ruby-changes:5002
From: ko1@a...
Date: Wed, 21 May 2008 01:35:56 +0900 (JST)
Subject: [ruby-changes:5002] gotoyuzo - Ruby:r16495 (ruby_1_8_6, ruby_1_8_5): * lib/webrick/httpservlet/filehandler.rb: should normalize path
gotoyuzo 2008-05-21 01:35:25 +0900 (Wed, 21 May 2008) New Revision: 16495 Added files: branches/ruby_1_8_5/test/webrick/.htaccess branches/ruby_1_8_5/test/webrick/webrick_long_filename.cgi branches/ruby_1_8_6/test/webrick/.htaccess branches/ruby_1_8_6/test/webrick/webrick_long_filename.cgi Modified files: branches/ruby_1_8_5/ChangeLog branches/ruby_1_8_5/lib/webrick/httpservlet/abstract.rb branches/ruby_1_8_5/lib/webrick/httpservlet/cgi_runner.rb branches/ruby_1_8_5/lib/webrick/httpservlet/filehandler.rb branches/ruby_1_8_5/test/webrick/test_cgi.rb branches/ruby_1_8_5/test/webrick/test_filehandler.rb branches/ruby_1_8_5/test/webrick/utils.rb branches/ruby_1_8_5/version.h branches/ruby_1_8_6/ChangeLog branches/ruby_1_8_6/lib/webrick/httpservlet/abstract.rb branches/ruby_1_8_6/lib/webrick/httpservlet/cgi_runner.rb branches/ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb branches/ruby_1_8_6/test/webrick/test_cgi.rb branches/ruby_1_8_6/test/webrick/test_filehandler.rb branches/ruby_1_8_6/test/webrick/utils.rb branches/ruby_1_8_6/version.h Log: * lib/webrick/httpservlet/filehandler.rb: should normalize path name in path_info to prevent script disclosure vulnerability on DOSISH filesystems. (fix: CVE-2008-1891) Note: NTFS/FAT filesystem should not be published by the platforms other than Windows. Pathname interpretation (including short filename) is less than perfect. * lib/webrick/httpservlet/abstract.rb (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri): should escape the value of Location: header. * lib/webrick/httpservlet/cgi_runner.rb: accept interpreter command line arguments. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/test/webrick/utils.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/ChangeLog?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/lib/webrick/httpservlet/cgi_runner.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/version.h?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/lib/webrick/httpservlet/cgi_runner.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/test/webrick/.htaccess?revision=16495&view=markup http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/test/webrick/test_filehandler.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/test/webrick/webrick_long_filename.cgi?revision=16495&view=markup http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/test/webrick/webrick_long_filename.cgi?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/test/webrick/test_cgi.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/test/webrick/test_filehandler.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/test/webrick/utils.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/test/webrick/test_cgi.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/version.h?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/lib/webrick/httpservlet/filehandler.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/test/webrick/.htaccess?revision=16495&view=markup http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/lib/webrick/httpservlet/abstract.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/lib/webrick/httpservlet/abstract.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/ChangeLog?