image_vise 0.0.21 → 0.0.22
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/image_vise.gemspec +2 -2
- data/lib/image_vise/image_request.rb +3 -2
- data/lib/image_vise/render_engine.rb +2 -1
- data/lib/image_vise.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fd846193c9dfec3d6a6489d87a2145eeb602a02c
|
|
4
|
+
data.tar.gz: 5d0cf54a6245a0c345517e9a5eca524f0621d6f0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7e818b5aa0a04154d248f94a29d95e923ca995cc009115004f86cbfb636136b5f88c9b94b9da568a623832bb1bc230b0cd35688bd67410e8237f512f75c912ba
|
|
7
|
+
data.tar.gz: c0a1e0fb980a1f2b92a5b337d4ccf9051ffc0d52358a14cc6e9ab7a46e28f1c32c35354621a54de2f1c1e780a7d843ce33ff6659acd4428c8b96d0959994dba0
|
data/image_vise.gemspec
CHANGED
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
# DO NOT EDIT THIS FILE DIRECTLY
|
|
3
3
|
# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
|
|
4
4
|
# -*- encoding: utf-8 -*-
|
|
5
|
-
# stub: image_vise 0.0.
|
|
5
|
+
# stub: image_vise 0.0.22 ruby lib
|
|
6
6
|
|
|
7
7
|
Gem::Specification.new do |s|
|
|
8
8
|
s.name = "image_vise"
|
|
9
|
-
s.version = "0.0.
|
|
9
|
+
s.version = "0.0.22"
|
|
10
10
|
|
|
11
11
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
12
12
|
s.require_paths = ["lib"]
|
|
@@ -25,8 +25,9 @@ class ImageVise::ImageRequest < Ks.strict(:src_url, :pipeline)
|
|
|
25
25
|
|
|
26
26
|
src_url = URI.parse(src_url)
|
|
27
27
|
if src_url.scheme == 'file'
|
|
28
|
+
file_path = URI.decode(src_url.path)
|
|
28
29
|
raise URLError, "#{src_url} not permitted since filesystem access is disabled" if allowed_filesystem_patterns.empty?
|
|
29
|
-
raise URLError, "#{src_url} is not on the path whitelist" unless allowed_path?(allowed_filesystem_patterns,
|
|
30
|
+
raise URLError, "#{src_url} is not on the path whitelist" unless allowed_path?(allowed_filesystem_patterns, file_path)
|
|
30
31
|
elsif src_url.scheme != 'file'
|
|
31
32
|
raise URLError, "#{src_url} is not permitted as source" unless permitted_source_hosts.include?(src_url.host)
|
|
32
33
|
end
|
|
@@ -55,7 +56,7 @@ class ImageVise::ImageRequest < Ks.strict(:src_url, :pipeline)
|
|
|
55
56
|
private
|
|
56
57
|
|
|
57
58
|
def self.allowed_path?(filesystem_glob_patterns, path_to_check)
|
|
58
|
-
expanded_path = File.expand_path(path_to_check)
|
|
59
|
+
expanded_path = File.realpath(File.expand_path(path_to_check))
|
|
59
60
|
filesystem_glob_patterns.any? {|pattern| File.fnmatch?(pattern, expanded_path) }
|
|
60
61
|
end
|
|
61
62
|
|
|
@@ -234,7 +234,8 @@ class ImageVise::RenderEngine
|
|
|
234
234
|
|
|
235
235
|
def copy_path_into_tempfile(path_on_filesystem)
|
|
236
236
|
tf = binary_tempfile
|
|
237
|
-
File.
|
|
237
|
+
real_path_on_filesystem = File.realpath(File.expand_path(path_on_filesystem))
|
|
238
|
+
File.open(real_path_on_filesystem, 'rb') do |f|
|
|
238
239
|
IO.copy_stream(f, tf)
|
|
239
240
|
end
|
|
240
241
|
tf.rewind; tf
|
data/lib/image_vise.rb
CHANGED