aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib
diff options
context:
space:
mode:
authorschneems <richard.schneeman@gmail.com>2014-08-18 11:20:06 -0500
committerschneems <richard.schneeman@gmail.com>2014-08-27 13:03:08 -0500
commit0b1a87f73cca3da23b65f3dfb19daeac436ab2ee (patch)
treea5e04e8b52c47c007dee4861c5f26383674ff9d7 /actionpack/lib
parent5bcd5a32abf14b371424131dce819139de09c74c (diff)
downloadrails-0b1a87f73cca3da23b65f3dfb19daeac436ab2ee.tar.gz
rails-0b1a87f73cca3da23b65f3dfb19daeac436ab2ee.tar.bz2
rails-0b1a87f73cca3da23b65f3dfb19daeac436ab2ee.zip
Refactor out Dir.glob from ActionDispatch::Static
Dir.glob can be a security concern. The original use was to provide logic of fallback files. Example a request to `/` should render the file from `/public/index.html`. We can replace the dir glob with the specific logic it represents. The glob {,index,index.html} will look for the current path, then in the directory of the path with index file and then in the directory of the path with index.html. This PR replaces the glob logic by manually checking each potential match. Best case scenario this results in one less file API request, worst case, this has one more file API request. Related to #16464 Update: added a test for when a file of a given name (`public/bar.html` and a directory `public/bar` both exist in the same root directory. Changed logic to accommodate this scenario.
Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_dispatch/middleware/static.rb25
1 files changed, 5 insertions, 20 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/static.rb b/actionpack/lib/action_dispatch/middleware/static.rb
index 0733132277..e66c21ef85 100644
--- a/actionpack/lib/action_dispatch/middleware/static.rb
+++ b/actionpack/lib/action_dispatch/middleware/static.rb
@@ -21,17 +21,13 @@ module ActionDispatch
end
def match?(path)
- path = unescape_path(path)
+ path = URI.parser.unescape(path)
return false unless path.valid_encoding?
- full_path = path.empty? ? @root : File.join(@root, escape_glob_chars(path))
- paths = "#{full_path}#{ext}"
+ paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"]
- matches = Dir[paths]
- match = matches.detect { |m| File.file?(m) }
- if match
- match.sub!(@compiled_root, '')
- ::Rack::Utils.escape(match)
+ if match = paths.detect {|p| File.file?(File.join(@root, p)) }
+ return ::Rack::Utils.escape(match)
end
end
@@ -57,18 +53,7 @@ module ActionDispatch
private
def ext
- @ext ||= begin
- ext = ::ActionController::Base.default_static_extension
- "{,#{ext},/index#{ext}}"
- end
- end
-
- def unescape_path(path)
- URI.parser.unescape(path)
- end
-
- def escape_glob_chars(path)
- path.gsub(/[*?{}\[\]]/, "\\\\\\&")
+ ::ActionController::Base.default_static_extension
end
def content_type(path)