diff options
| author | bogdanvlviv <bogdanvlviv@gmail.com> | 2017-05-15 14:17:28 +0000 |
|---|---|---|
| committer | bogdanvlviv <bogdanvlviv@gmail.com> | 2017-05-23 00:53:51 +0300 |
| commit | 40bdbce191ad90dfea43dad51fac5c4726b89392 (patch) | |
| tree | a6c6d8369874775cdc6cf1d4b90684490c0198bc /guides/source/security.md | |
| parent | d414881a342d849d65810a037c0b1baff8538e41 (diff) | |
| download | rails-40bdbce191ad90dfea43dad51fac5c4726b89392.tar.gz rails-40bdbce191ad90dfea43dad51fac5c4726b89392.tar.bz2 rails-40bdbce191ad90dfea43dad51fac5c4726b89392.zip | |
Define path with __dir__
".. with __dir__ we can restore order in the Universe." - by @fxn
Related to 5b8738c2df003a96f0e490c43559747618d10f5f
Diffstat (limited to 'guides/source/security.md')
| -rw-r--r-- | guides/source/security.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 1fcb2fc91f..75522834df 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -356,7 +356,7 @@ send_file('/var/www/uploads/' + params[:filename]) Simply pass a file name like "../../../etc/passwd" to download the server's login information. A simple solution against this, is to _check that the requested file is in the expected directory_: ```ruby -basename = File.expand_path(File.join(File.dirname(__FILE__), '../../files')) +basename = File.expand_path('../../files', __dir__) filename = File.expand_path(File.join(basename, @file.public_filename)) raise if basename != File.expand_path(File.join(File.dirname(filename), '../../../')) |