(req.path_info) + expanded = File.expand_path(path) end + expanded.force_encoding(req.path_info.encoding) req.path_info = expanded end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
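Review bot: The ChangeLog entry cites only [ruby-dev:41423], while the comment added in filehandler.rb cites [Bug #3345]. List both references in the entry so the change can be traced from either one.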
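Review bot: In the filehandler.rb hunk, the added line path = req.path_info.dup.force_encoding(Encoding.find("filesystem")) only relabels the bytes, and expanded.force_encoding(req.path_info.encoding) relabels the result back, so nothing checks that the string handed to File.expand_path is valid in either encoding. The surrounding comment says path_info is normalized here before the filesystem is accessed, so a check such as path.valid_encoding? before expanding would make the behaviour on malformed input explicit rather than dependent on File.expand_path. The patch also adds no test; a case with a non-ASCII path_info, once with and once without a trailing separator, would cover both branches of the trailing_pathsep? conditional. Since the new comment itself calls this a dirty hack and says File.expand_path should not be used for normalization, a TODO naming the intended replacement would help whoever picks up Bug #3345.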