From 4dacedf983257aef38a8ebedb2d9a9c8fead8238 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 5 Nov 2014 15:37:36 -0800
Subject: [PATCH] correctly escape backslashes in request path globs

Conflicts:
	actionpack/lib/action_dispatch/middleware/static.rb

make sure that unreadable files are also not leaked

CVE-2014-7829

Conflicts:
	actionpack/lib/action_dispatch/middleware/static.rb
---
 .../lib/action_dispatch/middleware/static.rb       |  6 ++--
 actionpack/test/dispatch/static_test.rb            | 41 ++++++++++++++++++++++
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/actionpack/lib/action_dispatch/middleware/static.rb b/actionpack/lib/action_dispatch/middleware/static.rb
index 4c46283..0276be3 100644
--- a/actionpack/lib/action_dispatch/middleware/static.rb
+++ b/actionpack/lib/action_dispatch/middleware/static.rb
@@ -15,7 +15,7 @@ module ActionDispatch
       paths = "#{full_path}#{ext}"
 
       matches = Dir[paths]
-      match = matches.detect { |m| File.file?(m) }
+      match = matches.detect { |m| File.file?(m) && File.readable?(m) }
       if match
         match.sub!(@compiled_root, '')
         ::Rack::Utils.escape(match)
@@ -38,7 +38,8 @@ module ActionDispatch
     end
 
     def escape_glob_chars(path)
-      path.gsub(/[*?{}\[\]]/, "\\\\\\&")
+      path.force_encoding('binary') if path.respond_to? :force_encoding
+      path.gsub(/[*?{}\[\]\\]/, "\\\\\\&")
     end
 
     private
@@ -46,6 +47,7 @@ module ActionDispatch
     PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact)
 
     def clean_path_info(path_info)
+      path_info.force_encoding('binary') if path_info.respond_to? :force_encoding
       parts = path_info.split PATH_SEPS
 
       clean = []
diff --git a/actionpack/test/dispatch/static_test.rb b/actionpack/test/dispatch/static_test.rb
index f225b02..c5bb406 100644
--- a/actionpack/test/dispatch/static_test.rb
+++ b/actionpack/test/dispatch/static_test.rb
@@ -1,4 +1,5 @@
 require 'abstract_unit'
+require 'fileutils'
 require 'rbconfig'
 
 module StaticTests
@@ -145,6 +146,46 @@ class StaticTest < ActiveSupport::TestCase
 
   include StaticTests
 
+  def test_custom_handler_called_when_file_is_not_readable
+    filename = 'unreadable.html.erb'
+    target = File.join(@root, filename)
+    FileUtils.touch target
+    File.chmod 0200, target
+    assert File.exist? target
+    assert !File.readable?(target)
+    path = "/#{filename}"
+    env = {
+      "REQUEST_METHOD"=>"GET",
+      "REQUEST_PATH"=> path,
+      "PATH_INFO"=> path,
+      "REQUEST_URI"=> path,
+      "HTTP_VERSION"=>"HTTP/1.1",
+      "SERVER_NAME"=>"localhost",
+      "SERVER_PORT"=>"8080",
+      "QUERY_STRING"=>""
+    }
+    assert_equal(DummyApp.call(nil), @app.call(env))
+  ensure
+    File.unlink target
+  end
+
+  def test_custom_handler_called_when_file_is_outside_root_backslash
+    filename = 'shared.html.erb'
+    assert File.exist?(File.join(@root, '..', filename))
+    path = "/%5C..%2F#{filename}"
+    env = {
+      "REQUEST_METHOD"=>"GET",
+      "REQUEST_PATH"=> path,
+      "PATH_INFO"=> path,
+      "REQUEST_URI"=> path,
+      "HTTP_VERSION"=>"HTTP/1.1",
+      "SERVER_NAME"=>"localhost",
+      "SERVER_PORT"=>"8080",
+      "QUERY_STRING"=>""
+    }
+    assert_equal(DummyApp.call(nil), @app.call(env))
+  end
+
   def test_custom_handler_called_when_file_is_outside_root
     filename = 'shared.html.erb'
     assert File.exist?(File.join(@root, '..', filename))
-- 
1.9.3 (Apple Git-50)