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb?r1=16495&r2=16494&diff_format=u http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/test/webrick/webrick_long_filename.cgi?revision=16495&view=markup http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/branches/ruby_1_8_5/test/webrick/webrick_long_filename.cgi?r1=16495&r2=16494&diff_format=u Index: ruby_1_8_5/ChangeLog =================================================================== --- ruby_1_8_5/ChangeLog (revision 16494) +++ ruby_1_8_5/ChangeLog (revision 16495) @@ -1,3 +1,19 @@ +Wed May 21 01:32:56 2008 GOTOU Yuuzou <gotoyuzo@n...> + + * lib/webrick/httpservlet/filehandler.rb: should normalize path + name in path_info to prevent script disclosure vulnerability on + DOSISH filesystems. (fix: CVE-2008-1891) + Note: NTFS/FAT filesystem should not be published by the platforms + other than Windows. Pathname interpretation (including short + filename) is less than perfect. + + * lib/webrick/httpservlet/abstract.rb + (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri): + should escape the value of Location: header. + + * lib/webrick/httpservlet/cgi_runner.rb: accept interpreter + command line arguments. + Sun May 18 01:57:44 2008 Nobuyoshi Nakada <nobu@r...> * file.c (isdirsep): backslash is valid path separator on cygwin too. Index: ruby_1_8_5/version.h =================================================================== --- ruby_1_8_5/version.h (revision 16494) +++ ruby_1_8_5/version.h (revision 16495) @@ -2,14 +2,14 @@ #define RUBY_RELEASE_DATE "2008-05-18" #define RUBY_VERSION_CODE 185 #define RUBY_RELEASE_CODE 20080518 -#define RUBY_PATCHLEVEL 119 +#define RUBY_PATCHLEVEL 120 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 #define RUBY_VERSION_TEENY 5 #define RUBY_RELEASE_YEAR 2008 #define RUBY_RELEASE_MONTH 5 -#define RUBY_RELEASE_DAY 18 +#define RUBY_RELEASE_DAY 21 #ifdef RUBY_EXTERN RUBY_EXTERN const char ruby_version[]; Index: ruby_1_8_5/lib/webrick/httpservlet/filehandler.rb =================================================================== --- ruby_1_8_5/lib/webrick/httpservlet/filehandler.rb (revision 16494) +++ ruby_1_8_5/lib/webrick/httpservlet/filehandler.rb (revision 16495) @@ -199,26 +199,38 @@ private + def trailing_pathsep?(path) + # check for trailing path separator: + # File.dirname("/aaaa/bbbb/") #=> "/aaaa") + # File.dirname("/aaaa/bbbb/x") #=> "/aaaa/bbbb") + # File.dirname("/aaaa/bbbb") #=> "/aaaa") + # File.dirname("/aaaa/bbbbx") #=> "/aaaa") + return File.dirname(path) != File.dirname(path+"x") + end + def prevent_directory_traversal(req, res) - # Preventing directory traversal on DOSISH platforms; + # Preventing directory traversal on Windows platforms; # Backslashes (0x5c) in path_info are not interpreted as special # character in URI notation. So the value of path_info should be # normalize before accessing to the filesystem. - if File::ALT_SEPARATOR + + if trailing_pathsep?(req.path_info) # File.expand_path removes the trailing path separator. # Adding a character is a workaround to save it. # File.expand_path("/aaa/") #=> "/aaa" # File.expand_path("/aaa/" + "x") #=> "/aaa/x" expanded = File.expand_path(req.path_info + "x") - expanded[-1, 1] = "" # remove trailing "x" - req.path_info = expanded + expanded.chop! # remove trailing "x" + else + expanded = File.expand_path(req.path_info) end + req.path_info = expanded end def exec_handler(req, res) raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root if set_filename(req, res) - handler = get_handler(req) + handler = get_handler(req, res) call_callback(:HandlerCallback, req, res) h = handler.get_instance(@config, res.filename) h.service(req, res) @@ -228,9 +240,13 @@ return false end - def get_handler(req) - suffix1 = (/\.(\w+)$/ =~ req.script_name) && $1.downcase - suffix2 = (/\.(\w+)\.[\w\-]+$/ =~ req.script_name) && $1.downcase + def get_handler(req, res) + suffix1 = (/\.(\w+)\z/ =~ res.filename) && $1.downcase + if /\.(\w+)\.([\w\-]+)\z/ =~ res.filename + if @options[:AcceptableLanguages].include?