[前][次][番号順一覧][スレッド一覧]

ruby-changes:4189

From: ko1@a...
Date: Mon, 3 Mar 2008 23:36:28 +0900 (JST)
Subject: [ruby-changes:4189] shyouhei - Ruby:r15678 (ruby_1_8_6): merge revision(s) 15677:

shyouhei	2008-03-03 23:36:04 +0900 (Mon, 03 Mar 2008)

  New Revision: 15678

  Modified files:
    branches/ruby_1_8_6/ChangeLog
    branches/ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb
    branches/ruby_1_8_6/test/webrick/test_filehandler.rb
    branches/ruby_1_8_6/version.h

  Log:
    merge revision(s) 15677:
    * lib/webrick/httpservlet/filehandler.rb: should normalize path
      separators in path_info to prevent directory traversal attacks
      on DOSISH platforms.
      reported by Digital Security Research Group [DSECRG-08-026].
    * lib/webrick/httpservlet/filehandler.rb: pathnames which have
      not to be published should be checked case-insensitively.


  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/ChangeLog?r1=15678&r2=15677&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/version.h?r1=15678&r2=15677&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/test/webrick/test_filehandler.rb?r1=15678&r2=15677&diff_format=u
  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb?r1=15678&r2=15677&diff_format=u

Index: ruby_1_8_6/ChangeLog
===================================================================
--- ruby_1_8_6/ChangeLog	(revision 15677)
+++ ruby_1_8_6/ChangeLog	(revision 15678)
@@ -1,3 +1,13 @@
+Mon Mar  3 23:34:13 2008  GOTOU Yuuzou  <gotoyuzo@n...>
+
+	* lib/webrick/httpservlet/filehandler.rb: should normalize path
+	  separators in path_info to prevent directory traversal attacks
+	  on DOSISH platforms.
+	  reported by Digital Security Research Group [DSECRG-08-026].
+
+	* lib/webrick/httpservlet/filehandler.rb: pathnames which have
+	  not to be published should be checked case-insensitively.
+
 Mon Dec  3 08:13:52 2007  Kouhei Sutou  <kou@c...>
 
 	* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,
Index: ruby_1_8_6/version.h
===================================================================
--- ruby_1_8_6/version.h	(revision 15677)
+++ ruby_1_8_6/version.h	(revision 15678)
@@ -1,14 +1,14 @@
 #define RUBY_VERSION "1.8.6"
-#define RUBY_RELEASE_DATE "2007-12-03"
+#define RUBY_RELEASE_DATE "2008-03-03"
 #define RUBY_VERSION_CODE 186
-#define RUBY_RELEASE_CODE 20071203
-#define RUBY_PATCHLEVEL 113
+#define RUBY_RELEASE_CODE 20080303
+#define RUBY_PATCHLEVEL 114
 
 #define RUBY_VERSION_MAJOR 1
 #define RUBY_VERSION_MINOR 8
 #define RUBY_VERSION_TEENY 6
-#define RUBY_RELEASE_YEAR 2007
-#define RUBY_RELEASE_MONTH 12
+#define RUBY_RELEASE_YEAR 2008
+#define RUBY_RELEASE_MONTH 3
 #define RUBY_RELEASE_DAY 3
 
 #ifdef RUBY_EXTERN
Index: ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb
===================================================================
--- ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb	(revision 15677)
+++ ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb	(revision 15678)
@@ -163,6 +163,7 @@
             end
           end
         end
+        prevent_directory_traversal(req, res)
         super(req, res)
       end
 
@@ -198,6 +199,22 @@
 
       private
 
+      def prevent_directory_traversal(req, res)
+        # Preventing directory traversal on DOSISH platforms;
+        # Backslashes (0x5c) in path_info are not interpreted as special
+        # character in URI notation. So the value of path_info should be
+        # normalize before accessing to the filesystem.
+        if File::ALT_SEPARATOR
+          # File.expand_path removes the trailing path separator.
+          # Adding a character is a workaround to save it.
+          #  File.expand_path("/aaa/")        #=> "/aaa"
+          #  File.expand_path("/aaa/" + "x")  #=> "/aaa/x"
+          expanded = File.expand_path(req.path_info + "x")
+          expanded[-1, 1] = ""  # remove trailing "x"
+          req.path_info = expanded
+        end
+      end
+
       def exec_handler(req, res)
         raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root
         if set_filename(req, res)
@@ -256,7 +273,7 @@
 
       def check_filename(req, res, name)
         @options[:NondisclosureName].each{|pattern|
-          if File.fnmatch("/#{pattern}", name)
+          if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD)
             @logger.warn("the request refers nondisclosure name `#{name}'.")
             raise HTTPStatus::NotFound, "`#{req.path}' not found."
           end
@@ -310,7 +327,7 @@
 
       def nondisclosure_name?(name)
         @options[:NondisclosureName].each{|pattern|
-          if File.fnmatch(pattern, name)
+          if File.fnmatch(pattern, name, File::FNM_CASEFOLD)
             return true
           end
         }
Index: ruby_1_8_6/test/webrick/test_filehandler.rb
===================================================================
--- ruby_1_8_6/test/webrick/test_filehandler.rb	(revision 15677)
+++ ruby_1_8_6/test/webrick/test_filehandler.rb	(revision 15678)
@@ -1,6 +1,7 @@
 require "test/unit"
 require "webrick"
 require "stringio"
+require File.join(File.dirname(__FILE__), "utils.rb")
 
 class WEBrick::TestFileHandler < Test::Unit::TestCase
   def default_file_handler(filename)
@@ -62,4 +63,62 @@
     res = make_range_response(filename, "bytes=0-0, -2")
     assert_match(%r{^multipart/byteranges}, res["content-type"])
   end
+
+  def test_filehandler
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/html", res.content_type)
+        assert_match(/HREF="#{this_file}"/, res.body)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/plain", res.content_type)
+        assert_equal(File.read(__FILE__), res.body)
+      }
+    end
+  end
+
+  def test_non_disclosure_name
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      doc_root_opts = server[:DocumentRootOptions]
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ test_*)
+      req = Net::HTTP::Get.new("/")
+      http.request(req){|res|
+        assert_equal("200", res.code)
+        assert_equal("text/html", res.content_type)
+        assert_no_match(/HREF="#{File.basename(__FILE__)}"/, res.body)
+      }
+      req = Net::HTTP::Get.new("/#{this_file}")
+      http.request(req){|res|
+        assert_equal("404", res.code)
+      }
+      doc_root_opts[:NondisclosureName] = %w(.ht* *~ TEST_*)
+      http.request(req){|res|
+        assert_equal("404", res.code)
+      }
+    end
+  end
+
+  def test_directory_traversal
+    config = { :DocumentRoot => File.dirname(__FILE__), }
+    this_file = File.basename(__FILE__)
+    TestWEBrick.start_httpserver(config) do |server, addr, port|
+      http = Net::HTTP.new(addr, port)
+      req = Net::HTTP::Get.new("/../../")
+      http.request(req){|res| assert_equal("400", res.code) }
+      req = Net::HTTP::Get.new(
+        "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini"
+      )
+      http.request(req){|res| assert_equal("404", res.code) }
+    end
+  end
 end

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]