From 7c9261e4de3a6ab6f20789544c0978103ec544a4 Mon Sep 17 00:00:00 2001
From: gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 18 May 2008 13:33:24 +0000
Subject: * lib/webrick/httpservlet/filehandler.rb: should normalize path  
 name in path_info to prevent script disclosure vulnerability on   DOSISH
 filesystems. (fix: CVE-2008-1891)   Note: NTFS/FAT filesystem should not be
 published by the platforms   other than Windows. Pathname interpretation
 (including short   filename) is less than perfect.

* lib/webrick/httpservlet/abstract.rb
  (WEBrick::HTTPServlet::AbstracServlet#redirect_to_directory_uri):
  should escape the value of Location: header.

* lib/webrick/httpservlet/cgi_runner.rb: accept interpreter
  command line arguments.


git-svn-id: http://svn.ruby-lang.org/repos/ruby/trunk@16453 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/webrick/httpservlet/abstract.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/webrick/httpservlet/abstract.rb')

diff --git a/lib/webrick/httpservlet/abstract.rb b/lib/webrick/httpservlet/abstract.rb
index 03861e8fc..5375c4622 100644
--- a/lib/webrick/httpservlet/abstract.rb
+++ b/lib/webrick/httpservlet/abstract.rb
@@ -58,7 +58,7 @@ module WEBrick
 
       def redirect_to_directory_uri(req, res)
         if req.path[-1] != ?/
-          location = req.path + "/"
+          location = WEBrick::HTTPUtils.escape_path(req.path + "/")
           if req.query_string && req.query_string.size > 0
             location << "?" << req.query_string
           end
-- 
cgit