($2.downcase) + suffix2 = $1.downcase + end + end handler_table = @options[:HandlerTable] return handler_table[suffix1] || handler_table[suffix2] || HandlerTable[suffix1] || HandlerTable[suffix2] || @@ -243,15 +259,13 @@ path_info.unshift("") # dummy for checking @root dir while base = path_info.first - check_filename(req, res, base) break if base == "/" - break unless File.directory?(res.filename + base) + break unless File.directory?(File.expand_path(res.filename + base)) shift_path_info(req, res, path_info) call_callback(:DirectoryCallback, req, res) end if base = path_info.first - check_filename(req, res, base) if base == "/" if file = search_index_file(req, res) shift_path_info(req, res, path_info, file) @@ -272,12 +286,10 @@ end def check_filename(req, res, name) - @options[:NondisclosureName].each{|pattern| - if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD) - @logger.warn("the request refers nondisclosure name `#{name}'.") - raise HTTPStatus::NotFound, "`#{req.path}' not found." - end - } + if nondisclosure_name?(name) || windows_ambiguous_name?(name) + @logger.warn("the request refers nondisclosure name `#{name}'.") + raise HTTPStatus::NotFound, "`#{req.path}' not found." + end end def shift_path_info(req, res, path_info, base=nil) @@ -285,7 +297,8 @@ base = base || tmp req.path_info = path_info.join req.script_name << base - res.filename << base + res.filename = File.expand_path(res.filename + base) + check_filename(req, res, File.basename(res.filename)) end def search_index_file(req, res) @@ -325,6 +338,12 @@ end end + def windows_ambiguous_name?(name) + return true if /[. ]+\z/ =~ name + return true if /::\$DATA\z/ =~ name + return false + end + def nondisclosure_name?(name) @options[:NondisclosureName].each{|pattern| if File.fnmatch(pattern, name, File::FNM_CASEFOLD) @@ -343,7 +362,8 @@ list = Dir::entries(local_path).collect{|name| next if name == "." || name == ".." next if nondisclosure_name?(name) - st = (File::stat(local_path + name) rescue nil) + next if windows_ambiguous_name?(name) + st = (File::stat(File.join(local_path, name)) rescue nil) if st.nil? [ name, nil, -1 ] elsif st.directory? @@ -383,7 +403,7 @@ res.body << "<A HREF=\"?S=#{d1}\">Size</A>\n" res.body << "<HR>\n" - list.unshift [ "..", File::mtime(local_path+".."), -1 ] + list.unshift [ "..", File::mtime(local_path+"/.."), -1 ] list.each{ |name, time, size| if name == ".." dname = "Parent Directory" Index: ruby_1_8_5/lib/webrick/httpservlet/abstract.rb =================================================================== --- ruby_1_8_5/lib/webrick/httpservlet/abstract.rb (revision 16494) +++ ruby_1_8_5/lib/webrick/httpservlet/abstract.rb (revision 16495) @@ -58,7 +58,7 @@ def redirect_to_directory_uri(req, res) if req.path[-1] != ?/ - location = req.path + "/" + location = WEBrick::HTTPUtils.escape_path(req.path + "/") if req.query_string && req.query_string.size > 0 location << "?" << req.query_string end Index: ruby_1_8_5/lib/webrick/httpservlet/cgi_runner.rb =================================================================== --- ruby_1_8_5/lib/webrick/httpservlet/cgi_runner.rb (revision 16494) +++ ruby_1_8_5/lib/webrick/httpservlet/cgi_runner.rb (revision 16495) @@ -39,7 +39,9 @@ Dir::chdir dir if interpreter = ARGV[0] - exec(interpreter, ENV["SCRIPT_FILENAME"]) + argv = ARGV.dup + argv << ENV["SCRIPT_FILENAME"] + exec(*argv) # NOTREACHED end exec ENV["SCRIPT_FILENAME"] Index: ruby_1_8_5/test/webrick/utils.rb =================================================================== --- ruby_1_8_5/test/webrick/utils.rb (revision 16494) +++ ruby_1_8_5/test/webrick/utils.rb (revision 16495) @@ -1,3 +1,10 @@ +begin + loadpath = $:.dup + $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))]) + require 