extras/autoindex.rb in yahns-0.0.3 vs extras/autoindex.rb in yahns-1.0.0
@@ -40,11 +40,11 @@
# try to serve the static file, first
status, headers, body = res = @app.call(env)
return res if status.to_i != 404
path_info = env["PATH_INFO"]
- path_info_ue = Rack::Utils.unescape(path_info)
+ path_info_ue = Rack::Utils.unescape(path_info, Encoding::BINARY)
# reject requests to go up a level (browser takes care of it)
path_info_ue =~ /\.\./ and return r(403)
# cleanup the path
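Review bot: The new `Rack::Utils.unescape(path_info, Encoding::BINARY)` call needs a why-comment, because the reason is not visible from the line itself: with the default UTF-8 target, an escape sequence that decodes to invalid UTF-8 would make the `=~ /\.\./` match on the next line raise `ArgumentError` (invalid byte sequence) rather than reject the request, and decoding as BINARY keeps that check byte-based. Suggested: `# decode as BINARY: an escape yielding invalid UTF-8 would otherwise make the regexp check below raise`. The decoded path still carries an embedded NUL when the request used `%00`; the filesystem calls after this hunk presumably raise on it, and as far as the second hunk shows that is caught by `rescue => e` and reported as a logged 500 rather than a client error, so consider adding `path_info_ue.include?("\0") and return r(403)` beside the `..` check. The enclosing method starts before this hunk and continues past it.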
@@ -110,18 +110,21 @@
r(405)
end
rescue Errno::ENOENT, Errno::ENOTDIR # from Dir.open
r(404)
rescue => e
- r(500, e.message, env)
+ r(500, e, env)
ensure
dir.close if dir
end
def r(code, msg = nil, env = nil)
- if env && logger = env["rack.logger"]
+ if env && exc && logger = env["rack.logger"]
+ msg = exc.message
+ msg = msg.dump if /[[:cntrl:]]/ =~ msg # prevent code injection
logger.warn("#{env['REQUEST_METHOD']} #{env['PATH_INFO']} " \
- "#{code} #{msg.inspect}")
+ "#{code} #{msg}")
+ exc.backtrace.each { |line| logger.warn(line) }
end
if Rack::Utils::STATUS_WITH_NO_ENTITY_BODY.include?(code)
[ code, {}, [] ]
else