From 6f80224057803f85b3f448936aae89e742452c3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Sun, 28 Nov 2010 22:26:16 +0100
Subject: [PATCH 2/6] Ensure render is case sensitive even on systems with case-insensitive filesystems. This fixes CVE-2011-0449

---
 actionpack/lib/action_view/template/resolver.rb | 12 +++++++++---
 actionpack/test/controller/render_test.rb | 10 ++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/actionpack/lib/action_view/template/resolver.rb b/actionpack/lib/action_view/template/resolver.rb
index 49e29a2..a508a68 100644
--- a/actionpack/lib/action_view/template/resolver.rb
+++ b/actionpack/lib/action_view/template/resolver.rb
@@ -72,14 +72,20 @@ module ActionView
       query.gsub!(/\{\.html,/, "{.html,.text.html,")
       query.gsub!(/\{\.text,/, "{.text,.text.plain,")
 
-      Dir[query].reject { |p| File.directory?(p) }.map do |p|
-        handler, format = extract_handler_and_format(p, formats)
+      templates = []
+      sanitizer = Hash.new { |h,k| h[k] = Dir["#{File.dirname(k)}/*"] }
+
+      Dir[query].each do |p|
+        next if File.directory?(p) || !sanitizer[p].include?(p)
 
+        handler, format = extract_handler_and_format(p, formats)
         contents = File.open(p, "rb") {|io| io.read }
 
-        Template.new(contents, File.expand_path(p), handler,
+        templates << Template.new(contents, File.expand_path(p), handler,
           :virtual_path => path, :format => format)
       end
+
+      templates
     end
 
     # Extract handler and formats from path. If a format cannot be a found neither
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index 9037a13..c5c79c1 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -130,6 +130,10 @@ class TestController < ActionController::Base
     render :action => "hello_world"
   end
 
+  def render_action_upcased_hello_world
+    render :action => "Hello_world"
+  end
+
   def render_action_hello_world_as_string
     render "hello_world"
   end
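Review bot: The `sanitizer` check in the new loop only validates the case of the basename. `sanitizer[p]` lists `File.dirname(p)` as spelled by the outer glob, and as far as I can tell a literal directory prefix in a glob is used verbatim rather than re-read from disk, so a mis-cased directory component would still be accepted on a case-insensitive filesystem; if the directory part of the template name can come from the rendered string, each path component needs the same listing comparison. Separately, the memoization is keyed by the full file path rather than its directory, so every template in one directory re-globs it; `sanitizer = Hash.new { |h, dir| h[dir] = Dir["#{dir}/*"] }` with `next if File.directory?(p) || !sanitizer[File.dirname(p)].include?(p)` keeps one listing per directory. The enclosing `query` method starts before this hunk.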
@@ -736,6 +740,12 @@ class RenderTest < ActionController::TestCase
     assert_template "test/hello_world"
   end
 
+  def test_render_action_upcased
+    assert_raise ActionView::MissingTemplate do
+      get :render_action_upcased_hello_world
+    end
+  end
+
   # :ported:
   def test_render_action_hello_world_as_string
     get :render_action_hello_world_as_string
-- 
1.7.2
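Review bot: `test_render_action_upcased` presumably passes on a case-sensitive filesystem with or without the resolver change, because `Dir[query]` finds no `Hello_world` file there and `MissingTemplate` is raised regardless, so on such a CI host the new `sanitizer` check is never exercised. A comment such as `# Only meaningful on case-insensitive filesystems; the template on disk is test/hello_world.` above the test would make that limitation explicit. A companion case rendering a mis-cased directory component, e.g. `"Test/hello_world"` next to the existing `assert_template "test/hello_world"`, would also pin down whether the resolver rejects that form. `RenderTest` continues past the end of this hunk.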