'envutil' +ensure + $:.replace(loadpath) +end require "webrick" begin require "webrick/https" @@ -12,6 +19,11 @@ return self end + RubyBin = "\"#{EnvUtil.rubybin}\"" + RubyBin << " \"-I#{File.expand_path("../..", File.dirname(__FILE__))}/lib\"" + RubyBin << " \"-I#{File.dirname(EnvUtil.rubybin)}/.ext/common\"" + RubyBin << " \"-I#{File.dirname(EnvUtil.rubybin)}/.ext/#{RUBY_PLATFORM}\"" + module_function def start_server(klass, config={}, &block) Index: ruby_1_8_5/test/webrick/test_cgi.rb =================================================================== --- ruby_1_8_5/test/webrick/test_cgi.rb (revision 16494) +++ ruby_1_8_5/test/webrick/test_cgi.rb (revision 16495) @@ -1,20 +1,13 @@ require "webrick" require File.join(File.dirname(__FILE__), "utils.rb") require "test/unit" -begin - loadpath = $:.dup - $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))]) - require 'envutil' -ensure - $:.replace(loadpath) -end class TestWEBrickCGI < Test::Unit::TestCase def test_cgi accepted = started = stopped = 0 requested0 = requested1 = 0 config = { - :CGIInterpreter => EnvUtil.rubybin, + :CGIInterpreter => TestWEBrick::RubyBin, :DocumentRoot => File.dirname(__FILE__), :DirectoryIndex => ["webrick.cgi"], } Index: ruby_1_8_5/test/webrick/webrick_long_filename.cgi =================================================================== --- ruby_1_8_5/test/webrick/webrick_long_filename.cgi (revision 0) +++ ruby_1_8_5/test/webrick/webrick_long_filename.cgi (revision 16495) @@ -0,0 +1,36 @@ +#!ruby -d +require "webrick/cgi" + +class TestApp < WEBrick::CGI + def do_GET(req, res) + res["content-type"] = "text/plain" + if (p = req.path_info) && p.length > 0 + res.body = p + elsif (q = req.query).size > 0 + res.body = q.keys.sort.collect{|key| + q[key].list.sort.collect{|v| + "#{key}=#{v}" + }.join(", ") + }.join(", ") + elsif %r{/$} =~ req.request_uri.to_s + res.body = "" + res.body << req.request_uri.to_s << "\n" + res.body << req.script_name + elsif !req.cookies.empty? + res.body = req.cookies.inject(""){|result, cookie| + result << "%s=%s\n" % [cookie.name, cookie.value] + } + res.cookies << WEBrick::Cookie.new("Customer", "WILE_E_COYOTE") + res.cookies << WEBrick::Cookie.new("Shipping", "FedEx") + else + res.body = req.script_name + end + end + + def do_POST(req, res) + do_GET(req, res) + end +end + +cgi = TestApp.new +cgi.start Property changes on: ruby_1_8_5/test/webrick/webrick_long_filename.cgi ___________________________________________________________________ Name: svn:executable + * Index: ruby_1_8_5/test/webrick/.htaccess =================================================================== --- ruby_1_8_5/test/webrick/.htaccess (revision 0) +++ ruby_1_8_5/test/webrick/.htaccess (revision 16495) @@ -0,0 +1 @@ +this file should not be published. Index: ruby_1_8_5/test/webrick/test_filehandler.rb =================================================================== --- ruby_1_8_5/test/webrick/test_filehandler.rb (revision 16494) +++ ruby_1_8_5/test/webrick/test_filehandler.rb (revision 16495) @@ -9,6 +9,10 @@ klass.new(WEBrick::Config::HTTP, filename) end + def windows? + File.directory?("\\") + end + def get_res_body(res) return res.body.read rescue res.body end @@ -115,10 +119,82 @@ http = Net::HTTP.new(addr, port) req = Net::HTTP::Get.new("/../../") http.request(req){|res| assert_equal("400", res.code) } - req = Net::HTTP::Get.new( - "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini" - ) + req = Net::HTTP::Get.new("/..%5c../#{File.basename(__FILE__)}") + http.request(req){|res| assert_equal(windows? ? "200" : "404", res.code) } + req = Net::HTTP::Get.new("/..%5c..