method
prevent_directory_traversal
v1_9_3_125 -
Show latest stable
-
0 notes -
Class: WEBrick::HTTPServlet::FileHandler
- 1_8_6_287 (0)
- 1_8_7_72 (0)
- 1_8_7_330 (0)
- 1_9_1_378 (0)
- 1_9_2_180 (0)
- 1_9_3_125 (0)
- 1_9_3_392 (0)
- 2_1_10
- 2_2_9
- 2_4_6
- 2_5_5
- 2_6_3
- What's this?
prevent_directory_traversal(req, res)
private
Hide source
# File lib/webrick/httpservlet/filehandler.rb, line 242 def prevent_directory_traversal(req, res) # Preventing directory traversal on Windows platforms; # Backslashes (0x5c) in path_info are not interpreted as special # character in URI notation. So the value of path_info should be # normalize before accessing to the filesystem. # dirty hack for filesystem encoding; in nature, File.expand_path # should not be used for path normalization. [Bug #3345] path = req.path_info.dup.force_encoding(Encoding.find("filesystem")) if trailing_pathsep?(req.path_info) # File.expand_path removes the trailing path separator. # Adding a character is a workaround to save it. # File.expand_path("/aaa/") #=> "/aaa" # File.expand_path("/aaa/" + "x") #=> "/aaa/x" expanded = File.expand_path(path + "x") expanded.chop! # remove trailing "x" else expanded = File.expand_path(path) end expanded.force_encoding(req.path_info.encoding) req.path_info = expanded end