sprockets 2.0.3 → 2.0.4





@@ -25,11 +25,6 @@ module Sprockets
25
25
 
26
26
  msg = "Served asset #{env['PATH_INFO']} -"
27
27
 
28
- # URLs containing a `".."` are rejected for security reasons.
29
- if forbidden_request?(env)
30
- return forbidden_response
31
- end
32
-
33
28
  # Mark session as "skipped" so no `Set-Cookie` header is set
34
29
  env['rack.session.options'] ||= {}
35
30
  env['rack.session.options'][:defer] = true
@@ -38,6 +33,11 @@ module Sprockets
38
33
  # Extract the path from everything after the leading slash
39
34
  path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
40
35
 
36
+ # URLs containing a `".."` are rejected for security reasons.
37
+ if forbidden_request?(path)
38
+ return forbidden_response
39
+ end
40
+
41
41
  # Look up the asset.
42
42
  asset = find_asset(path)
43
43
  asset.to_a if asset
@@ -82,12 +82,12 @@ module Sprockets
82
82
  end
83
83
 
84
84
  private
85
- def forbidden_request?(env)
85
+ def forbidden_request?(path)
86
86
  # Prevent access to files elsewhere on the file system
87
87
  #
88
88
  # http://example.org/assets/../../../etc/passwd
89
89
  #
90
- env["PATH_INFO"].include?("..")
90
+ path.include?("..")
91
91
  end
92
92
 
93
93
  # Returns a 403 Forbidden response tuple
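Review bot: The relocated check in the second hunk now runs on the decoded `path` rather than the raw `env['PATH_INFO']`, which is the substance of the fix, but nothing in the code records that this ordering is load-bearing, so a later tidy-up could hoist `forbidden_request?` back above `unescape` and silently reintroduce the bypass this release closes. I would extend the comment above the new call to say `# Checked AFTER unescape so encoded forms of ".." are rejected too; do not move this above the path decoding.` The `path.include?("..")` test in the third hunk is a plain substring match, so an asset whose own filename contains two consecutive dots is refused as well — acceptable for a deny-by-default guard, but worth a one-line note inside `forbidden_request?` so it is not later "fixed" into a segment-wise check without review. The enclosing request-handling method starts and ends outside these hunks.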
@@ -1,3 +1,3 @@
1
1
  module Sprockets
2
- VERSION = "2.0.3"
2
+ VERSION = "2.0.4"
3
3
  end
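--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: sprockets
 version: !ruby/object:Gem::Version
-hash: 9
+hash: 7
 prerelease:
 segments:
 - 2
 - 0
-- 3
-version: 2.0.3
+- 4
+version: 2.0.4
 platform: ruby
 authors:
 - Sam Stephenson
@@ -16,8 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-10-17 00:00:00 -05:00
-default_executable:
+date: 2012-04-26 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: hike
@@ -214,7 +213,6 @@ files:
 - lib/sprockets/utils.rb
 - lib/sprockets/version.rb
 - lib/sprockets.rb
-has_rdoc: true
 homepage: http://getsprockets.org/
 licenses: []
 
@@ -244,7 +242,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: sprockets
-rubygems_version: 1.5.2
+rubygems_version: 1.8.15
 signing_key:
 specification_version: 3
 summary: Rack-based asset packaging system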