Ruby 获取Sinatra处理程序中的实际编码url,splat已断开
如何获取传递给Sinatra中处理程序的实际编码URL 我有一个类似的url-注意,后面有一个编码的双斜杠Ruby 获取Sinatra处理程序中的实际编码url,splat已断开,ruby,sinatra,rack,urlencode,Ruby,Sinatra,Rack,Urlencode,如何获取传递给Sinatra中处理程序的实际编码URL 我有一个类似的url-注意,后面有一个编码的双斜杠 http://someplace.com/thing/blah/%2F%2Fxxx.png get '/thing/*/*' do begin # would like this to work but it does not. Sinatra 1.4.4, ruby 2.0.0 first = CGI.unescape(params[:splat
http://someplace.com/thing/blah/%2F%2Fxxx.png
get '/thing/*/*' do
begin
# would like this to work but it does not. Sinatra 1.4.4, ruby 2.0.0
first = CGI.unescape(params[:splat][0])
path = CGI.unescape(params[:splat][1])
# path does NOT have a double // (%2F%2F),
# it has all of them ripped off by some rack code, I think
# TRY get actual URL and parse by myself...
the_url = request.url # this is already urldecoded and is missing the double //
the_query_path = request.env["rack.request.query_string"]; # blank for me?
谢谢
好吧,我知道,那份报告是6个月前我写的。正如您所见,他们在splat上添加了保护,以阻止攻击者攻击您的文件系统
在应用程序配置部分:
set :protection, :except => :path_traversal
现在你失去了保护。。。在我的例子中,路径与ruby服务器不在同一台机器上
知道如何获取服务器被击中的实际url仍然很方便,可能是机架环境的问题