Also, attaching a diff with a failing test would totally rock.

Evan
On Dec 28, 2007 7:28 PM, Evan Weaver <[EMAIL PROTECTED]> wrote:
> I guess expand_path doesn't interact well with HTTP escaping.
>
> This is pretty critical, can you file a ticket against it?
>
> Evan
>
>
> On Dec 28, 2007 5:01 PM, Eric Mason <[EMAIL PROTECTED]> wrote:
> > I just found a vulnerability in one of my web apps that was running
> > Mongrel 1.1.2 where I could go to URIs like
> > /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
> > would serve the actual /etc/passwd file.
> >
> > The issue seems to be in lib/mongrel/handlers.rb in the change from
> > 1.0.3 to 1.0.4
> >
> >
> > req_path = HttpRequest.unescape(path_info)
> > - if @path
> > - req_path = File.expand_path(File.join(@path, path_info), @path)
> > - else
> > - req_path = File.expand_path(req_path)
> > - end
> > -
> > - if req_path.index(@path) == 0 and File.exist? req_path
> > - # it exists and it's in the right location
> > + # Add the drive letter or root path
> > + req_path = File.join(@path, req_path) if @path
> > + req_path = File.expand_path req_path
> > +
> > + if File.exist? req_path
> > + # It exists and it's in the right location
> > if File.directory? req_path
> >
> > The main difference is that "req_path.index(@path) == 0" is removed,
> > which seems to be the cause of the vulnerability.
> >
> > Adding that check back in fixes it in 1.1.2, but may cause issues on
> > Windows (I haven't checked)
> >
> > Also, downgrading to 1.0.3 fixes it.
> > --
> > Posted via http://www.ruby-forum.com/.
> > _______________________________________________
> > Mongrel-users mailing list
> > Mongrel-users@rubyforge.org
> > http://rubyforge.org/mailman/listinfo/mongrel-users
>
>
>
> --
> Evan Weaver
> Cloudburst, LLC
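Review bot: the hunk drops the only containment check. In the removed branch `if req_path.index(@path) == 0 and File.exist? req_path` the request is refused unless the expanded path still begins with `@path`; the replacement `if File.exist? req_path` accepts any existing file that `File.expand_path req_path` resolves to, so once `..` components survive `HttpRequest.unescape` the handler walks straight out of the document root. Restore a containment test after the `File.expand_path` call, and compare against `@path` with a trailing `File::SEPARATOR` rather than a bare `index(@path) == 0`, since the prefix form also accepts a sibling directory whose name merely starts with `@path`. Passing `@path` through `File.expand_path` as well keeps the comparison consistent on Windows, where the drive letter comment in the new code shows the root is being normalized.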
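The containment check the thread argues for, written out as an added Ruby example (this is not Mongrel's code; `SafeStatic`, `resolve` and `unescape` are hypothetical names, `unescape` is a stand-in for `HttpRequest.unescape`, and the `decode_twice` flag only emulates the extra decoding step so the traversal request quoted above can be shown being refused). It resolves the request against the root, then requires the result to equal the root or start with the root plus a separator, which also closes the sibling-directory gap that a bare prefix match leaves open.

```ruby
# Added example, not Mongrel's own handler code.
module SafeStatic
  # Hypothetical stand-in for HttpRequest.unescape: one round of %XX decoding.
  def self.unescape(s)
    s.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  end

  # Resolve +path_info+ under +root+ and return the absolute path to serve,
  # or nil when the resolved path is not inside the document root.
  # decode_twice: emulate a second unescape pass (the double-decoding case
  # from the thread); the containment check must hold either way.
  def self.resolve(root, path_info, decode_twice: false)
    root = File.expand_path(root)             # normalized root, also on Windows
    req  = unescape(path_info)
    req  = unescape(req) if decode_twice      # "%252e" -> "%2e" -> "."
    full = File.expand_path(File.join(root, req))  # collapses any ".." segments

    # Containment: exactly the root, or root followed by a separator.
    # A plain full.index(root) == 0 would also accept "/var/www2/..." for
    # a root of "/var/www", so the separator is part of the comparison.
    return nil unless full == root || full.start_with?(root + File::SEPARATOR)
    full
  end
end

if __FILE__ == $0
  root = "/var/www"   # constructed document root for the demonstration
  # Constructed request taken from the shape quoted in the thread.
  traversal = "/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
  puts SafeStatic.resolve(root, "/index.html").inspect
  puts SafeStatic.resolve(root, traversal, decode_twice: true).inspect
  puts SafeStatic.resolve(root, "/../www2/secret.txt").inspect
end
```

The example deliberately stops short of `File.exist?`, so the result depends only on string resolution: a refused path is refused before the filesystem is ever consulted, which is the order the original 1.0.3 code used and the 1.0.4 change lost.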