
Index: rack-2.0.8/lib/rack/static.rb
===================================================================
--- rack-2.0.8.orig/lib/rack/static.rb
+++ rack-2.0.8/lib/rack/static.rb
@@ -116,8 +116,9 @@ module Rack
 
     def call(env)
       path = env[PATH_INFO]
+      actual_path = Utils.clean_path_info(Utils.unescape_path(path))
 
-      if can_serve(path)
+      if can_serve(actual_path)
         if overwrite_file_path(path)
           env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
         elsif @gzip && env['HTTP_ACCEPT_ENCODING'] =~ /\bgzip\b/
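Review bot: The guard on the new line `if can_serve(actual_path)` tests the unescaped and cleaned path, but the two lines that follow still pass the raw `path` to `overwrite_file_path` and to the `@urls[path]` / `add_index_root?(path)` lookup, so a request whose raw spelling differs from its canonical form (a `.` or `..` segment, or percent-encoding) can now pass the guard and then miss the overwrite/index mapping it would have matched in canonical form. If `overwrite_file_path` keys its `@urls` hash lookup on the exact string (its definition and the rest of `call` are outside this hunk, so this is inferred), the check and the mapping should agree on one form: `if overwrite_file_path(actual_path)` and `env[PATH_INFO] = (add_index_root?(actual_path) ? actual_path + @index : @urls[actual_path])`. Either way a one-line comment above the new assignment would help the next reader, e.g. `# Match against the canonical form so encoded or dotted segments cannot bypass the :urls check`. Note that `Utils.unescape_path` decodes once; a doubly-encoded segment is still matched literally, which is consistent with how the file server downstream interprets it but worth stating in the comment.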
Index: rack-2.0.8/test/spec_static.rb
===================================================================
--- rack-2.0.8.orig/test/spec_static.rb
+++ rack-2.0.8/test/spec_static.rb
@@ -39,6 +39,12 @@ describe Rack::Static do
     res.body.must_match(/ruby/)
   end
 
+  it "does not serve files outside :urls" do
+    res = @request.get("/cgi/../#{File.basename(__FILE__)}")
+    res.must_be :ok?
+    res.body.must_equal "Hello World"
+  end
+
   it "404s if url root is known but it can't find the file" do
     res = @request.get("/cgi/foo")
     res.must_be :not_found?
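Review bot: The new "does not serve files outside :urls" test exercises only the literal `..` form of the request, whereas the fix it covers also percent-decodes before cleaning, so the decoding step has no test of its own; a second example with the dot segment percent-encoded would pin both halves of the change. The assertions `res.must_be :ok?` and `res.body.must_equal "Hello World"` establish that the request fell through to the wrapped app rather than the file server, which relies on the fallback app defined earlier in this spec (outside the hunk) returning that body; a short comment such as `# falls through to the app: the cleaned path is not under /cgi` would make that intent explicit for readers who do not see the setup.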