From dddb7ad18ed79ca6ab06ccc417a169fde451246e Mon Sep 17 00:00:00 2001
From: Jack McCracken <jack.mccracken@shopify.com>
Date: Tue, 12 May 2020 12:23:33 -0400
Subject: [PATCH] Use Dir.entries instead of Dir[glob] to prevent user-specified glob metacharacters [CVE-2020-8161]

---
 lib/rack/directory.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/rack/directory.rb b/lib/rack/directory.rb
index 89cfe80..aa4eb02 100644
--- a/lib/rack/directory.rb
+++ b/lib/rack/directory.rb
@@ -103,13 +103,12 @@ table { width:100%%; }
 def list_directory(path_info, path, script_name)
 files = [['../','Parent Directory','','','']]
- glob = ::File.join(path, '*')
 url_head = (script_name.split('/') + path_info.split('/')).map do |part|
 Rack::Utils.escape_path part
 end
- Dir[glob].sort.each do |node|
+ Dir.entries(path).reject { |e| e.start_with?('.') }.sort.each do |node|
 stat = stat(node)
 next unless stat
 basename = ::File.basename(node)