Directory traversal in Rack::Directory app bundled with Rack
There was a possible directory traversal vulnerability in the Rack::Directory app
that is bundled with Rack.
Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0
Impact
If certain directories exist in a director that is managed by Rack::Directory, an attacker could, using this vulnerability, read the
contents of files on the server that were outside of the root specified in the
Rack::Directory initializer.
Workarounds
Until such time as the patch is applied or their Rack version is upgraded,
we recommend that developers do not use Rack::Directory in their
applications.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
4 years ago
🚨 Your version of rack has known security vulnerabilities 🚨
Advisory: CVE-2020-8161 Disclosed: May 12, 2020 URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Directory traversal in Rack::Directory app bundled with Rack
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ rack (indirect, 2.1.1 → 2.1.3) · Repo · Changelog
Release Notes
2.1.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
bump versionadding a test for directory traversalUse Dir.entries instead of Dir[glob] to prevent user-specified glob metacharactersBump for 2.1.2 releaseUpdate changelog in preparation for 2.1.2Fix multipart parser for special files #1308Fix `use` with kwargsSkip deflating in Rack::Deflater if Content-Length is 0#transform_keys no longer necessary, reverts #1401Fix: Add to_hash to wrap Hash and Session classesHandle case where session id key is requested but it is missingDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands