authorAaron Patterson <aaron.patterson@gmail.com>2016-01-20 10:39:19 -0800
committerAaron Patterson <aaron.patterson@gmail.com>2016-01-22 15:02:27 -0800
commitb7758b40fc035a47f6843158155606d455314c42 (patch)
tree92e2bdb231a7dda8902e0563bdc98867098c298a /actionview/lib/action_view/template/resolver.rb
parent0fde6f554b75b13b0435dd70f1c3ec02bc209e0d (diff)
allow :file to be outside rails root, but anything else must be inside the rails view directory
CVE-2016-0752
Diffstat (limited to 'actionview/lib/action_view/template/resolver.rb')
-rw-r--r--actionview/lib/action_view/template/resolver.rb23
1 files changed, 20 insertions, 3 deletions
diff --git a/actionview/lib/action_view/template/resolver.rb b/actionview/lib/action_view/template/resolver.rb
index 7859c58b43..c92f19689c 100644
--- a/actionview/lib/action_view/template/resolver.rb
+++ b/actionview/lib/action_view/template/resolver.rb
@@ -126,6 +126,12 @@ module ActionView
end
end
+ def find_all_anywhere(name, prefix, partial=false, details={}, key=nil, locals=[])
+ cached(key, [name, prefix, partial], details, locals) do
+ find_templates(name, prefix, partial, details, true)
+ end
+ end
+
def find_all_with_query(query) # :nodoc:
@cache.cache_query(query) { find_template_paths(File.join(@path, query)) }
end
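Review bot: `find_all_with_query` (context line `@cache.cache_query(query) { find_template_paths(File.join(@path, query)) }`) still calls the unfiltered `find_template_paths`, so the new confinement applies only to lookups that go through `query`; if a caller can put `..` segments into `query`, joining it onto `@path` does not by itself keep the result inside the view directory. Consider routing it through the same filter, e.g. `@cache.cache_query(query) { reject_files_external_to_app(find_template_paths(File.join(@path, query))) }`. Separately, `find_all_anywhere` caches under `cached(key, [name, prefix, partial], details, locals)` with no term that records the unrestricted mode; if `cached` keys only on those values and the restricted `find_all` uses the same ones, a result computed in one mode could be served to the other, which is worth confirming against the cache implementation. The method is public but undocumented; marking it `# :nodoc:` like `find_all_with_query` and adding `# Unrestricted lookup used for render :file; templates may live outside @path.` would keep other callers from reaching for it by accident.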
@@ -187,15 +193,16 @@ module ActionView
private
- def find_templates(name, prefix, partial, details)
+ def find_templates(name, prefix, partial, details, outside_app_allowed = false)
path = Path.build(name, prefix, partial)
- query(path, details, details[:formats])
+ query(path, details, details[:formats], outside_app_allowed)
end
- def query(path, details, formats)
+ def query(path, details, formats, outside_app_allowed)
query = build_query(path, details)
template_paths = find_template_paths(query)
+ template_paths = reject_files_external_to_app(template_paths) unless outside_app_allowed
template_paths.map do |template|
handler, format, variant = extract_handler_and_format_and_variant(template, formats)
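Review bot: The new line `template_paths = reject_files_external_to_app(template_paths) unless outside_app_allowed` is the security boundary of this change but says nothing about when bypassing it is legitimate; add above it `# Only the render :file path (find_all_anywhere) may resolve templates outside @path; every other lookup is confined to the view directory.` The `false` default on `find_templates` is the right fail-closed choice, while `query` takes the flag without a default, so every caller must state it explicitly — acceptable since both methods sit below `private`. The body of `query` continues past the end of this hunk.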
@@ -210,6 +217,10 @@ module ActionView
end
end
+ def reject_files_external_to_app(files)
+ files.reject { |filename| !inside_path?(@path, filename) }
+ end
+
def find_template_paths(query)
Dir[query].reject do |filename|
File.directory?(filename) ||
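Review bot: `files.reject { |filename| !inside_path?(@path, filename) }` is a double negative that reads as "reject what is not inside"; the positive form `files.select { |filename| inside_path?(@path, filename) }` states the intent directly and behaves identically. A one-line comment on the method, `# Drops any resolved template path that is not under the resolver's @path.`, would also help, since this is the only place the containment rule is applied. `find_template_paths` continues past the end of this hunk.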
@@ -218,6 +229,12 @@ module ActionView
end
end
+ def inside_path?(path, filename)
+ filename = File.expand_path(filename)
+ path = File.join(path, '')
+ filename.start_with?(path)
+ end
+
# Helper for building query glob string based on resolver's pattern.
def build_query(path, details)
query = @pattern.dup
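Review bot: `inside_path?` normalizes `filename` with `File.expand_path` but compares it against `path` as given, so if `@path` is relative or not canonical (for example containing a `..` segment) the two strings would likely never share a prefix and every template, including ones inside the view directory, would be rejected. Expanding both sides, `path = File.join(File.expand_path(path), '')`, makes the comparison independent of how `@path` was spelled. Note that `File.expand_path` does not resolve symlinks, so a symlink under the view directory that points elsewhere still passes; whether that is intended is a policy choice worth recording on the method, e.g. `# Lexical containment check: collapses '..' and '.' but does not resolve symlinks.`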