Use a fully resolved file path when confirming if a file can be served by Rack::Static.

ioquatix · ioquatix · commit 873d39e6d673 · 2025-03-11T10:10:12.000+13:00
diff --git a/lib/rack/static.rb b/lib/rack/static.rb
@@ -122,8 +122,9 @@ def can_serve(path)
 
     def call(env)
       path = env[PATH_INFO]
+      actual_path = Utils.clean_path_info(Utils.unescape_path(path))
 
-      if can_serve(path)
+      if can_serve(actual_path)
         if overwrite_file_path(path)
           env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
         elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
diff --git a/test/spec_static.rb b/test/spec_static.rb
@@ -43,6 +43,12 @@ def static(app, *args)
     res.body.must_match(/ruby/)
   end
 
+  it "does not serve files outside :urls" do
+    res = @request.get("/cgi/../#{File.basename(__FILE__)}")
+    res.must_be :ok?
+    res.body.must_equal "Hello World"
+  end
+
   it "404s if url root is known but it can't find the file" do
     res = @request.get("/cgi/foo")
     res.must_be :not_found?
