Commit edd05fc4 authored by Douwe Maan's avatar Douwe Maan

Fix directory traversal vulnerability around help pages.

parent 93133f4d
...@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date. ...@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased) v 7.10.0 (unreleased)
- Fix directory traversal vulnerability around uploads routes. - Fix directory traversal vulnerability around uploads routes.
- Fix directory traversal vulnerability around help pages.
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu) - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu) - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
- Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu) - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
...@@ -3,7 +3,7 @@ class HelpController < ApplicationController ...@@ -3,7 +3,7 @@ class HelpController < ApplicationController
end end
def show def show
@filepath = params[:filepath] @filepath = clean_path_info(params[:filepath])
@format = params[:format] @format = params[:format]
respond_to do |format| respond_to do |format|
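Review bot: the new `@filepath = clean_path_info(params[:filepath])` assignment normalizes the parameter, but nothing in this hunk checks that the normalized value still resolves under the help root, and the diff carries no spec for the fix. Suggest a controller spec that requests `show` with a `filepath` containing `..` segments and asserts a 404 rather than file contents, and, since `show` is a public action, making sure `clean_path_info` (defined further down in this class) lands under `private` so it is not exposed as an action itself.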
...@@ -36,4 +36,22 @@ class HelpController < ApplicationController ...@@ -36,4 +36,22 @@ class HelpController < ApplicationController
def ui def ui
end end
# Taken from ActionDispatch::FileHandler
PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
def clean_path_info(path_info)
parts = path_info.split PATH_SEPS
clean = []
parts.each do |part|
next if part.empty? || part == '.'
part == '..' ? clean.pop : clean << part
end
clean.unshift '/' if parts.empty? || parts.first.empty?
::File.join(*clean)
end
end end
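Review bot: `clean.unshift '/' if parts.empty? || parts.first.empty?` deliberately keeps the result absolute when the input begins with a separator, which is correct for a Rack `path_info` but not obviously for a user-supplied `filepath` that is later joined onto the documentation directory; if that join is done with `Pathname#join`, an absolute second component replaces the root rather than being appended, whereas `File.join` simply concatenates. Suggest dropping the leading separator here, or asserting that the final resolved path starts with the doc root, and covering `..`, `//` and backslash-separated inputs (`PATH_SEPS` includes `ALT_SEPARATOR`) in a spec. The `# Taken from ActionDispatch::FileHandler` comment would also be more useful with the Rails version it was copied from, so a future reader can diff it against upstream.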