sprockets 2.12.2 → 2.12.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of sprockets might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/README.md +4 -0
- data/lib/sprockets/server.rb +7 -7
- data/lib/sprockets/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4ac3ec814692936eab4dc58704519ca15c383880
|
|
4
|
+
data.tar.gz: 1888571f870ed8cb1a4e7a36dd78b2c7079991ed
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5a11411a3911b1bb069ec8b350e3017d96377f70a7a41b62db3b8da1616186c57dd31a9d746f01cc7b16c1e717dd7dfcc1c513a2d92420a4ddbc7f1ee292bdb0
|
|
7
|
+
data.tar.gz: 036a48e5dc1c97776e9aa455e6b254ecfcd83edbd0cabc1c999c1b23f4881685458f9e2683c35e38d9ad72946facbefe05b2bdef962d9cc2ab9fa73c74780b82
|
data/README.md
CHANGED
|
@@ -366,6 +366,10 @@ submit a pull request.
|
|
|
366
366
|
|
|
367
367
|
## Version History ##
|
|
368
368
|
|
|
369
|
+
**2.12.3** (October 28, 2014)
|
|
370
|
+
|
|
371
|
+
* Security: Fix directory traversal bug in development mode server.
|
|
372
|
+
|
|
369
373
|
**2.12.2** (September 5, 2014)
|
|
370
374
|
|
|
371
375
|
* Ensure internal asset lookups calls are still restricted to load paths within
|
data/lib/sprockets/server.rb
CHANGED
|
@@ -33,16 +33,16 @@ module Sprockets
|
|
|
33
33
|
# Extract the path from everything after the leading slash
|
|
34
34
|
path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
|
|
35
35
|
|
|
36
|
-
# URLs containing a `".."` are rejected for security reasons.
|
|
37
|
-
if forbidden_request?(path)
|
|
38
|
-
return forbidden_response
|
|
39
|
-
end
|
|
40
|
-
|
|
41
36
|
# Strip fingerprint
|
|
42
37
|
if fingerprint = path_fingerprint(path)
|
|
43
38
|
path = path.sub("-#{fingerprint}", '')
|
|
44
39
|
end
|
|
45
40
|
|
|
41
|
+
# URLs containing a `".."` are rejected for security reasons.
|
|
42
|
+
if forbidden_request?(path)
|
|
43
|
+
return forbidden_response
|
|
44
|
+
end
|
|
45
|
+
|
|
46
46
|
# Look up the asset.
|
|
47
47
|
asset = find_asset(path, :bundle => !body_only?(env))
|
|
48
48
|
|
|
@@ -90,7 +90,7 @@ module Sprockets
|
|
|
90
90
|
#
|
|
91
91
|
# http://example.org/assets/../../../etc/passwd
|
|
92
92
|
#
|
|
93
|
-
path.include?("..")
|
|
93
|
+
path.include?("..") || Pathname.new(path).absolute?
|
|
94
94
|
end
|
|
95
95
|
|
|
96
96
|
# Returns a 403 Forbidden response tuple
|
|
@@ -222,7 +222,7 @@ module Sprockets
|
|
|
222
222
|
# # => "0aa2105d29558f3eb790d411d7d8fb66"
|
|
223
223
|
#
|
|
224
224
|
def path_fingerprint(path)
|
|
225
|
-
path[/-([0-9a-f]{7,40})\.[^.]
|
|
225
|
+
path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
|
|
226
226
|
end
|
|
227
227
|
|
|
228
228
|
# URI.unescape is deprecated on 1.9. We need to use URI::Parser
|
data/lib/sprockets/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sprockets
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.12.
|
|
4
|
+
version: 2.12.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Stephenson
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2014-
|
|
12
|
+
date: 2014-10-28 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: hike
|