SUSE has issued an advisory today (June 11):
The issue is fixed upstream in 2.2.0.
Fixed upstream in 2.2.0
I have backported the fix ruby-sinatra-22.214.171.124-1.1.mga8 and it seems obvious enough but I didn't have time to find out how to use sinatra to reproduce the problem.
Fixed upstream in 2.2.0 =>
Installed ruby-sinatra and tried out the simplest examples at https://www.devdungeon.com/content/ruby-sinatra-tutorial#toc-1. These all involved short scripts which launched a WEBrick::HTTP server in a terminal which managed the default localhost:4567 port. Texts appeared in the browser on a Return or could be read in another terminal using:
$ curl http://localhost:4567/
The json facility was also used at one point.
The data could be supplied by the server script or a local file. Created a 'public' directory relative to the current directory but nothing appeared in that.
This was a typical script:
require 'sinatra'
get '/' do
  send_file 'test.txt', :disposition => 'attachment', :filename => 'receive.txt'
end
That is as far as it could be taken with no experience of web programming, HTML templates and such, and no possibility of checking the specific issue addressed by this bug.
Updated the package and ran the same primitive tests. All worked as expected.
Assigning OK on the basis of this.
The vulnerability is for static files, I verified static files still work with:
mkdir public; echo bar > public/foo.html
ruby -rsinatra -e "get '/' do 'Hello world'; end"&
But I didn't understand how to trigger the vulnerability as I get a 400 Bad Request when I try some fancy paths (like '../../etc/hosts') even before the update.
I looked more into it and the error I get is from webrick's normalize_path. It does not seem possible to reproduce the vulnerability using webrick, so it would need something more complicated using a 'sinatra/base' app as a CGI.
I tried the following:
require 'sinatra/base'
class MyApp < Sinatra::Base
  get('/') { 'Hello world' }   # route body not shown in the comment
end
Rack::Handler::CGI.run MyApp   # assumed: the app served as CGI, as the comment describes
$ REQUEST_METHOD=GET PATH_INFO=/../../etc/hosts ruby t2.rb
But I am getting a 404.
"REQUEST_METHOD=GET PATH_INFO=/foo.html ruby t2.rb" works.
Debugging more, the extra ../ get dropped before reaching sinatra, even if I couldn't find the code doing so in Rack.
So I still have no idea which setup would make that vulnerability possible and can't trigger it.
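The containment check that this class of static-file bug is about, as an added example that is not Sinatra's code and not part of this bug report: a naive resolver that joins the decoded request path onto the public directory next to a hardened one that canonicalises the result and refuses anything outside the root. The function names, the throwaway file tree and the request paths are constructed for illustration. It runs without a web server, which matters here: the comments above found that webrick and rack normalised "../" away before the app saw it, so the check has to live in the app regardless of what the front end does.

```ruby
require 'tmpdir'
require 'fileutils'

# Minimal percent-decoding, so the example needs no web framework.
# (Hypothetical helper; a real app gets this from Rack/Sinatra.)
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Naive resolver: decode, join onto public_dir, serve whatever exists.
# File.join("pub", "/../x") => "pub/../x", which the OS happily opens.
def naive_static_path(public_dir, path_info)
  path = File.join(public_dir, percent_decode(path_info))
  File.file?(path) ? path : nil
end

# Hardened resolver: reject NUL bytes, canonicalise with File.expand_path,
# then insist the absolute result is the root itself or lives beneath it.
def safe_static_path(public_dir, path_info)
  decoded = percent_decode(path_info)
  return nil if decoded.include?("\0")
  root = File.expand_path(public_dir)
  path = File.expand_path(File.join(root, decoded))
  return nil unless path == root || path.start_with?(root + File::SEPARATOR)
  File.file?(path) ? path : nil
end

# Build a constructed tree (public/foo.html plus a secret.txt one level up)
# and run both resolvers over a set of request paths.
# Returns { path_info => [naive_result, safe_result] }, paths relative to the tmpdir.
def traversal_demo
  Dir.mktmpdir do |dir|
    public_dir = File.join(dir, 'public')
    FileUtils.mkdir_p(public_dir)
    File.write(File.join(public_dir, 'foo.html'), "bar\n")
    File.write(File.join(dir, 'secret.txt'), "not for the web\n")

    requests = [
      '/foo.html',            # legitimate static file
      '/../secret.txt',       # plain traversal (a front end may strip this)
      '/%2e%2e/secret.txt',   # encoded dots survive naive normalisation
      '/..%2fsecret.txt'      # encoded slash, same effect after decoding
    ]
    requests.to_h do |path_info|
      naive = naive_static_path(public_dir, path_info)
      safe  = safe_static_path(public_dir, path_info)
      [path_info, [naive && naive.delete_prefix(dir), safe && safe.delete_prefix(dir)]]
    end
  end
end

if __FILE__ == $0
  traversal_demo.each do |req, (naive, safe)|
    puts format('%-22s naive=%-24s safe=%s', req, naive.inspect, safe.inspect)
  end
end
```

The naive resolver returns `public/../secret.txt` for all three traversal forms, because `File.file?` lets the kernel resolve the `..`; the hardened one returns nil for them and still serves `foo.html`. Note that `File.expand_path` does not follow symlinks, so a symlink inside the public directory pointing outside it would still be served; use `File.realpath` on the result as well if that is a concern.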
A valiant attempt, Pascal.
Validating on the basis of Comment 3.
An update for this issue has been pushed to the Mageia Updates repository.