sbsm 1.2.1 → 1.2.2

data/History.txt

@@ -1,3 +1,7 @@
+=== 1.2.2 / 24.10.2012
+
+* Fixed tainted path for File#expand_path
+
 === 1.2.1 / 27.09.2012
 
 * Fixed cgi loading problem on Production server

data/lib/sbsm/request.rb

@@ -21,7 +21,7 @@
 # ywesee - intellectual capital connected, Winterthurerstrasse 52, CH-8006 Zürich, Switzerland
 # hwyss@ywesee.com
 #
-# SBSM::Request -- sbsm -- 27.09.2012 -- yasaka@ywesee.com
+# SBSM::Request -- sbsm -- 24.10.2012 -- yasaka@ywesee.com
 # SBSM::Request -- sbsm -- 24.01.2012 -- mhatakeyama@ywesee.com
 # SBSM::Request -- sbsm -- hwyss@ywesee.com
 
@@ -51,11 +51,12 @@ module SBSM
 		  crawler_pattern = /archiver|slurp|bot|crawler|jeeves|spider|\.{6}/i
 			!!crawler_pattern.match(@cgi.user_agent)
 		end
-		def passthru(path, disposition='attachment')
-			@passthru = path
+    def passthru(path, disposition='attachment')
+      # the variable @passthru is set by a trusted source
+      @passthru    = path.untaint
       @disposition = disposition
-			''
-		end
+      ''
+    end
 		def process
 			begin
 				@cgi.params.store('default_flavor', ENV['DEFAULT_FLAVOR'])
@@ -167,11 +168,10 @@ module SBSM
 					cookie = generate_cookie(cookie_input)
 					@request.headers_out.add('Set-Cookie', cookie.to_s)
 				end
-				# the variable @passthru is set by a trusted source
-				basename = File.basename(@passthru)
-				fullpath = File.expand_path(@passthru,
-					@request.server.document_root)
-				fullpath.untaint
+        basename = File.basename(@passthru)
+        fullpath = File.expand_path(
+          @passthru,
+          @request.server.document_root.untaint)
 				subreq = @request.lookup_file(fullpath)
 				@request.content_type = subreq.content_type
 				@request.headers_out.add('Content-Disposition',

data/lib/version.rb

@@ -1 +1 @@
-VERSION = '1.2.1'
+VERSION = '1.2.2'

metadata

@@ -1,65 +1,49 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: sbsm
-version: !ruby/object:Gem::Version 
-  hash: 29
+version: !ruby/object:Gem::Version
+  version: 1.2.2
   prerelease: 
-  segments: 
-  - 1
-  - 2
-  - 1
-  version: 1.2.1
 platform: ruby
-authors: 
+authors:
 - Masaomi Hatakeyama, Zeno R.R. Davatz
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2012-09-27 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2012-10-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: rdoc
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: &24885960 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 19
-        segments: 
-        - 3
-        - 10
-        version: "3.10"
+      - !ruby/object:Gem::Version
+        version: '3.10'
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: hoe
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: *24885960
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: &24885420 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 25
-        segments: 
-        - 2
-        - 13
-        version: "2.13"
+      - !ruby/object:Gem::Version
+        version: '2.13'
   type: :development
-  version_requirements: *id002
+  prerelease: false
+  version_requirements: *24885420
 description: Application framework for state based session management
-email: 
+email:
 - mhatakeyama@ywesee.com, zdavatz@ywesee.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - History.txt
 - LICENCE.txt
 - README.txt
 - usage-en.txt
-files: 
+files:
 - History.txt
 - LICENCE.txt
 - README.txt
@@ -111,39 +95,31 @@ files:
 - .gemtest
 homepage: http://scm.ywesee.com/?p=sbsm/.git;a=summary
 licenses: []
-
 post_install_message: 
-rdoc_options: 
+rdoc_options:
 - --main
 - README.txt
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: sbsm
 rubygems_version: 1.8.15
 signing_key: 
 specification_version: 3
 summary: Application framework for state based session management
-test_files: 
+test_files:
 - test/test_drbserver.rb
 - test/test_index.rb
 - test/test_lookandfeel.rb