
ruby-rack-2.0.8-2.mga7.src.rpm

From dddb7ad18ed79ca6ab06ccc417a169fde451246e Mon Sep 17 00:00:00 2001
From: Jack McCracken <jack.mccracken@shopify.com>
Date: Tue, 12 May 2020 12:23:33 -0400
Subject: [PATCH] Use Dir.entries instead of Dir[glob] to prevent
 user-specified glob metacharacters

[CVE-2020-8161]
---
 lib/rack/directory.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/rack/directory.rb b/lib/rack/directory.rb
index 89cfe80..aa4eb02 100644
--- a/lib/rack/directory.rb
+++ b/lib/rack/directory.rb
@@ -103,13 +103,12 @@ table { width:100%%; }
 
     def list_directory(path_info, path, script_name)
       files = [['../','Parent Directory','','','']]
-      glob = ::File.join(path, '*')
 
       url_head = (script_name.split('/') + path_info.split('/')).map do |part|
         Rack::Utils.escape_path part
       end
 
-      Dir[glob].sort.each do |node|
+      Dir.entries(path).reject { |e| e.start_with?('.') }.sort.each do |node|
         stat = stat(node)
         next unless stat
         basename = ::File.basename(node)
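Review bot: `Dir.entries(path)` returns bare entry names, whereas the removed `Dir[glob]` returned paths already prefixed with `path`, so `stat(node)` on the line after the new loop header now receives a name that is no longer anchored at the directory being listed. The `stat` helper is not visible in this hunk, but if it resolves its argument as given, entries will either be skipped by `next unless stat` or be stat'ed relative to the process working directory instead of `path`. Join the name back onto the directory before use, e.g. `full = ::File.join(path, node)` followed by `stat = stat(full)`, and keep `node` only for display and URL building. `::File.basename(node)` then becomes redundant because `node` is already a basename. The body of `list_directory` continues past the end of the hunk, so any later use of `node` as a filesystem path needs the same check.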