File CVE-2020-8161.patch of Package rubygem-rack.16422
commit fbb9fd203e69ca9d113c067be78c3b58f005b327
Author: Jack McCracken <jack.mccracken@shopify.com>
Date: Tue May 12 12:23:33 2020 -0400
Use Dir.entries instead of Dir[glob] to prevent user-specified glob metacharacters
[CVE-2020-8161]
(cherry picked from commit dddb7ad18ed79ca6ab06ccc417a169fde451246e)
diff --git a/lib/rack/directory.rb b/lib/rack/directory.rb
index 98d66e02faba..0366eff141b3 100644
--- a/lib/rack/directory.rb
+++ b/lib/rack/directory.rb
@@ -78,13 +78,12 @@ table { width:100%%; }
def list_directory
@files = [['../','Parent Directory','','','']]
- glob = F.join(@path, '*')
url_head = (@script_name.split('/') + @path_info.split('/')).map do |part|
Rack::Utils.escape part
end
- Dir[glob].sort.each do |node|
+ Dir.entries(path).reject { |e| e.start_with?('.') }.sort.each do |node|
stat = stat(node)
next unless stat
basename = F.basename(node)
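Review bot: `stat = stat(node)`, the line after the new `Dir.entries(path)` call, now receives a bare entry name, because `Dir.entries` returns names relative to the directory while the removed `Dir[glob]` returned paths already joined with `@path`. Unless the `stat` helper (defined outside this hunk) joins the directory itself, the lookup would resolve against the process working directory, so entries would either be dropped by `next unless stat` or listed with another file's size and type. Consider `stat = stat(F.join(path, node))`, keeping `node` for `F.basename`. The body of `list_directory` continues past the hunk, so any later use of `node` as a full path needs the same check.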