Ensure render is case sensitive even on systems with case-insensitive filesystems.

This fixes CVE-2011-0449
José Valim
2010-11-28 22:26:16 +01:00
committed by Aaron Patterson
parent 3ddd7f7ec9
commit b93c590297
2 changed files with 22 additions and 3 deletions


@@ -113,14 +113,23 @@ module ActionView
query << '{' << ext.map {|e| e && ".#{e}" }.join(',') << ',}'
end
Dir[query].reject { |p| File.directory?(p) }.map do |p|
handler, format = extract_handler_and_format(p, formats)
query.gsub!(/\{\.html,/, "{.html,.text.html,")
query.gsub!(/\{\.text,/, "{.text,.text.plain,")
templates = []
sanitizer = Hash.new { |h,k| h[k] = Dir["#{File.dirname(k)}/*"] }
Dir[query].each do |p|
next if File.directory?(p) || !sanitizer[p].include?(p)
handler, format = extract_handler_and_format(p, formats)
contents = File.open(p, "rb") {|io| io.read }
Template.new(contents, File.expand_path(p), handler,
templates << Template.new(contents, File.expand_path(p), handler,
:virtual_path => path, :format => format, :updated_at => mtime(p))
end
templates
end
# Returns the file mtime from the filesystem.
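Review bot: The new guard `next if File.directory?(p) || !sanitizer[p].include?(p)` only verifies the on-disk case of the final path component, because `Dir["#{File.dirname(k)}/*"]` lists the directory under whatever spelling `p` already carries and its entries come back with that same prefix; a case mismatch in a directory segment of the query would presumably still pass on a case-insensitive filesystem, so it is worth confirming whether `path` can carry user-influenced directory segments and, if so, repeating the listing check for each component below the view root. The memo hash is also keyed by the full file path rather than its directory, so every candidate template triggers its own `Dir[]` listing; keying on the directory, `sanitizer = Hash.new { |h, dir| h[dir] = Dir["#{dir}/*"] }` together with `!sanitizer[File.dirname(p)].include?(p)`, keeps the same check with one listing per directory. A comment above the hash would record the intent, e.g. `# Dir listing yields on-disk names; exact string comparison rejects matches that Dir[query] only found via case-insensitive lookup`. The enclosing method begins before this hunk.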