From d1123f2056eff3696ae76e5116a6ab53e6c33f57 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Fri, 10 Oct 2014 16:00:03 -0700
Subject: FileHandler should not be called for files outside the root

FileHandler#matches? should return false for files that are outside the
"root" path.
---
 actionpack/lib/action_dispatch/middleware/static.rb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_dispatch/middleware/static.rb b/actionpack/lib/action_dispatch/middleware/static.rb
index e66c21ef85..002bf8b11a 100644
--- a/actionpack/lib/action_dispatch/middleware/static.rb
+++ b/actionpack/lib/action_dispatch/middleware/static.rb
@@ -24,9 +24,19 @@ module ActionDispatch
       path = URI.parser.unescape(path)
       return false unless path.valid_encoding?
 
-      paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"]
+      paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"].map { |v|
+        Rack::Utils.clean_path_info v
+      }
 
-      if match = paths.detect {|p| File.file?(File.join(@root, p)) }
+      if match = paths.detect { |p|
+        path = File.join(@root, p)
+        begin
+          File.file?(path) && File.readable?(path)
+        rescue SystemCallError
+          false
+        end
+
+      }
         return ::Rack::Utils.escape(match)
       end
     end
-- 
cgit v1.2.3