ruby-changes:4187
From: ko1@a...
Date: Mon, 3 Mar 2008 23:32:31 +0900 (JST)
Subject: [ruby-changes:4187] gotoyuzo - Ruby:r15677 (ruby_1_8): * lib/webrick/httpservlet/filehandler.rb: should normalize path
gotoyuzo 2008-03-03 23:32:03 +0900 (Mon, 03 Mar 2008) New Revision: 15677 Modified files: branches/ruby_1_8/ChangeLog branches/ruby_1_8/lib/webrick/httpservlet/filehandler.rb branches/ruby_1_8/test/webrick/test_filehandler.rb Log: * lib/webrick/httpservlet/filehandler.rb: should normalize path separators in path_info to prevent directory traversal attacks on DOSISH platforms. reported by Digital Security Research Group [DSECRG-08-026]. * lib/webrick/httpservlet/filehandler.rb: pathnames which have not to be published should be checked case-insensitively. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/ChangeLog?r1=15677&r2=15676&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/test/webrick/test_filehandler.rb?r1=15677&r2=15676&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8/lib/webrick/httpservlet/filehandler.rb?r1=15677&r2=15676&diff_format=u Index: ruby_1_8/ChangeLog =================================================================== --- ruby_1_8/ChangeLog (revision 15676) +++ ruby_1_8/ChangeLog (revision 15677) @@ -1,3 +1,13 @@ +Mon Mar 3 23:28:34 2008 GOTOU Yuuzou <gotoyuzo@n...> + + * lib/webrick/httpservlet/filehandler.rb: should normalize path + separators in path_info to prevent directory traversal attacks + on DOSISH platforms. + reported by Digital Security Research Group [DSECRG-08-026]. + + * lib/webrick/httpservlet/filehandler.rb: pathnames which have + not to be published should be checked case-insensitively. + Mon Mar 3 16:14:24 2008 Nobuyoshi Nakada <nobu@r...> * hash.c (rb_any_hash): shrinks all results in Fixnum range. Index: ruby_1_8/lib/webrick/httpservlet/filehandler.rb =================================================================== --- ruby_1_8/lib/webrick/httpservlet/filehandler.rb (revision 15676) +++ ruby_1_8/lib/webrick/httpservlet/filehandler.rb (revision 15677) @@ -163,6 +163,7 @@ end end end + prevent_directory_traversal(req, res) super(req, res) end @@ -198,6 +199,22 @@ private + def prevent_directory_traversal(req, res) + # Preventing directory traversal on DOSISH platforms; + # Backslashes (0x5c) in path_info are not interpreted as special + # character in URI notation. So the value of path_info should be + # normalize before accessing to the filesystem. + if File::ALT_SEPARATOR + # File.expand_path removes the trailing path separator. + # Adding a character is a workaround to save it. + # File.expand_path("/aaa/") #=> "/aaa" + # File.expand_path("/aaa/" + "x") #=> "/aaa/x" + expanded = File.expand_path(req.path_info + "x") + expanded[-1, 1] = "" # remove trailing "x" + req.path_info = expanded + end + end + def exec_handler(req, res) raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root if set_filename(req, res) @@ -256,7 +273,7 @@ def check_filename(req, res, name) @options[:NondisclosureName].each{|pattern| - if File.fnmatch("/#{pattern}", name) + if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD) @logger.warn("the request refers nondisclosure name `#{name}'.") raise HTTPStatus::NotFound, "`#{req.path}' not found." end @@ -310,7 +327,7 @@ def nondisclosure_name?(name) @options[:NondisclosureName].each{|pattern| - if File.fnmatch(pattern, name) + if File.fnmatch(pattern, name, File::FNM_CASEFOLD) return true end } Index: ruby_1_8/test/webrick/test_filehandler.rb =================================================================== --- ruby_1_8/test/webrick/test_filehandler.rb (revision 15676) +++ ruby_1_8/test/webrick/test_filehandler.rb (revision 15677) @@ -1,6 +1,7 @@ require "test/unit" require "webrick" require "stringio" +require File.join(File.dirname(__FILE__), "utils.rb") class WEBrick::TestFileHandler < Test::Unit::TestCase def default_file_handler(filename) @@ -62,4 +63,62 @@ res = make_range_response(filename, "bytes=0-0, -2") assert_match(%r{^multipart/byteranges}, res["content-type"]) end + + def test_filehandler + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + req = Net::HTTP::Get.new("/") + http.request(req){|res| + assert_equal("200", res.code) + assert_equal("text/html", res.content_type) + assert_match(/HREF="#{this_file}"/, res.body) + } + req = Net::HTTP::Get.new("/#{this_file}") + http.request(req){|res| + assert_equal("200", res.code) + assert_equal("text/plain", res.content_type) + assert_equal(File.read(__FILE__), res.body) + } + end + end + + def test_non_disclosure_name + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + doc_root_opts = server[:DocumentRootOptions] + doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*) + req = Net::HTTP::Get.new("/") + http.request(req){|res| + assert_equal("200", res.code) + assert_equal("text/html", res.content_type) + assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body) + } + req = Net::HTTP::Get.new("/#{this_file}") + http.request(req){|res| + assert_equal("404", res.code) + } + doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*) + http.request(req){|res| + assert_equal("404", res.code) + } + end + end + + def test_directory_traversal + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + req = Net::HTTP::Get.new("/../../") + http.request(req){|res| assert_equal("400", res.code) } + req = Net::HTTP::Get.new( + "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini" + ) + http.request(req){|res| assert_equal("404", res.code) } + end + end end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/