Reply to post: Re: #include <DolanDuck.h>

Authy 2FA app popped by simple, secret, code

Michael Wojcik Silver badge

Re: #include <DolanDuck.h>

Sinatra is a Ruby gem that provides a DSL for creating simple web apps. It's the new Perl for the new CGI. The fact that we didn't need new versions of either of those things is immaterial; everyone knows DSLs are Good In Themselves.

Rack::Protection (not "rack-protection"; Darren seems to have copied that from Egor's blog post) is a Ruby gem for Rack, Rails, and other frameworks that's supposed to prevent "common" web vulnerabilities. Sinatra uses it unless told not to. As Egor points out, this is Yet Another case where adding "security software" reduces security. It turns out the Ruby communities bullets are not so silver after all. Shocking!

I haven't investigated it, but I suspect the problem is that Rack::Protection is removing the URL-encoding of the "." characters and then normalizing the Request-URI, so the "../" part of the token ends up removing the previous element from the abs_path.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon