Class: Rack::Protection::PathTraversal

Inherits:

Base

• Object
• Base
• Rack::Protection::PathTraversal

Defined in:

lib/rack/protection/path_traversal.rb

Overview

Prevented attack

Directory traversal

Supported browsers

all

More infos

en.wikipedia.org/wiki/Directory_traversal

Unescapes ‘/’ and ‘.’, expands path_info. Thus GET /foo/%2e%2e%2fbar becomes GET /bar.

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary

• #call(env) ⇒ Object
• #cleanup(path) ⇒ Object

Methods inherited from Base

#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #initialize, #random_string, #react, #referrer, #safe?, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#call(env) ⇒ Object

# File 'lib/rack/protection/path_traversal.rb', line 13

def call(env)
  path_was         = env["PATH_INFO"]
  env["PATH_INFO"] = cleanup path_was
  app.call env
ensure
  env["PATH_INFO"] = path_was
end

#cleanup(path) ⇒ Object

# File 'lib/rack/protection/path_traversal.rb', line 21

def cleanup(path)
  return cleanup("/" << path)[1..-1] unless path[0] == ?/
  escaped = ::File.expand_path path.gsub('%2e', '.').gsub('%2f', '/')
  escaped << '/' if escaped[-1] != ?/ and path =~ /\/\.{0,2}$/
  escaped.gsub /\/\/+/, '/'
end