ruby-changes:49286
From: normal <ko1@a...>
Date: Fri, 22 Dec 2017 10:33:06 +0900 (JST)
Subject: [ruby-changes:49286] normal:r61401 (trunk): webrick/httpservlet/*handler: use File.open
normal 2017-12-22 10:08:00 +0900 (Fri, 22 Dec 2017) New Revision: 61401 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=61401 Log: webrick/httpservlet/*handler: use File.open This makes future code audits easier. None of these changes fix realistic remote code execution vulnerabilities because we stat(2) before attempting Kernel#open. * lib/webrick/httpservlet/erbhandler.rb (do_GET): use File.open * lib/webrick/httpservlet/filehandler.rb (do_GET): use File.open (make_partial_content): ditto [Misc #14216] Modified files: trunk/lib/webrick/httpservlet/erbhandler.rb trunk/lib/webrick/httpservlet/filehandler.rb Index: lib/webrick/httpservlet/filehandler.rb =================================================================== --- lib/webrick/httpservlet/filehandler.rb (revision 61400) +++ lib/webrick/httpservlet/filehandler.rb (revision 61401) @@ -57,7 +57,7 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/lib/webrick/httpservlet/filehandler.rb#L57 res['content-type'] = mtype res['content-length'] = st.size res['last-modified'] = mtime.httpdate - res.body = open(@local_path, "rb") + res.body = File.open(@local_path, "rb") end end @@ -92,7 +92,7 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/lib/webrick/httpservlet/filehandler.rb#L92 raise HTTPStatus::BadRequest, "Unrecognized range-spec: \"#{req['range']}\"" end - open(filename, "rb"){|io| + File.open(filename, "rb"){|io| if ranges.size > 1 time = Time.now boundary = "#{time.sec}_#{time.usec}_#{Process::pid}" Index: lib/webrick/httpservlet/erbhandler.rb =================================================================== --- lib/webrick/httpservlet/erbhandler.rb (revision 61400) +++ lib/webrick/httpservlet/erbhandler.rb (revision 61401) 
@@ -53,7 +53,7 @@ module WEBrick https://github.com/ruby/ruby/blob/trunk/lib/webrick/httpservlet/erbhandler.rb#L53 raise HTTPStatus::Forbidden, "ERBHandler cannot work." end begin - data = open(@script_filename){|io| io.read } + data = File.open(@script_filename, &:read) res.body = evaluate(ERB.new(data), req, res) res['content-type'] ||= HTTPUtils::mime_type(@script_filename, @config[:MimeTypes]) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
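Review bot: in the first filehandler.rb hunk (do_GET, line 57) `res.body = File.open(@local_path, "rb")` assigns an open IO without a block, so nothing in this hunk closes the handle; the change itself is correct, but it relies on the response layer closing the body IO once it has been sent, and a short comment such as `# closed by HTTPResponse after send_body` would keep that contract visible to the next auditor. The move from Kernel#open to File.open is the right call here: File.open never interprets a leading `|` as a command, so the path can only name a file, independently of the File.stat that precedes it.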
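Review bot: in the make_partial_content hunk (filehandler.rb line 92) `File.open(filename, "rb"){|io|` keeps the block form, so the handle is closed on every exit path, which is the tidier of the two patterns in this patch. The commit log says every open is preceded by a stat(2), but no stat is in the context shown for this method; since `filename` arrives as an argument, a one-line note at the top of the method (or in the log) stating that callers pass an already-stat'd path would let an auditor confirm the claim without tracing the call site. Unrelated to this change but visible in the context, `boundary = "#{time.sec}_#{time.usec}_#{Process::pid}"` builds the multipart boundary from predictable values; a random string (SecureRandom.hex, for instance) is the usual choice so the boundary cannot collide with bytes in the file being served.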
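Review bot: in the erbhandler.rb hunk (line 53) `data = File.open(@script_filename, &:read)` is equivalent to the removed `open(@script_filename){|io| io.read }` and still closes the file, so the behaviour is unchanged; two small points remain. This open uses the default text mode while both filehandler.rb hunks pass "rb": that is reasonable for ERB source that should be read in the default external encoding, but a comment saying so would stop a later "harmonising" change. Also, the only guard in the visible context is `raise HTTPStatus::Forbidden, "ERBHandler cannot work."`; if the stat(2) the commit log relies on happens in the constructor, say so there so the audit trail the log aims for is complete.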
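The commit log's rationale in working form, as an added example that is not WEBrick's code: a handler-style read that stats first and then uses File.open (so a pipe-prefixed name is only ever a missing file), plus a small audit helper that flags bare `open(` calls, the calls that resolve to Kernel#open, in Ruby source text. The names read_static_file and find_bare_open are my own, and the sample source lines fed to the scanner are constructed from the before/after lines of this commit.

```ruby
require 'tmpdir'

# Added example, not WEBrick's code. Two helpers that illustrate the commit's
# rationale: (1) serve a file by stat'ing first and then using File.open,
# which names a file and nothing else; (2) an audit helper that flags bare
# `open(` calls (Kernel#open) in Ruby source so a reviewer can inspect them.
# The names read_static_file and find_bare_open are hypothetical.

# Read a file the way the patched handlers do: File.stat runs first (a
# missing file raises Errno::ENOENT, as it does for a name like "|true"),
# then File.open with an explicit block so the handle is always closed.
def read_static_file(path)
  st = File.stat(path)
  raise ArgumentError, "#{path} is not a regular file" unless st.file?
  File.open(path, "rb") { |io| io.read }
end

# Match `open(` / `open ` with no receiver in front of it, i.e. a call that
# resolves to Kernel#open. `File.open`, `IO.open`, `Dir::open` and `reopen(`
# do not match. Returns [[line_number, stripped_line], ...].
BARE_OPEN = /(?<![\w.:])open\s*[(\s]/
def find_bare_open(source)
  source.each_line.with_index(1)
        .select { |line, _n| line.match?(BARE_OPEN) }
        .map { |line, n| [n, line.strip] }
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    html = File.join(dir, "index.html")
    File.write(html, "<h1>hello</h1>\n")
    puts read_static_file(html)
    begin
      read_static_file(File.join(dir, "|true"))  # pipe-prefixed name: just a missing file
    rescue Errno::ENOENT => e
      puts "rejected: #{e.message}"
    end
  end

  # Constructed sample: the before/after lines from this commit.
  sample = <<~RUBY
    res.body = open(@local_path, "rb")
    res.body = File.open(@local_path, "rb")
    data = open(@script_filename){|io| io.read }
    data = File.open(@script_filename, &:read)
  RUBY
  find_bare_open(sample).each { |n, line| puts "line #{n}: #{line}" }
end
```

Running the script prints the served file, the ENOENT rejection for the pipe-prefixed name, and lines 1 and 3 of the sample (the two pre-patch `open(` calls); the receiver-qualified `File.open` lines are not reported, which is exactly the property the commit log describes as making future audits easier.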