rubygem-rack/Fix-CVE-2025-27610.patch

From 50caab74fa01ee8f5dbdee7bb2782126d20c6583 Mon Sep 17 00:00:00 2001
From: Samuel Williams <samuel.williams@oriontransfer.co.nz>
Date: Sat, 8 Mar 2025 11:13:39 +1300
Subject: [PATCH] Use a fully resolved file path when confirming if a file can
 be served by `Rack::Static`.

---
 lib/rack/static.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/rack/static.rb b/lib/rack/static.rb
index 8cb58b2..0ea78a1 100644
--- a/lib/rack/static.rb
+++ b/lib/rack/static.rb
@@ -122,8 +122,9 @@ module Rack
 
     def call(env)
       path = env[PATH_INFO]
+      actual_path = Utils.clean_path_info(Utils.unescape_path(path))
 
-      if can_serve(path)
+      if can_serve(actual_path)
         if overwrite_file_path(path)
           env[PATH_INFO] = (add_index_root?(path) ? path + @index : @urls[path])
         elsif @gzip && env['HTTP_ACCEPT_ENCODING'] && /\bgzip\b/.match?(env['HTTP_ACCEPT_ENCODING'])
-- 
2.46.0