sprockets 2.3.0 → 2.3.1


data/README.md CHANGED
@@ -354,7 +354,13 @@ submit a pull request.
354
354
 
355
355
  ## Version History ##
356
356
 
357
- **2.3.0** (Unreleased)
357
+ **2.3.1** (February 11, 2012)
358
+
359
+ * Added bytesize to manifest
360
+ * Added Asset#bytesize alias
361
+ * Security: Check path for forbidden access after unescaping
362
+
363
+ **2.3.0** (January 16, 2012)
358
364
 
359
365
  * Added special Sass importer that automatically tracks any `@import`ed files.
360
366
 
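Review bot: the entry "Security: Check path for forbidden access after unescaping" would be clearer to downstream users if it said what changed in behaviour: the previous check ran on the raw `PATH_INFO`, so a percent-encoded `..` in the request was only visible after `unescape` and slipped past it. Consider wording it as "Security: reject `..` in the unescaped request path (previously checked before unescaping)" so operators reading the changelog can judge whether they need to upgrade urgently.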
@@ -30,6 +30,7 @@ module Sprockets
30
30
 
31
31
  attr_reader :logical_path, :pathname
32
32
  attr_reader :content_type, :mtime, :length, :digest
33
+ alias_method :bytesize, :length
33
34
 
34
35
  def initialize(environment, logical_path, pathname)
35
36
  @root = environment.root
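Review bot: a short comment above `alias_method :bytesize, :length` noting that `length` is the size of the asset in bytes (not the character count of the source) would document why the alias is exact; without it a reader may assume `bytesize` and `length` could diverge for multibyte content the way `String#bytesize` and `String#length` do.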
@@ -91,6 +91,7 @@ module Sprockets
91
91
  files[asset.digest_path] = {
92
92
  'logical_path' => asset.logical_path,
93
93
  'mtime' => asset.mtime.iso8601,
94
+ 'size' => asset.bytesize,
94
95
  'digest' => asset.digest
95
96
  }
96
97
  assets[asset.logical_path] = asset.digest_path
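Review bot: the manifest key is `'size'` while the changelog says "Added bytesize to manifest" and the accessor is `bytesize`; pick one name so consumers of the manifest know the unit. Since `'mtime'` is written in a self-describing form (`iso8601`), naming this key `'bytesize'`, or documenting in the manifest writer that `'size'` is in bytes, keeps the file format unambiguous for tools that read `files[...]`.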
@@ -25,11 +25,6 @@ module Sprockets
25
25
 
26
26
  msg = "Served asset #{env['PATH_INFO']} -"
27
27
 
28
- # URLs containing a `".."` are rejected for security reasons.
29
- if forbidden_request?(env)
30
- return forbidden_response
31
- end
32
-
33
28
  # Mark session as "skipped" so no `Set-Cookie` header is set
34
29
  env['rack.session.options'] ||= {}
35
30
  env['rack.session.options'][:defer] = true
@@ -38,6 +33,11 @@ module Sprockets
38
33
  # Extract the path from everything after the leading slash
39
34
  path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
40
35
 
36
+ # URLs containing a `".."` are rejected for security reasons.
37
+ if forbidden_request?(path)
38
+ return forbidden_response
39
+ end
40
+
41
41
  # Strip fingerprint
42
42
  if fingerprint = path_fingerprint(path)
43
43
  path = path.sub("-#{fingerprint}", '')
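Review bot: moving `forbidden_request?(path)` to after `path = unescape(...)` is the correct fix, since the check now sees the same string that is later used for lookup; two points remain. First, `path.include?("..")` is a substring test, so a legitimately named asset such as `jquery..min.js` is also refused; if that is intentional, a comment saying the check is deliberately conservative would help, otherwise compare path segments (`path.split('/').include?('..')`). Second, the check runs exactly once on the single-unescaped value, so any further decoding or normalisation added to this method later must happen before this line; a test that requests an encoded `..` and asserts a 403 would pin that ordering down.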
@@ -85,12 +85,12 @@ module Sprockets
85
85
  end
86
86
 
87
87
  private
88
- def forbidden_request?(env)
88
+ def forbidden_request?(path)
89
89
  # Prevent access to files elsewhere on the file system
90
90
  #
91
91
  # http://example.org/assets/../../../etc/passwd
92
92
  #
93
- env["PATH_INFO"].include?("..")
93
+ path.include?("..")
94
94
  end
95
95
 
96
96
  # Returns a 403 Forbidden response tuple
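Review bot: now that `forbidden_request?` takes a path string rather than the Rack `env`, the name no longer matches the argument; `forbidden_path?(path)` would read better and avoid the impression that it still inspects the whole request. The doc comment should also state that `path` is expected to be the already-unescaped, leading-slash-stripped value, since passing the raw `PATH_INFO` here would silently reintroduce the bypass this release fixes.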
@@ -1,3 +1,3 @@
1
1
  module Sprockets
2
- VERSION = "2.3.0"
2
+ VERSION = "2.3.1"
3
3
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sprockets
3
3
  version: !ruby/object:Gem::Version
4
- hash: 3
4
+ hash: 1
5
5
  prerelease:
6
6
  segments:
7
7
  - 2
8
8
  - 3
9
- - 0
10
- version: 2.3.0
9
+ - 1
10
+ version: 2.3.1
11
11
  platform: ruby
12
12
  authors:
13
13
  - Sam Stephenson
@@ -16,7 +16,7 @@ autorequire:
16
16
  bindir: bin
17
17
  cert_chain: []
18
18
 
19
- date: 2012-01-16 00:00:00 -06:00
19
+ date: 2012-02-11 00:00:00 -06:00
20
20
  default_executable:
21
21
  dependencies:
22
22
  - !ruby/object:Gem::Dependency