%5cruby.c") http.request(req){|res| assert_equal("404", res.code) } end end + + def test_unwise_in_path + if windows? + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + req = Net::HTTP::Get.new("/..%5c..") + http.request(req){|res| assert_equal("301", res.code) } + end + end + end + + def test_short_filename + config = { + :CGIInterpreter => TestWEBrick::RubyBin, + :DocumentRoot => File.dirname(__FILE__), + :CGIPathEnv => ENV['PATH'], + } + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + + req = Net::HTTP::Get.new("/webric~1.cgi/test") + http.request(req) do |res| + if windows? + assert_equal("200", res.code) + assert_equal("/test", res.body) + else + assert_equal("404", res.code) + end + end + + req = Net::HTTP::Get.new("/.htaccess") + http.request(req) {|res| assert_equal("404", res.code) } + req = Net::HTTP::Get.new("/htacce~1") + http.request(req) {|res| assert_equal("404", res.code) } + req = Net::HTTP::Get.new("/HTACCE~1") + http.request(req) {|res| assert_equal("404", res.code) } + end + end + + def test_script_disclosure + config = { + :CGIInterpreter => TestWEBrick::RubyBin, + :DocumentRoot => File.dirname(__FILE__), + :CGIPathEnv => ENV['PATH'], + } + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + + req = Net::HTTP::Get.new("/webrick.cgi/test") + http.request(req) do |res| + assert_equal("200", res.code) + assert_equal("/test", res.body) + end + + response_assertion = Proc.new do |res| + if windows? + assert_equal("200", res.code) + assert_equal("/test", res.body) + else + assert_equal("404", res.code) + end + end + req = Net::HTTP::Get.new("/webrick.cgi%20/test") + http.request(req, &response_assertion) + req = Net::HTTP::Get.new("/webrick.cgi./test") + http.request(req, &response_assertion) + req = Net::HTTP::Get.new("/webrick.cgi::$DATA/test") + http.request(req, &response_assertion) + end + end end Index: ruby_1_8_6/ChangeLog =================================================================== --- ruby_1_8_6/ChangeLog (revision 16494) +++ ruby_1_8_6/ChangeLog (revision 16495) @@ -1,3 +1,19 @@ +Wed May 21 01:32:56 2008 GOTOU Yuuzou <gotoyuzo@n...> + + * lib/webrick/httpservlet/filehandler.rb: should normalize path + name in path_info to prevent script disclosure vulnerability on + DOSISH filesystems. (fix: CVE-2008-1891) + Note: NTFS/FAT filesystem should not be published by the platforms + other than Windows. Pathname interpretation (including short + filename) is less than perfect. + + * lib/webrick/httpservlet/abstract.rb + (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri): + should escape the value of Location: header. + + * lib/webrick/httpservlet/cgi_runner.rb: accept interpreter + command line arguments. + Sun May 18 01:57:44 2008 Nobuyoshi Nakada <nobu@r...> * file.c (isdirsep): backslash is valid path separator on cygwin too. Index: ruby_1_8_6/version.h =================================================================== --- ruby_1_8_6/version.h (revision 16494) +++ ruby_1_8_6/version.h (revision 16495) @@ -2,14 +2,14 @@ #define RUBY_RELEASE_DATE "2008-05-18" #define RUBY_VERSION_CODE 186 #define RUBY_RELEASE_CODE 20080518 -#define RUBY_PATCHLEVEL 118 +#define RUBY_PATCHLEVEL 119 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 #define RUBY_VERSION_TEENY 6 #define RUBY_RELEASE_YEAR 2008 #define RUBY_RELEASE_MONTH 5 -#define RUBY_RELEASE_DAY 18 +#define RUBY_RELEASE_DAY 21 #ifdef RUBY_EXTERN RUBY_EXTERN const char ruby_version[]; Index: ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb =================================================================== --- ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb (revision 16494) +++ ruby_1_8_6/lib/webrick/httpservlet/filehandler.rb (revision 16495) @@ -199,26 +199,38 @@ private + def trailing_pathsep?