Class: Rack::Protection::PathTraversal
Defined in: lib/rack/protection/path_traversal.rb
Overview
Prevented attack: Directory traversal
Supported browsers: all
More info: Unescapes the percent-encoded forms of '/' (%2f) and '.' (%2e) in PATH_INFO and collapses '.' and '..' segments before the request reaches the application. Thus GET /foo/%2e%2e%2fbar becomes GET /bar.
Instance Method Summary
Methods inherited from Base: #accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #initialize, #random_string, #react, #referrer, #safe?, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env) ⇒ Object

```ruby
# File 'lib/rack/protection/path_traversal.rb'
def call(env)
  # Normalise PATH_INFO for the downstream app only; the original value is
  # restored in `ensure` so middleware further up the stack (and any error
  # handling) still sees what the client actually sent.
  path_was         = env["PATH_INFO"]
  env["PATH_INFO"] = cleanup path_was
  app.call env
ensure
  env["PATH_INFO"] = path_was
end
```
#cleanup(path) ⇒ Object

```ruby
# File 'lib/rack/protection/path_traversal.rb'
def cleanup(path)
  parts     = []
  # Only these two escapes are decoded, and the match is a literal,
  # case-sensitive gsub: '%2e' and '%2f' are unescaped, uppercase '%2E'
  # and '%2F' are left untouched by this version.
  unescaped = path.gsub('%2e', '.').gsub('%2f', '/')

  # Walk the segments with a stack: '.' and empty segments are dropped,
  # '..' pops the previous segment (popping an empty stack is a no-op, so
  # the result can never climb above '/').
  unescaped.split('/').each do |part|
    next if part.empty? or part == '.'
    part == '..' ? parts.pop : parts << part
  end

  cleaned = '/' << parts.join('/')
  # Preserve a trailing slash when the request ended in '/', '/.' or '/..'.
  cleaned << '/' if parts.any? and unescaped =~ /\/\.{0,2}$/
  cleaned
end
```
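The following is an added example and not code from rack-protection. It wires a normaliser with the same contract as the middleware above (rewrite PATH_INFO for the downstream app, restore it afterwards) in front of an invented downstream app, `NaiveFileApp`, that does exactly what the middleware exists to cover: it percent-decodes PATH_INFO and joins it straight onto a document root with no containment check. `PathNormalizer`, `NaiveFileApp` and `traversal_demo` are names chosen for this example. The normaliser's `cleanup` goes one step beyond the library's version by matching `%2e`/`%2f` case-insensitively; that is a choice made here, not behaviour the documented code has.

```ruby
require 'tmpdir'
require 'uri'

# Example middleware (not the rack-protection class): same PATH_INFO
# rewrite-and-restore contract as the documented #call above.
class PathNormalizer
  def initialize(app)
    @app = app
  end

  def call(env)
    path_was = env["PATH_INFO"]
    env["PATH_INFO"] = self.class.cleanup(path_was)
    @app.call(env)
  ensure
    env["PATH_INFO"] = path_was # downstream-only rewrite
  end

  # Decode %2e / %2f, then collapse '.' and '..' with a stack. The /i flag
  # also folds %2E / %2F, which is an assumption of this example, not
  # something the library source shown above does.
  def self.cleanup(path)
    parts = []
    unescaped = path.gsub(/%2e/i, '.').gsub(/%2f/i, '/')
    unescaped.split('/').each do |part|
      next if part.empty? || part == '.'
      part == '..' ? parts.pop : parts << part
    end
    cleaned = '/' + parts.join('/')
    cleaned << '/' if parts.any? && unescaped.match?(%r{/\.{0,2}\z})
    cleaned
  end
end

# Invented downstream app showing the vulnerable pattern: decode, then
# File.join onto a root, and serve whatever that resolves to.
class NaiveFileApp
  def initialize(root)
    @root = root
  end

  def call(env)
    decoded = URI.decode_www_form_component(env["PATH_INFO"])
    file = File.join(@root, decoded)
    return [200, { "content-type" => "text/plain" }, [File.read(file)]] if File.file?(file)
    [404, { "content-type" => "text/plain" }, []]
  end
end

# Constructed scenario: a document root "public" with one file in it and a
# secret one directory above. The same encoded request is sent to the bare
# app and to the app wrapped in PathNormalizer; the two status codes are
# returned so the difference can be asserted on.
def traversal_demo(request_path = "/%2e%2e/secret.txt")
  Dir.mktmpdir do |dir|
    public_dir = File.join(dir, "public")
    Dir.mkdir(public_dir)
    File.write(File.join(public_dir, "index.html"), "hello")
    File.write(File.join(dir, "secret.txt"), "outside the web root")

    bare    = NaiveFileApp.new(public_dir)
    guarded = PathNormalizer.new(NaiveFileApp.new(public_dir))

    env = { "PATH_INFO" => request_path }
    { bare: bare.call(env)[0], guarded: guarded.call(env.dup)[0] }
  end
end

if __FILE__ == $0
  p PathNormalizer.cleanup("/foo/%2e%2e%2fbar")
  p traversal_demo
end
```

Without the normaliser, `/%2e%2e/secret.txt` is decoded by the app to `/../secret.txt`, joined onto `public`, and the file one level up is served (200). With it in front, PATH_INFO has already been collapsed to `/secret.txt`, which does not exist under `public`, so the app answers 404. The normaliser is a cheap first line of defence, not a substitute for a containment check in the app itself: anything it does not decode (double encoding such as `%252e`, backslashes on platforms that treat them as separators) passes through unchanged, so an app that decodes again after the middleware has run still needs to verify that the resolved path stays under its root.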