image_vise 0.0.21 → 0.0.22
- checksums.yaml +4 -4
- data/image_vise.gemspec +2 -2
- data/lib/image_vise/image_request.rb +3 -2
- data/lib/image_vise/render_engine.rb +2 -1
- data/lib/image_vise.rb +1 -1
- metadata +1 -1
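--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fd846193c9dfec3d6a6489d87a2145eeb602a02c
+data.tar.gz: 5d0cf54a6245a0c345517e9a5eca524f0621d6f0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7e818b5aa0a04154d248f94a29d95e923ca995cc009115004f86cbfb636136b5f88c9b94b9da568a623832bb1bc230b0cd35688bd67410e8237f512f75c912ba
+data.tar.gz: c0a1e0fb980a1f2b92a5b337d4ccf9051ffc0d52358a14cc6e9ab7a46e28f1c32c35354621a54de2f1c1e780a7d843ce33ff6659acd4428c8b96d0959994dba0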
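--- a/data/image_vise.gemspec
+++ b/data/image_vise.gemspec
@@ -2,11 +2,11 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: image_vise 0.0.
+# stub: image_vise 0.0.22 ruby lib
 
 Gem::Specification.new do |s|
 s.name = "image_vise"
-s.version = "0.0.
+s.version = "0.0.22"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.require_paths = ["lib"]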
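--- a/data/lib/image_vise/image_request.rb
+++ b/data/lib/image_vise/image_request.rb
@@ -25,8 +25,9 @@ class ImageVise::ImageRequest < Ks.strict(:src_url, :pipeline)
 
 src_url = URI.parse(src_url)
 if src_url.scheme == 'file'
+file_path = URI.decode(src_url.path)
 raise URLError, "#{src_url} not permitted since filesystem access is disabled" if allowed_filesystem_patterns.empty?
-raise URLError, "#{src_url} is not on the path whitelist" unless allowed_path?(allowed_filesystem_patterns,
+raise URLError, "#{src_url} is not on the path whitelist" unless allowed_path?(allowed_filesystem_patterns, file_path)
 elsif src_url.scheme != 'file'
 raise URLError, "#{src_url} is not permitted as source" unless permitted_source_hosts.include?(src_url.host)
 end
@@ -55,7 +56,7 @@ class ImageVise::ImageRequest < Ks.strict(:src_url, :pipeline)
 private
 
 def self.allowed_path?(filesystem_glob_patterns, path_to_check)
-expanded_path = File.expand_path(path_to_check)
+expanded_path = File.realpath(File.expand_path(path_to_check))
 filesystem_glob_patterns.any? {|pattern| File.fnmatch?(pattern, expanded_path) }
 end
 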
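Review bot: `File.realpath` in `allowed_path?` raises `Errno::ENOENT` (or another `SystemCallError`) when the decoded path does not exist, so a request for a missing file leaves the check as a filesystem exception rather than the `URLError` raised by the surrounding lines. How the caller handles that is outside the hunk, but a different error for "missing" than for "not allowed" tells a client which paths exist. Treating an unresolvable path as not allowed keeps the responses uniform: add `rescue SystemCallError` followed by `false` before the method's `end`. The allowlist globs are matched against the resolved path but are not resolved themselves, so a pattern rooted under a symlinked directory would stop matching, which deserves a comment on the method. In the first hunk, `URI.decode` is marked obsolete in Ruby's standard library and was removed in Ruby 3.0; `URI::DEFAULT_PARSER.unescape(src_url.path)` is the closest like-for-like replacement.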
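--- a/data/lib/image_vise/render_engine.rb
+++ b/data/lib/image_vise/render_engine.rb
@@ -234,7 +234,8 @@ class ImageVise::RenderEngine
 
 def copy_path_into_tempfile(path_on_filesystem)
 tf = binary_tempfile
-File.
+real_path_on_filesystem = File.realpath(File.expand_path(path_on_filesystem))
+File.open(real_path_on_filesystem, 'rb') do |f|
 IO.copy_stream(f, tf)
 end
 tf.rewind; tf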
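Review bot: The path that `copy_path_into_tempfile` opens is resolved a second time here and is not compared with the allowlist again, so the read is only as trustworthy as the earlier `allowed_path?` result was at the moment it ran. If a symlink under an allowed directory changes in between, the open follows the new target; whether the caller already passes a resolved, validated path is not visible in this hunk. Carrying the resolved path from validation into this method, or re-running the allowlist match on `real_path_on_filesystem` before `File.open`, would tie the check to the file actually read. The `File.realpath` call also sits after `tf = binary_tempfile`, so a missing file raises with the tempfile already created; moving the resolution above that line avoids leaving it behind. The method's closing `end` is outside the hunk.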
data/lib/image_vise.rb
CHANGED