Changeset 963

Timestamp:
02/19/08 23:48:42 (7 months ago)
Author:
evanweaver
Message:

Failing test for path traversal issue.

Files:

  • branches/stable_1-1/lib/mongrel/handlers.rb

    r927 r963  
    88require 'zlib' 
    99require 'yaml' 
    10  
    1110 
    1211module Mongrel 
     
    103102  # If you pass nil as the root path, it will not check any locations or 
    104103  # expand any paths. This lets you serve files from multiple drives 
    105   # on win32. 
     104  # on win32. It should probably not be used in a public-facing way 
     105  # without additional checks. 
    106106  # 
    107107  # The default content type is "text/plain; charset=ISO-8859-1" but you 
     
    121121    def initialize(path, listing_allowed=true, index_html="index.html") 
    122122      @path = File.expand_path(path) if path 
    123       @listing_allowed=listing_allowed 
     123      @listing_allowed = listing_allowed 
    124124      @index_html = index_html 
    125125      @default_content_type = "application/octet-stream".freeze 
     
    133133      req_path = File.join(@path, req_path) if @path 
    134134      req_path = File.expand_path req_path 
    135       
    136       # do not remove the check for @path at the beginning, it's what prevents 
    137       # the serving of arbitrary files (and good programmer Rule #1 Says: If 
    138       # you don't understand something, it's not because I'm stupid, it's 
    139       # because you are). 
    140       if req_path.index(@path) == 0 and File.exist? req_path 
     135       
     136      if File.exist? req_path # and (!@path or req_path.index(@path) == 0) 
    141137        # It exists and it's in the right location 
    142138        if File.directory? req_path 
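Review bot: the guard that kept req_path under @path is dropped in this hunk and survives only as a comment on `if File.exist? req_path # and (!@path or req_path.index(@path) == 0)`, so with a non-nil root any existing file reachable through `..` segments now gets past can_serve, which is exactly what the removed comment ("it's what prevents the serving of arbitrary files") warned about. If the point of r963 is only to make the new test fail, the commit message should say that the guard is intentionally disabled. When the check is reinstated, note that `req_path.index(@path) == 0` is a plain string-prefix test and accepts siblings (a root of `/doc` matches `/document`), so compare against `@path + File::SEPARATOR` or equality with @path after both sides have been through File.expand_path, and keep the `!@path` short-circuit in front of it, since `String#index(nil)` raises a TypeError.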
     
    158154        end 
    159155      else 
    160         # does not exist or isn't in the right spot or isn't valid because not start with @path 
     156        # does not exist or isn't in the right spot 
    161157        return nil 
    162158      end 
  • branches/stable_1-1/test/test_handlers.rb

    r740 r963  
    5050      end 
    5151    end 
     52     
     53    File.open("/tmp/testfile", 'w') do 
     54      # Do nothing 
     55    end 
     56     
    5257    @config.run 
    5358  end 
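Review bot: the fixture is a hard-coded `/tmp/testfile` created with `File.open("/tmp/testfile", 'w') do`, which collides between concurrent runs of the suite, does not exist on the win32 setups the handler comments mention, and is repeated as a literal in setup, teardown and both new tests; create it with Tempfile (or under Dir.tmpdir) in setup, keep the path in an instance variable, and have the assertions use that.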
     
    5560  def teardown 
    5661    @config.stop(false, true) 
     62    File.delete "/tmp/testfile" 
    5763  end 
    5864 
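Review bot: `File.delete "/tmp/testfile"` in teardown runs even when setup failed before the file was written, so an earlier failure is masked by a second Errno::ENOENT here; guard it with File.exist? or let Tempfile handle the cleanup.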
     
    6773          "http://localhost:9998/status", 
    6874    ]) 
    69  
    70     # XXX This can't possibly have good coverage. 
    7175    check_status res, String 
     76  end 
     77   
     78  def test_nil_dirhandler 
     79    # Camping uses this internally 
     80    handler = Mongrel::DirHandler.new(nil, false)   
     81    assert handler.can_serve("/tmp/testfile") 
     82    # Not a bug! A nil @file parameter is the only circumstance under which 
     83    # we are allowed to serve any existing file 
     84    assert handler.can_serve("../../../../../../../../../../tmp/testfile") 
     85  end 
     86   
     87  def test_non_nil_dirhandler_is_not_vulnerable_to_path_traversal 
     88    # The famous security bug of Mongrel 1.1.2 
     89    handler = Mongrel::DirHandler.new("/doc", false) 
     90    assert_nil handler.can_serve("/tmp/testfile") 
     91    assert_nil handler.can_serve("../../../../../../../../../../tmp/testfile") 
    7292  end 
    7393 
    7494  def test_deflate 
    7595    Net::HTTP.start("localhost", 9998) do |h| 
    76       # test that no accept-encoding returns a non-deflated response 
     96      # Test that no accept-encoding returns a non-deflated response 
    7797      req = h.get("/dumb") 
    7898      assert(
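Review bot: the comment `# Not a bug! A nil @file parameter is the only circumstance under which` refers to an instance variable the handler does not have; the root is stored in @path (see the initialize hunk in handlers.rb), so name that instead. In test_non_nil_dirhandler_is_not_vulnerable_to_path_traversal the traversal is only observable because the expanded path lands on a file that actually exists, so the test silently depends on the /tmp/testfile fixture from setup and on File.expand_path accepting a `/doc` root that is never created; a one-line comment stating both dependencies would save the next reader from wondering why the assertions use assert_nil rather than a raised error.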