diff options
author | schneems <richard.schneeman@gmail.com> | 2014-08-18 11:20:06 -0500 |
---|---|---|
committer | schneems <richard.schneeman@gmail.com> | 2014-08-27 13:03:08 -0500 |
commit | 0b1a87f73cca3da23b65f3dfb19daeac436ab2ee (patch) | |
tree | a5e04e8b52c47c007dee4861c5f26383674ff9d7 /actionpack/lib | |
parent | 5bcd5a32abf14b371424131dce819139de09c74c (diff) | |
download | rails-0b1a87f73cca3da23b65f3dfb19daeac436ab2ee.tar.gz rails-0b1a87f73cca3da23b65f3dfb19daeac436ab2ee.tar.bz2 rails-0b1a87f73cca3da23b65f3dfb19daeac436ab2ee.zip |
Refactor out Dir.glob from ActionDispatch::Static
Dir.glob can be a security concern. The original use was to provide logic of fallback files. Example a request to `/` should render the file from `/public/index.html`. We can replace the dir glob with the specific logic it represents. The glob {,index,index.html} will look for the current path, then in the directory of the path with index file and then in the directory of the path with index.html. This PR replaces the glob logic by manually checking each potential match. Best case scenario this results in one less file API request, worst case, this has one more file API request.
Related to #16464
Update: added a test for when a file of a given name (`public/bar.html` and a directory `public/bar` both exist in the same root directory. Changed logic to accommodate this scenario.
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/static.rb | 25 |
1 files changed, 5 insertions, 20 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/static.rb b/actionpack/lib/action_dispatch/middleware/static.rb index 0733132277..e66c21ef85 100644 --- a/actionpack/lib/action_dispatch/middleware/static.rb +++ b/actionpack/lib/action_dispatch/middleware/static.rb @@ -21,17 +21,13 @@ module ActionDispatch end def match?(path) - path = unescape_path(path) + path = URI.parser.unescape(path) return false unless path.valid_encoding? - full_path = path.empty? ? @root : File.join(@root, escape_glob_chars(path)) - paths = "#{full_path}#{ext}" + paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"] - matches = Dir[paths] - match = matches.detect { |m| File.file?(m) } - if match - match.sub!(@compiled_root, '') - ::Rack::Utils.escape(match) + if match = paths.detect {|p| File.file?(File.join(@root, p)) } + return ::Rack::Utils.escape(match) end end @@ -57,18 +53,7 @@ module ActionDispatch private def ext - @ext ||= begin - ext = ::ActionController::Base.default_static_extension - "{,#{ext},/index#{ext}}" - end - end - - def unescape_path(path) - URI.parser.unescape(path) - end - - def escape_glob_chars(path) - path.gsub(/[*?{}\[\]]/, "\\\\\\&") + ::ActionController::Base.default_static_extension end def content_type(path) |