authorJosé Valim <jose.valim@gmail.com>2010-11-28 22:26:16 +0100
committerAaron Patterson <aaron.patterson@gmail.com>2011-02-08 14:04:19 -0800
commitb93c590297ba65a6c5b18655a7790163abcb06f1 (patch)
tree3bf754e587dd7540d328d0c64c9b036d8d48a5a8 /actionpack/lib/action_view/template
parent3ddd7f7ec9b156e4b7de4c23d448c2db98f30504 (diff)
downloadrails-b93c590297ba65a6c5b18655a7790163abcb06f1.tar.gz
rails-b93c590297ba65a6c5b18655a7790163abcb06f1.tar.bz2
rails-b93c590297ba65a6c5b18655a7790163abcb06f1.zip
Ensure render is case sensitive even on systems with case-insensitive filesystems.
This fixes CVE-2011-0449
Diffstat (limited to 'actionpack/lib/action_view/template')
-rw-r--r--actionpack/lib/action_view/template/resolver.rb15
1 files changed, 12 insertions, 3 deletions
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index d23aa5ef85..5bf928c62e 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -113,14 +113,23 @@ module ActionView
query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
end
- Dir[query].reject { |p| File.directory?(p) }.map do |p|
- handler, format = extract_handler_and_format(p, formats)
+ query.gsub!(/\{\.html,/, "{.html,.text.html,")
+ query.gsub!(/\{\.text,/, "{.text,.text.plain,")
+
+ templates = []
+ sanitizer = Hash.new { |h,k| h[k] = Dir["#{File.dirname(k)}/*"] }
+
+ Dir[query].each do |p|
+ next if File.directory?(p) || !sanitizer[p].include?(p)
+ handler, format = extract_handler_and_format(p, formats)
contents = File.open(p, "rb") {|io| io.read }
- Template.new(contents, File.expand_path(p), handler,
+ templates << Template.new(contents, File.expand_path(p), handler,
:virtual_path => path, :format => format, :updated_at => mtime(p))
end
+
+ templates
end
# Returns the file mtime from the filesystem.