Fix directory traversal vulnerability around help pages.

edd05fc4 · Douwe Maan · 93133f4d · edd05fc4 · edd05fc4
Commit edd05fc4 authored Apr 10, 2015 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 1 deletion

CHANGELOG CHANGELOG +1 -0

app/controllers/help_controller.rb app/controllers/help_controller.rb +19 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.

 v 7.10.0 (unreleased)
  - Fix directory traversal vulnerability around uploads routes.
+  - Fix directory traversal vulnerability around help pages.
  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
  - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
  - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)

--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
@@ -3,7 +3,7 @@ class HelpController < ApplicationController
  end

  def show
-    @filepath = params[:filepath]
+    @filepath = clean_path_info(params[:filepath])
    @format = params[:format]

    respond_to do |format|
@@ -36,4 +36,22 @@ class HelpController < ApplicationController

  def ui
  end
+
+  # Taken from ActionDispatch::FileHandler
+  PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
+
+  def clean_path_info(path_info)
+    parts = path_info.split PATH_SEPS
+
+    clean = []
+
+    parts.each do |part|
+      next if part.empty? || part == '.'
+      part == '..' ? clean.pop : clean << part
+    end
+
+    clean.unshift '/' if parts.empty? || parts.first.empty?
+
+    ::File.join(*clean)
+  end
 end