Directory traversal in Rack::Directory app bundled with Rack
There was a possible directory traversal vulnerability in the Rack::Directory app
that is bundled with Rack.
Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0
Impact
If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the
contents of files on the server that were outside of the root specified in the
Rack::Directory initializer.
Workarounds
Until such time as the patch is applied or their Rack version is upgraded,
we recommend that developers do not use Rack::Directory in their
applications.
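As an added example (not Rack's own code and not part of the advisory), a hardened directory-listing helper in the direction the 2.1.2 commit "Use Dir.entries instead of Dir[glob]" describes: entries are enumerated with Dir.entries rather than by handing a user-controlled path to Dir[], where glob metacharacters would be interpreted, and the resolved path is checked to stay under the configured root. The SafeDirectoryListing class and the temp-directory fixture are assumptions made for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Hardened listing helper (illustrative, not Rack::Directory itself).
# Two layers: reject glob metacharacters up front, and never trust the
# requested path until its realpath is confirmed to sit under the root.
class SafeDirectoryListing
  GLOB_METACHARS = /[*?\[\]{}\\]/

  def initialize(root)
    @root = File.realpath(root)
  end

  # Returns sorted entry names under +rel+ (relative to root), or nil when
  # the request is rejected: metacharacters, not a directory, or a path
  # that resolves outside the root (e.g. via .. or symlinks).
  def list(rel)
    return nil if rel.match?(GLOB_METACHARS)
    path = File.expand_path(rel, @root)
    return nil unless File.directory?(path)
    real = File.realpath(path)
    return nil unless real == @root || real.start_with?(@root + File::SEPARATOR)
    # Dir.entries does no pattern expansion, unlike Dir[] / Dir.glob.
    Dir.entries(real).reject { |e| e == "." || e == ".." }.sort
  end
end

# Constructed fixture: a root with one subdirectory, plus a file that lives
# beside (outside) the root and must never be reachable through the helper.
def with_fixture
  Dir.mktmpdir do |base|
    root = File.join(base, "public")
    FileUtils.mkdir_p(File.join(root, "docs"))
    File.write(File.join(root, "docs", "readme.txt"), "hello")
    File.write(File.join(base, "secret.txt"), "outside root")
    yield SafeDirectoryListing.new(root)
  end
end

if __FILE__ == $PROGRAM_NAME
  with_fixture do |listing|
    puts "docs   -> #{listing.list("docs").inspect}"   # ["readme.txt"]
    puts "..     -> #{listing.list("..").inspect}"     # nil (outside root)
    puts "docs/* -> #{listing.list("docs/*").inspect}" # nil (metacharacter)
  end
end
```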
🚨 We recommend merging and deploying this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your version of rack has known security vulnerabilities 🚨
Advisory: CVE-2020-8161 Disclosed: May 12, 2020 URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
What changed?
↗️ rack (indirect, 2.1.1 → 2.1.3) · Repo · Changelog
Release Notes
2.1.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
bump version
adding a test for directory traversal
Use Dir.entries instead of Dir[glob] to prevent user-specified glob metacharacters
Bump for 2.1.2 release
Update changelog in preparation for 2.1.2
Fix multipart parser for special files #1308
Fix `use` with kwargs
Skip deflating in Rack::Deflater if Content-Length is 0
#transform_keys no longer necessary, reverts #1401
Fix: Add to_hash to wrap Hash and Session classes
Handle case where session id key is requested but it is missing