RubyGems - sprockets - Versions diffs - 2.0.3 → 2.0.4 - Mend

sprockets 2.0.3 → 2.0.4

This version of sprockets might be problematic. Click here for more details.

Files changed (3) hide show

@@ -25,11 +25,6 @@ module Sprockets
       msg = "Served asset #{env['PATH_INFO']} -"
-      # URLs containing a `".."` are rejected for security reasons.
-      if forbidden_request?(env)
-        return forbidden_response
-      end
       # Mark session as "skipped" so no `Set-Cookie` header is set
       env['rack.session.options'] ||= {}
       env['rack.session.options'][:defer] = true
@@ -38,6 +33,11 @@ module Sprockets
       # Extract the path from everything after the leading slash
       path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
+      # URLs containing a `".."` are rejected for security reasons.
+      if forbidden_request?(path)
+        return forbidden_response
+      end
       # Look up the asset.
       asset = find_asset(path)
       asset.to_a if asset
@@ -82,12 +82,12 @@ module Sprockets
     end
     private
-      def forbidden_request?(env)
+      def forbidden_request?(path)
         # Prevent access to files elsewhere on the file system
         #
         #     http://example.org/assets/../../../etc/passwd
         #
-        env["PATH_INFO"].include?("..")
+        path.include?("..")
       end
       # Returns a 403 Forbidden response tuple

data/lib/sprockets/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Sprockets
-  VERSION = "2.0.3"
+  VERSION = "2.0.4"
 end

metadata CHANGED

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: sprockets
 version: !ruby/object:Gem::Version
-  hash: 9
+  hash: 7
   prerelease:
   segments:
   - 2
   - 0
-  - 3
-  version: 2.0.3
+  - 4
+  version: 2.0.4
 platform: ruby
 authors:
 - Sam Stephenson
@@ -16,8 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-10-17 00:00:00 -05:00
-default_executable:
+date: 2012-04-26 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hike
@@ -214,7 +213,6 @@ files:
 - lib/sprockets/utils.rb
 - lib/sprockets/version.rb
 - lib/sprockets.rb
-has_rdoc: true
 homepage: http://getsprockets.org/
 licenses: []
@@ -244,7 +242,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubyforge_project: sprockets
-rubygems_version: 1.5.2
+rubygems_version: 1.8.15
 signing_key:
 specification_version: 3
 summary: Rack-based asset packaging system