aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_view
diff options
context:
space:
mode:
authorJosé Valim <jose.valim@gmail.com>2010-11-28 22:26:16 +0100
committerAaron Patterson <aaron.patterson@gmail.com>2011-02-08 14:04:19 -0800
commitb93c590297ba65a6c5b18655a7790163abcb06f1 (patch)
tree3bf754e587dd7540d328d0c64c9b036d8d48a5a8 /actionpack/lib/action_view
parent3ddd7f7ec9b156e4b7de4c23d448c2db98f30504 (diff)
downloadrails-b93c590297ba65a6c5b18655a7790163abcb06f1.tar.gz
rails-b93c590297ba65a6c5b18655a7790163abcb06f1.tar.bz2
rails-b93c590297ba65a6c5b18655a7790163abcb06f1.zip
Ensure render is case sensitive even on systems with case-insensitive filesystems.
This fixes CVE-2011-0449
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r--actionpack/lib/action_view/template/resolver.rb15
1 files changed, 12 insertions, 3 deletions
diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index d23aa5ef85..5bf928c62e 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -113,14 +113,23 @@ module ActionView
query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
end
- Dir[query].reject { |p| File.directory?(p) }.map do |p|
- handler, format = extract_handler_and_format(p, formats)
+ query.gsub!(/\{\.html,/, "{.html,.text.html,")
+ query.gsub!(/\{\.text,/, "{.text,.text.plain,")
+
+ templates = []
+ sanitizer = Hash.new { |h,k| h[k] = Dir["#{File.dirname(k)}/*"] }
+
+ Dir[query].each do |p|
+ next if File.directory?(p) || !sanitizer[p].include?(p)
+ handler, format = extract_handler_and_format(p, formats)
contents = File.open(p, "rb") {|io| io.read }
- Template.new(contents, File.expand_path(p), handler,
+ templates << Template.new(contents, File.expand_path(p), handler,
:virtual_path => path, :format => format, :updated_at => mtime(p))
end
+
+ templates
end
# Returns the file mtime from the filesystem.