(path) + # check for trailing path separator: + # File.dirname("/aaaa/bbbb/") #=> "/aaaa") + # File.dirname("/aaaa/bbbb/x") #=> "/aaaa/bbbb") + # File.dirname("/aaaa/bbbb") #=> "/aaaa") + # File.dirname("/aaaa/bbbbx") #=> "/aaaa") + return File.dirname(path) != File.dirname(path+"x") + end + def prevent_directory_traversal(req, res) - # Preventing directory traversal on DOSISH platforms; + # Preventing directory traversal on Windows platforms; # Backslashes (0x5c) in path_info are not interpreted as special # character in URI notation. So the value of path_info should be # normalize before accessing to the filesystem. - if File::ALT_SEPARATOR + + if trailing_pathsep?(req.path_info) # File.expand_path removes the trailing path separator. # Adding a character is a workaround to save it. # File.expand_path("/aaa/") #=> "/aaa" # File.expand_path("/aaa/" + "x") #=> "/aaa/x" expanded = File.expand_path(req.path_info + "x") - expanded[-1, 1] = "" # remove trailing "x" - req.path_info = expanded + expanded.chop! # remove trailing "x" + else + expanded = File.expand_path(req.path_info) end + req.path_info = expanded end def exec_handler(req, res) raise HTTPStatus::NotFound, "`#{req.path}' not found" unless @root if set_filename(req, res) - handler = get_handler(req) + handler = get_handler(req, res) call_callback(:HandlerCallback, req, res) h = handler.get_instance(@config, res.filename) h.service(req, res) @@ -228,9 +240,13 @@ return false end - def get_handler(req) - suffix1 = (/\.(\w+)$/ =~ req.script_name) && $1.downcase - suffix2 = (/\.(\w+)\.[\w\-]+$/ =~ req.script_name) && $1.downcase + def get_handler(req, res) + suffix1 = (/\.(\w+)\z/ =~ res.filename) && $1.downcase + if /\.(\w+)\.([\w\-]+)\z/ =~ res.filename + if @options[:AcceptableLanguages].include?($2.downcase) + suffix2 = $1.downcase + end + end handler_table = @options[:HandlerTable] return handler_table[suffix1] || handler_table[suffix2] || HandlerTable[suffix1] || HandlerTable[suffix2] || @@ -243,15 +259,13 @@ path_info.unshift("") # dummy for checking @root dir while base = path_info.first - check_filename(req, res, base) break if base == "/" - break unless File.directory?(res.filename + base) + break unless File.directory?(File.expand_path(res.filename + base)) shift_path_info(req, res, path_info) call_callback(:DirectoryCallback, req, res) end if base = path_info.first - check_filename(req, res, base) if base == "/" if file = search_index_file(req, res) shift_path_info(req, res, path_info, file) @@ -272,12 +286,10 @@ end def check_filename(req, res, name) - @options[:NondisclosureName].each{|pattern| - if File.fnmatch("/#{pattern}", name, File::FNM_CASEFOLD) - @logger.warn("the request refers nondisclosure name `#{name}'.") - raise HTTPStatus::NotFound, "`#{req.path}' not found." - end - } + if nondisclosure_name?(name) || windows_ambiguous_name?(name) + @logger.warn("the request refers nondisclosure name `#{name}'.") + raise HTTPStatus::NotFound, "`#{req.path}' not found." + end end def shift_path_info(req, res, path_info, base=nil) @@ -285,7 +297,8 @@ base = base || tmp req.path_info = path_info.join req.script_name << base - res.filename << base + res.filename = File.expand_path(res.filename + base) + check_filename(req, res, File.basename(res.filename)) end def search_index_file(req, res) @@ -325,6 +338,12 @@ end end + def windows_ambiguous_name?(name) + return true if /[. ]+\z/ =~ name + return true if /::\$DATA\z/ =~ name + return false + end + def nondisclosure_name?(name) @options[:NondisclosureName].each{|pattern| if File.fnmatch(pattern, name, File::FNM_CASEFOLD) @@ -343,7 +362,8 @@ list = Dir::entries(local_path).collect{|name| next if name == "." || name == ".." next if nondisclosure_name?