Zed A. Shaw
2007-Dec-29  02:31 UTC
[Mongrel-development] [SECURITY] Patch For Bug Serving Arbitrary Files
This is a proposed patch for the security hole reported today.  You can
just add the test for @path being at index 0 in the expanded req_path as
shown below.  Take heed of the comment I've added too, and there was a
test for this very attack in the unit test suite, so it was removed by
someone as well.  I didn't test this but I'm pretty sure
it's the fix.
=== lib/mongrel/handlers.rb
=================================================================
--- lib/mongrel/handlers.rb	(revision 6851)
+++ lib/mongrel/handlers.rb	(local)
@@ -132,8 +132,12 @@
       # Add the drive letter or root path
       req_path = File.join(@path, req_path) if @path
       req_path = File.expand_path req_path
-      
-      if File.exist? req_path
+     
+      # do not remove the check for @path at the beginning, it''s what
prevents
+      # the serving of arbitrary files (and good programmer Rule #1
Says: If
+      # you don''t understand something, it''s not because
I''m stupid,
it''s
+      # because you are).
+      if req_path.index(@path) == 0 and File.exist? req_path
         # It exists and it''s in the right location
         if File.directory? req_path
           # The request is for a directory
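Review bot: `req_path.index(@path) == 0` on the new `if` line is a bare string-prefix test, so an expanded path under a sibling directory whose name merely begins with the root's name (the root plus "2/...") still passes; require the separator after the root, e.g. `(req_path == @path or req_path.index(@path + "/") == 0) and File.exist? req_path`, and expand `@path` the same way `req_path` is expanded just above, since a relative or trailing-slash `@path` would otherwise never match the expanded result. The first sentence of the added comment carries the security rationale and is the part worth keeping; the rest reads as a taunt rather than documentation.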
@@ -153,7 +157,7 @@
           return req_path
         end
       else
-        # does not exist or isn''t in the right spot
+        # does not exist or isn''t in the right spot or isn''t
valid
because not start with @path return nil
       end
     end
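Review bot: the reworded comment in this hunk does not parse ("or isn't valid because not start with @path return nil"); the line wrapping looks like a mail-client artifact, but the text itself should say something like `# does not exist, or is not under @path, so return nil`. Since the message notes that the unit test for this exact attack was removed from the suite, this patch should also restore that test so the containment check cannot be silently dropped again.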
-- 
Zed A. Shaw
- Hate: http://savingtheinternetwithhate.com/
- Good: http://www.zedshaw.com/
- Evil: http://yearofevil.com/
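The check the message describes, as an added example rather than Mongrel's own code: `prefix_check_only` mirrors the patch's "root at index 0 of the expanded path" test, and `contained_path` is a hardened variant (an assumption of mine, not part of the patch) that expands the root too and requires the separator after it. The document root and request paths are constructed for illustration.

```ruby
# Constructed document root for the example (not a real deployment path).
DOC_ROOT = "/var/www/site"

# The patch's approach: join the request onto the root, expand the result so
# any ".." segments are resolved, then require that the root string appears
# at index 0 of the expanded path. Returns the path to serve, or nil.
def prefix_check_only(root, req_path)
  full = File.expand_path(File.join(root, req_path))
  full.index(root) == 0 ? full : nil
end

# Hardened variant (assumption, not from the patch): expand the root as well,
# so a relative or trailing-slash root still matches, and require the path
# separator after it, so a sibling directory such as "/var/www/site2" is not
# mistaken for a location inside "/var/www/site".
def contained_path(root, req_path)
  root = File.expand_path(root)
  full = File.expand_path(File.join(root, req_path))
  return full if full == root
  full.start_with?(root + File::SEPARATOR) ? full : nil
end

if __FILE__ == $0
  # Constructed request paths: a normal file, a traversal attempt that
  # escapes the root, and one that lands in a sibling directory whose name
  # starts with the root's name.
  ["index.html", "../../etc/passwd", "../site2/secret"].each do |req|
    puts "#{req.ljust(18)} prefix: #{prefix_check_only(DOC_ROOT, req).inspect}  " \
         "contained: #{contained_path(DOC_ROOT, req).inspect}"
  end
end
```

Both functions reject the traversal that resolves outside the root; only the hardened variant rejects the sibling-directory case, which is why the comparison should be made against the root with a trailing separator.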
