Files may exist and be stat-able, but not readable. Return
a 403 response for non-readable files.
---
extras/try_gzip_static.rb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/extras/try_gzip_static.rb b/extras/try_gzip_static.rb
index d562957..4279e65 100644
--- a/extras/try_gzip_static.rb
+++ b/extras/try_gzip_static.rb
@@ -92,7 +92,9 @@ class TryGzipStatic
path = fspath(env) or return r(403)
begin
st = File.stat(path)
- st.file? ? [ path, st ] : r(404)
+ return r(404) unless st.file?
+ return r(403) unless st.readable?
+ [ path, st ]
rescue Errno::ENOENT, Errno::ENOTDIR
r(404)
rescue Errno::EACCES
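Review bot: The new `return r(403) unless st.readable?` is only an advisory check, because `File::Stat#readable?` tests the mode bits against the effective uid/gid as they were at stat time. It does not account for POSIX ACLs or MAC policy, nor for a permission change between this stat and the later open, so the code that opens `path` (outside this hunk; the method body starts and ends beyond it) must still rescue `Errno::EACCES` and map it to 403. A comment above the new line, such as `# advisory only: the later open may still raise EACCES (ACLs, races)`, would record that. Separately, answering 403 rather than 404 lets a client tell an existing but unreadable file from a missing one; if that distinction should not be exposed, use `return r(404) unless st.readable?` instead.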
--
EW