[ruby-cvs:68584] normal:r61401 (trunk): webrick/httpservlet/*handler: use File.open

normal at ruby-lang.org
Fri Dec 22 10:08:00 JST 2017


normal	2017-12-22 10:08:00 +0900 (Fri, 22 Dec 2017)

  New Revision: 61401

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=61401

  Log:
    webrick/httpservlet/*handler: use File.open
    
    This makes future code audits easier.  None of these changes
    fix realistic remote code execution vulnerabilities because
    we stat(2) before attempting Kernel#open.
    
    * lib/webrick/httpservlet/erbhandler.rb (do_GET): use File.open
    * lib/webrick/httpservlet/filehandler.rb (do_GET): use File.open
      (make_partial_content): ditto
      [Misc #14216]

  Modified files:
    trunk/lib/webrick/httpservlet/erbhandler.rb
    trunk/lib/webrick/httpservlet/filehandler.rb
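As an added example (not code from this commit or from WEBrick itself), a small Ruby file-serving helper that follows the pattern the log describes: stat(2) the resolved path first, then read it with File.open rather than Kernel#open, so a path beginning with "|" is only ever an (unlikely) file name and never a command to spawn. The helper names `serve_file`, `opens_as_plain_file?` and `demo` are assumptions chosen for illustration.

```ruby
# Added example, not WEBrick code: stat-then-File.open file serving.
# Kernel#open treats a leading "|" as "run this command"; File.open does not,
# which is why the commit prefers it even though WEBrick stats first.
require "tmpdir"

# Hypothetical helper: returns the contents of rel_path under root, or nil
# when the path escapes the root or is not a readable regular file.
def serve_file(root, rel_path)
  root = File.expand_path(root)
  full = File.expand_path(rel_path, root)
  # Refuse anything that normalises to a location outside the document root.
  return nil unless full.start_with?(root + File::SEPARATOR)
  st = begin
    File.stat(full)          # stat(2) before opening, as WEBrick's do_GET does
  rescue SystemCallError
    return nil
  end
  return nil unless st.file? && st.readable?
  File.open(full, "rb") { |io| io.read }   # never Kernel#open on a request path
end

# Hypothetical check of the File.open guarantee the commit relies on:
# a pipe-prefixed string is a plain file name, so it fails with ENOENT
# instead of being executed.
def opens_as_plain_file?(name)
  File.open(name, "rb") { |io| io.read }
  true
rescue Errno::ENOENT
  false
end

# Runs the helper against a constructed document root and returns the results.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "index.html"), "<h1>hi</h1>")   # constructed sample
    Dir.mkdir(File.join(dir, "assets"))
    results = {}
    results[:ok]        = serve_file(dir, "index.html")
    results[:traversal] = serve_file(dir, "../../etc/passwd")
    results[:pipe]      = serve_file(dir, "|echo hi")
    results[:dir]       = serve_file(dir, "assets")
    Dir.chdir(dir) { results[:raw_pipe] = opens_as_plain_file?("|echo hi") }
    results
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```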

