Issue #15835 has been updated by naruse (Yui NARUSE).

Status changed from Open to Feedback

On Apache with `FollowSymLinks` enabled, it can traverse out of DocumentRoot.
hxxps://httpd.apache.org/docs/2.4/en/urlmapping.html
Therefore it's not a problem.

----------------------------------------
Bug #15835: Path traversal symlink - WEBrick
https://bugs.ruby-lang.org/issues/15835#change-77945

* Author: Dhiraj (Dhiraj Mishra)
* Status: Feedback
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
**Summary:**
A path traversal issue was observed in WEBrick ( WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves static page for the current directory once enabled, however using symlink attacker could view data outside the hosted/running directory.

**Steps to reproduce:**
> mkdir nothing
> cd nothing
> ln -s ../../ symlnk
> ruby -run -ehttpd . -p8080

**Impact:**
This would allow the attacker to view sensitive data outside the root/running directory. 

**Recommendation:**
We can probably educate users about this behavior in the WebBrick documentation and providing a flag/parameter to disable/enable following symlinks.



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>