sprockets 2.0.3 → 2.0.4
- data/lib/sprockets/server.rb +7 -7
- data/lib/sprockets/version.rb +1 -1
- metadata +5 -7
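--- a/data/lib/sprockets/server.rb
+++ b/data/lib/sprockets/server.rb
@@ -25,11 +25,6 @@ module Sprockets
 
 msg = "Served asset #{env['PATH_INFO']} -"
 
-# URLs containing a `".."` are rejected for security reasons.
-if forbidden_request?(env)
-return forbidden_response
-end
-
 # Mark session as "skipped" so no `Set-Cookie` header is set
 env['rack.session.options'] ||= {}
 env['rack.session.options'][:defer] = true
@@ -38,6 +33,11 @@ module Sprockets
 # Extract the path from everything after the leading slash
 path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
 
+# URLs containing a `".."` are rejected for security reasons.
+if forbidden_request?(path)
+return forbidden_response
+end
+
 # Look up the asset.
 asset = find_asset(path)
 asset.to_a if asset
@@ -82,12 +82,12 @@ module Sprockets
 end
 
 private
-def forbidden_request?(
+def forbidden_request?(path)
 # Prevent access to files elsewhere on the file system
 #
 # http://example.org/assets/../../../etc/passwd
 #
-
+path.include?("..")
 end
 
 # Returns a 403 Forbidden response tuple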
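Review bot: `path.include?("..")` in the new `forbidden_request?` (new lines 85–91) still lets a path that is absolute after the leading-slash strip reach `find_asset`: a `PATH_INFO` of `//etc/passwd` becomes `/etc/passwd`, because `sub(/^\//, '')` on new line 34 removes only one slash and nothing in this diff rejects a leading `/`. Whether `find_asset` confines absolute paths to the asset roots is not visible here, so this may be harmless, but the extra guard is cheap: `path.start_with?("/") || path.include?("..")`. Moving the check to after `unescape` is the right order, since the old check on the raw `env` (old line 29, body truncated in this view) presumably looked at the still-encoded `PATH_INFO` and would miss a percent-encoded `..`. Note that `unescape` runs once, so a double-encoded `%252e%252e` arrives here as the literal `%2e%2e`; that only matters if a later layer decodes again, which this diff does not show. The `call` method that now contains the check (second hunk) starts outside the hunk.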
data/lib/sprockets/version.rb
CHANGED
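--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: sprockets
 version: !ruby/object:Gem::Version
-hash:
+hash: 7
 prerelease:
 segments:
 - 2
 - 0
--
-version: 2.0.
+- 4
+version: 2.0.4
 platform: ruby
 authors:
 - Sam Stephenson
@@ -16,8 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date:
-default_executable:
+date: 2012-04-26 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: hike
@@ -214,7 +213,6 @@ files:
 - lib/sprockets/utils.rb
 - lib/sprockets/version.rb
 - lib/sprockets.rb
-has_rdoc: true
 homepage: http://getsprockets.org/
 licenses: []
 
@@ -244,7 +242,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: sprockets
-rubygems_version: 1.
+rubygems_version: 1.8.15
 signing_key:
 specification_version: 3
 summary: Rack-based asset packaging system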