method
prevent_directory_traversal
Ruby latest stable (v2_5_5)
Class: WEBrick::HTTPServlet::FileHandler
prevent_directory_traversal(req, res)
private
# File lib/webrick/httpservlet/filehandler.rb, line 242
def prevent_directory_traversal(req, res)
  # Preventing directory traversal on Windows platforms;
  # Backslashes (0x5c) in path_info are not interpreted as special
  # character in URI notation. So the value of path_info should be
  # normalize before accessing to the filesystem.

  # dirty hack for filesystem encoding; in nature, File.expand_path
  # should not be used for path normalization. [Bug #3345]
  path = req.path_info.dup.force_encoding(Encoding.find("filesystem"))
  if trailing_pathsep?(req.path_info)
    # File.expand_path removes the trailing path separator.
    # Adding a character is a workaround to save it.
    #  File.expand_path("/aaa/")        #=> "/aaa"
    #  File.expand_path("/aaa/" + "x")  #=> "/aaa/x"
    expanded = File.expand_path(path + "x")
    expanded.chop!  # remove trailing "x"
  else
    expanded = File.expand_path(path)
  end
  expanded.force_encoding(req.path_info.encoding)
  req.path_info = expanded
end
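
The normalization step above, re-created on plain strings so its effect on traversal-style input can be checked without a running server. This is an added example, not WEBrick's own code: `normalize_path_info`, `trailing_sep?` and `resolve_under` are hypothetical names, `trailing_sep?` is a stand-in for the private `trailing_pathsep?` helper that the page does not show, and the sample paths are constructed. The results noted in the comments assume a POSIX host, where a backslash is an ordinary file name character rather than a separator.

```ruby
# Added example: names below are hypothetical, not part of WEBrick.

# Stand-in for the private trailing_pathsep? helper (not shown on the page):
# appending a character changes dirname only if the path ends in a separator.
def trailing_sep?(path)
  File.dirname(path) != File.dirname(path + "x")
end

# Same steps as prevent_directory_traversal, applied to a plain string.
def normalize_path_info(path_info)
  path = path_info.dup.force_encoding(Encoding.find("filesystem"))
  if trailing_sep?(path_info)
    expanded = File.expand_path(path + "x") # "x" protects the trailing separator
    expanded.chop!
  else
    expanded = File.expand_path(path)
  end
  expanded.force_encoding(path_info.encoding)
end

# Map a normalized request path onto a document root, then verify containment
# as a second, independent check before any file is opened.
def resolve_under(root, path_info)
  root = File.expand_path(root)
  full = File.join(root, normalize_path_info(path_info))
  inside = full == root || full.start_with?(root + "/")
  raise ArgumentError, "escapes #{root}: #{path_info.inspect}" unless inside
  full
end

# Constructed sample request paths.
SAMPLES = [
  "/docs/index.html",
  "/docs/",                     # trailing separator must survive
  "/docs/../../../etc/passwd",  # ".." cannot climb above "/"
  "/a/./b//c/../d/",            # "." and empty segments collapse
  "/docs/..\\..\\secret.txt",   # backslashes: separators only on Windows
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |p|
    puts format("%-30s -> %s", p.inspect, resolve_under("/srv/www", p))
  end
end
```

On a POSIX host the backslash sample passes through unchanged, which is why the source comment scopes the concern to Windows platforms, where the same bytes act as path separators.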