
require 'rack/protection'

module Rack
  module Protection
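    ##
    # Prevented attack::   Directory traversal
    # Supported browsers:: all
    # More infos::         http://en.wikipedia.org/wiki/Directory_traversal
    #
    # Normalises +PATH_INFO+ before the downstream app sees it: percent-encoded
    # dots (<tt>%2e</tt>), slashes (<tt>%2f</tt>) and backslashes (<tt>%5c</tt>)
    # are decoded, backslashes are treated as separators, and <tt>.</tt> /
    # <tt>..</tt> segments are collapsed so the result never climbs above the
    # root. Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>, and
    # <tt>GET /foo/..%5cbar</tt> likewise becomes <tt>GET /bar</tt>.
    #
    # NOTE(review): the backslash handling is the addition over the shipped
    # 1.5.3 code, which only normalised "/"; on platforms where "\" is an
    # alternate path separator a <tt>..\</tt> segment used to pass straight
    # through. Later upstream releases normalise backslashes the same way —
    # confirm against the current gem before relying on this vendored copy.
    #
    # The original +PATH_INFO+ is restored once the request has been served.
    class PathTraversal < Base
      # Rewrites env["PATH_INFO"] for the duration of the downstream call.
      #
      # Only a non-empty path is cleaned; nil and "" are passed through
      # untouched. The +ensure+ restores the caller's value even when the
      # app raises, so middleware above us sees the request path it set.
      def call(env)
        path_was         = env["PATH_INFO"]
        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
        app.call env
      ensure
        env["PATH_INFO"] = path_was
      end

      # Returns a canonical, root-anchored form of +path+.
      #
      # * +%2e+, +%2f+ and +%5c+ are decoded (case-insensitively); no other
      #   percent-escapes are touched.
      # * "\" is mapped to "/" before splitting, so a segment such as
      #   <tt>..\</tt> is collapsed like <tt>../</tt> instead of surviving
      #   as an opaque path component.
      # * Empty and "." segments are dropped; ".." pops the previous segment
      #   and never climbs past the root (pop on an empty stack is a no-op).
      # * A trailing "/" is re-added when the normalised input ends in "/",
      #   "/." or "/.." (the +$+ anchor also accepts a final newline) and at
      #   least one segment survived.
      #
      # The result always starts with "/" and carries the input's encoding.
      def cleanup(path)
        if path.respond_to?(:encoding)
          # Ruby 1.9+ M17N: build the delimiters in the input's encoding so
          # gsub/split/join never raise Encoding::CompatibilityError.
          encoding  = path.encoding
          dot       = '.'.encode(encoding)
          slash     = '/'.encode(encoding)
          backslash = '\\'.encode(encoding)
        else
          # Ruby 1.8
          dot       = '.'
          slash     = '/'
          backslash = '\\'
        end
        dotdot = dot * 2

        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
        # Treat "\" as a separator too; otherwise "..\" is kept as a literal
        # segment and the traversal check below never sees it.
        unescaped = unescaped.gsub(backslash, slash)

        parts = []
        unescaped.split(slash).each do |part|
          next if part.empty? || part == dot
          if part == dotdot
            parts.pop
          else
            parts << part
          end
        end

        cleaned = slash + parts.join(slash)
        cleaned << slash if parts.any? && unescaped =~ %r{/\.{0,2}$}
        cleaned
      end
    end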
  end
end
