lib/rack/protection/path_traversal.rb



require 'rack/protection'

module Rack
  module Protection
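    ##
    # Prevented attack::   Directory traversal
    # Supported browsers:: all
    # More infos::         http://en.wikipedia.org/wiki/Directory_traversal
    #
    # Unescapes '/' and '.' (percent-encoded in either case, %2e or %2E) and
    # resolves '.' / '..' segments of +path_info+ against its root before the
    # request reaches the application.
    # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
    class PathTraversal < Base
      # A path whose last segment is '', '.' or '..' keeps a trailing slash
      # after normalisation (e.g. "/foo/" and "/foo/." both become "/foo/").
      # Anchored with \z so only the real end of the string counts, not an
      # embedded newline.
      TRAILING_SLASH = %r{/\.{0,2}\z}

      # Hands the downstream app a normalised PATH_INFO and restores the
      # original value afterwards, so outer middleware sees the request as it
      # arrived.
      #
      # env - the Rack environment hash; PATH_INFO is expected to be a String
      #       (the Rack spec requires it to be present, possibly empty)
      #
      # Returns the downstream app's Rack response triple.
      def call(env)
        path_was         = env["PATH_INFO"]
        env["PATH_INFO"] = cleanup path_was
        app.call env
      ensure
        env["PATH_INFO"] = path_was
      end

      # Normalises +path+: decodes percent-encoded dots and slashes, then
      # resolves '.' and '..' segments without ever climbing above the root.
      #
      # Decoding is case-insensitive because %2E%2E%2F and %2e%2e%2f are the
      # same bytes once decoded; matching only the lowercase spelling would
      # leave the uppercase form unnormalised.
      #
      # Segments are resolved on the string itself rather than through
      # File.expand_path, whose output depends on the host platform (on
      # Windows an absolute path gains a drive letter) and on the process'
      # working directory, neither of which should influence a URL path.
      #
      # path - the raw PATH_INFO String
      #
      # Returns the cleaned path; a relative input stays relative.
      def cleanup(path)
        return cleanup("/" + path)[1..-1] unless path[0] == ?/

        unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')

        # Empty and '.' segments vanish; '..' drops the previous segment and
        # cannot escape the root because popping an empty stack is a no-op.
        segments = []
        unescaped.split('/').each do |segment|
          next if segment.empty? || segment == '.'
          segment == '..' ? segments.pop : segments << segment
        end

        cleaned = '/' + segments.join('/')
        # Checked on the decoded form so "/foo/%2e" and "/foo/." agree.
        cleaned << '/' if segments.any? && unescaped =~ TRAILING_SLASH
        cleaned
      end
    end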
  end
end