(name) - st = (File::stat(local_path + name) rescue nil) + next if windows_ambiguous_name?(name) + st = (File::stat(File.join(local_path, name)) rescue nil) if st.nil? [ name, nil, -1 ] elsif st.directory? @@ -383,7 +403,7 @@ res.body << "<A HREF=\"?S=#{d1}\">Size</A>\n" res.body << "<HR>\n" - list.unshift [ "..", File::mtime(local_path+".."), -1 ] + list.unshift [ "..", File::mtime(local_path+"/.."), -1 ] list.each{ |name, time, size| if name == ".." dname = "Parent Directory" Index: ruby_1_8_6/lib/webrick/httpservlet/abstract.rb =================================================================== --- ruby_1_8_6/lib/webrick/httpservlet/abstract.rb (revision 16494) +++ ruby_1_8_6/lib/webrick/httpservlet/abstract.rb (revision 16495) @@ -58,7 +58,7 @@ def redirect_to_directory_uri(req, res) if req.path[-1] != ?/ - location = req.path + "/" + location = WEBrick::HTTPUtils.escape_path(req.path + "/") if req.query_string && req.query_string.size > 0 location << "?" << req.query_string end Index: ruby_1_8_6/lib/webrick/httpservlet/cgi_runner.rb =================================================================== --- ruby_1_8_6/lib/webrick/httpservlet/cgi_runner.rb (revision 16494) +++ ruby_1_8_6/lib/webrick/httpservlet/cgi_runner.rb (revision 16495) @@ -39,7 +39,9 @@ Dir::chdir dir if interpreter = ARGV[0] - exec(interpreter, ENV["SCRIPT_FILENAME"]) + argv = ARGV.dup + argv << ENV["SCRIPT_FILENAME"] + exec(*argv) # NOTREACHED end exec ENV["SCRIPT_FILENAME"] Index: ruby_1_8_6/test/webrick/utils.rb =================================================================== --- ruby_1_8_6/test/webrick/utils.rb (revision 16494) +++ ruby_1_8_6/test/webrick/utils.rb (revision 16495) @@ -1,3 +1,10 @@ +begin + loadpath = $:.dup + $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))]) + require 'envutil' +ensure + $:.replace(loadpath) +end require "webrick" begin require "webrick/https" @@ -12,6 +19,11 @@ return self end + RubyBin = "\"#{EnvUtil.rubybin}\"" + RubyBin << " \"-I#{File.expand_path("../..", File.dirname(__FILE__))}/lib\"" + RubyBin << " \"-I#{File.dirname(EnvUtil.rubybin)}/.ext/common\"" + RubyBin << " \"-I#{File.dirname(EnvUtil.rubybin)}/.ext/#{RUBY_PLATFORM}\"" + module_function def start_server(klass, config={}, &block) Index: ruby_1_8_6/test/webrick/test_cgi.rb =================================================================== --- ruby_1_8_6/test/webrick/test_cgi.rb (revision 16494) +++ ruby_1_8_6/test/webrick/test_cgi.rb (revision 16495) @@ -1,20 +1,13 @@ require "webrick" require File.join(File.dirname(__FILE__), "utils.rb") require "test/unit" -begin - loadpath = $:.dup - $:.replace($: | [File.expand_path("../ruby", File.dirname(__FILE__))]) - require 'envutil' -ensure - $:.replace(loadpath) -end class TestWEBrickCGI < Test::Unit::TestCase def test_cgi accepted = started = stopped = 0 requested0 = requested1 = 0 config = { - :CGIInterpreter => EnvUtil.rubybin, + :CGIInterpreter => TestWEBrick::RubyBin, :DocumentRoot => File.dirname(__FILE__), :DirectoryIndex => ["webrick.cgi"], } Index: ruby_1_8_6/test/webrick/webrick_long_filename.cgi =================================================================== --- ruby_1_8_6/test/webrick/webrick_long_filename.cgi (revision 0) +++ ruby_1_8_6/test/webrick/webrick_long_filename.cgi (revision 16495) @@ -0,0 +1,36 @@ +#!ruby -d +require "webrick/cgi" + +class TestApp < WEBrick::CGI + def do_GET(req, res) + res["content-type"] = "text/plain" + if (p = req.path_info) && p.length > 0 + res.body = p + elsif (q = req.query).size > 0 + res.body = q.keys.sort.collect{|key| + q[key].list.sort.collect{|v| + "#{key}=#{v}" + }.join(", ") + }.join(", ") + elsif %r{/$} =~ req.request_uri.to_s + res.body = "" + res.body << req.request_uri.to_s << "\n" + res.body << req.script_name + elsif !req.cookies.empty? + res.body = req.cookies.inject(""){|result, cookie| + result << "%s=%s\n" % [cookie.name, cookie.value] + } + res.cookies << WEBrick::Cookie.new("Customer", "WILE_E_COYOTE") + res.cookies << WEBrick::Cookie.new("Shipping", "FedEx") + else + res.body = req.script_name + end + end + + def do_POST(req, res) + do_GET(req, res) + end +end + +cgi = TestApp.new +cgi.start Property changes on: ruby_1_8_6/test/webrick/webrick_long_filename.cgi ___________________________________________________________________ Name: svn:executable + * Index: ruby_1_8_6/test/webrick/.htaccess =================================================================== --- ruby_1_8_6/test/webrick/.htaccess (revision 0) +++ ruby_1_8_6/test/webrick/.htaccess (revision 16495) @@ -0,0 +1 @@ +this file should not be published. Index: ruby_1_8_6/test/webrick/test_filehandler.rb =================================================================== --- ruby_1_8_6/test/webrick/test_filehandler.rb (revision 16494) +++ ruby_1_8_6/test/webrick/test_filehandler.rb (revision 16495) @@ -9,6 +9,10 @@ klass.new(WEBrick::Config::HTTP, filename) end + def windows? + File.directory?("\\") + end + def get_res_body(res) return res.body.read rescue res.body end @@ -115,10 +119,82 @@ http = Net::HTTP.new(addr, port) req = Net::HTTP::Get.new("/../../") http.request(req){|res| assert_equal("400", res.code) } - req = Net::HTTP::Get.new( - "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cboot.ini" - ) + req = Net::HTTP::Get.new("/..%5c../#{File.basename(__FILE__)}") + http.request(req){|res| assert_equal(windows? ? "200" : "404", res.code) } + req = Net::HTTP::Get.new("/..%5c..%5cruby.c") http.request(req){|res| assert_equal("404", res.code) } end end + + def test_unwise_in_path + if windows? + config = { :DocumentRoot => File.dirname(__FILE__), } + this_file = File.basename(__FILE__) + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + req = Net::HTTP::Get.new("/..%5c..") + http.request(req){|res| assert_equal("301", res.code) } + end + end + end + + def test_short_filename + config = { + :CGIInterpreter => TestWEBrick::RubyBin, + :DocumentRoot => File.dirname(__FILE__), + :CGIPathEnv => ENV['PATH'], + } + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + + req = Net::HTTP::Get.new("/webric~1.cgi/test") + http.request(req) do |res| + if windows? + assert_equal("200", res.code) + assert_equal("/test", res.body) + else + assert_equal("404", res.code) + end + end + + req = Net::HTTP::Get.new("/.htaccess") + http.request(req) {|res| assert_equal("404", res.code) } + req = Net::HTTP::Get.new("/htacce~1") + http.request(req) {|res| assert_equal("404", res.code) } + req = Net::HTTP::Get.new("/HTACCE~1") + http.request(req) {|res| assert_equal("404", res.code) } + end + end + + def test_script_disclosure + config = { + :CGIInterpreter => TestWEBrick::RubyBin, + :DocumentRoot => File.dirname(__FILE__), + :CGIPathEnv => ENV['PATH'], + } + TestWEBrick.start_httpserver(config) do |server, addr, port| + http = Net::HTTP.new(addr, port) + + req = Net::HTTP::Get.new("/webrick.cgi/test") + http.request(req) do |res| + assert_equal("200", res.code) + assert_equal("/test", res.body) + end + + response_assertion = Proc.new do |res| + if windows? + assert_equal("200", res.code) + assert_equal("/test", res.body) + else + assert_equal("404", res.code) + end + end + req = Net::HTTP::Get.new("/webrick.cgi%20/test") + http.request(req, &response_assertion) + req = Net::HTTP::Get.new("/webrick.cgi./test") + http.request(req, &response_assertion) + req = Net::HTTP::Get.new("/webrick.cgi::$DATA/test") + http.request(req, &response_assertion) + end + end end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/