class Rack::Protection::PathTraversal
- Prevented attack
-
Directory traversal
- Supported browsers
-
all
- More infos
Unescapes ‘/’ and ‘.’, expands path_info
. Thus GET /foo/%2e%2e%2fbar
becomes GET /bar
.
Public Instance Methods
call(env)
click to toggle source
# File lib/rack/protection/path_traversal.rb, line 15 def call(env) path_was = env['PATH_INFO'] env['PATH_INFO'] = cleanup path_was if path_was && !path_was.empty? app.call env ensure env['PATH_INFO'] = path_was end
cleanup(path)
click to toggle source
# File lib/rack/protection/path_traversal.rb, line 23 def cleanup(path) encoding = path.encoding dot = '.'.encode(encoding) slash = '/'.encode(encoding) backslash = '\\'.encode(encoding) parts = [] unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash) unescaped = unescaped.gsub(backslash, slash) unescaped.split(slash).each do |part| next if part.empty? || (part == dot) part == '..' ? parts.pop : parts << part end cleaned = slash + parts.join(slash) cleaned << slash if parts.any? && unescaped =~ (%r{/\.{0,2}$}) cleaned end