Properly escape glob characters.

5f94b932 · Aaron Patterson · bfc43257 · 5f94b932 · 5f94b932 · 5f94b932
3 changed file
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -142,8 +142,12 @@ def query(path, details, formats)
    # Helper for building query glob string based on resolver's pattern.
    def build_query(path, details)
      query = @pattern.dup
-      query.gsub!(/\:prefix(\/)?/, path.prefix.empty? ? "" : "#{path.prefix}\\1") # prefix can be empty...
-      query.gsub!(/\:action/, path.partial? ? "_#{path.name}" : path.name)
+      prefix = path.prefix.empty? ? "" : "#{escape_entry(path.prefix)}\\1"
+      query.gsub!(/\:prefix(\/)?/, prefix)
+      partial = escape_entry(path.partial? ? "_#{path.name}" : path.name)
+      query.gsub!(/\:action/, partial)
      details.each do |ext, variants|
        query.gsub!(/\:#{ext}/, "{#{variants.compact.uniq.join(',')}}")
@@ -152,6 +156,10 @@ def build_query(path, details)
      File.expand_path(query, @path)
    end
+    def escape_entry(entry)
+      entry.gsub(/(\*|\[|\]|\{|\}|\?)/, "\\\\\\1")
+    end
    # Returns the file mtime from the filesystem.
    def mtime(p)
      File.mtime(p)
@@ -228,8 +236,9 @@ def eql?(resolver)
  class OptimizedFileSystemResolver < FileSystemResolver #:nodoc:
    def build_query(path, details)
      exts = EXTENSIONS.map { |ext| details[ext] }
+      query = escape_entry(File.join(@path, path))
-      File.join(@path, path) + exts.map { |ext|
+      query + exts.map { |ext|
        "{#{ext.compact.uniq.map { |e| ".#{e}," }.join}}"
      }.join
    end

--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -405,6 +405,14 @@ def render_with_explicit_template
    render :template => "test/hello_world"
  end
+  def render_with_explicit_unescaped_template
+    render :template => "test/h*llo_world"
+  end
+  def render_with_explicit_escaped_template
+    render :template => "test/hello_w*rld"
+  end
  def render_with_explicit_string_template
    render "test/hello_world"
  end
@@ -1057,6 +1065,12 @@ def test_render_with_explicit_template
    assert_response :success
  end
+  def test_render_with_explicit_unescaped_template
+    assert_raise(ActionView::MissingTemplate) { get :render_with_explicit_unescaped_template }
+    get :render_with_explicit_escaped_template
+    assert_equal "Hello w*rld!", @response.body
+  end
  def test_render_with_explicit_string_template
    get :render_with_explicit_string_template
    assert_equal "<html>Hello world!</html>", @response.body

--- a/actionpack/test/fixtures/test/hello_w*rld.erb
+++ b/actionpack/test/fixtures/test/hello_w*rld.erb
+Hello w*rld!
\ No newline at end of file