sprockets 2.1.2 → 2.1.3





@@ -25,11 +25,6 @@ module Sprockets
25
25
 
26
26
  msg = "Served asset #{env['PATH_INFO']} -"
27
27
 
28
- # URLs containing a `".."` are rejected for security reasons.
29
- if forbidden_request?(env)
30
- return forbidden_response
31
- end
32
-
33
28
  # Mark session as "skipped" so no `Set-Cookie` header is set
34
29
  env['rack.session.options'] ||= {}
35
30
  env['rack.session.options'][:defer] = true
@@ -38,6 +33,11 @@ module Sprockets
38
33
  # Extract the path from everything after the leading slash
39
34
  path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
40
35
 
36
+ # URLs containing a `".."` are rejected for security reasons.
37
+ if forbidden_request?(path)
38
+ return forbidden_response
39
+ end
40
+
41
41
  # Strip fingerprint
42
42
  if fingerprint = path_fingerprint(path)
43
43
  path = path.sub("-#{fingerprint}", '')
@@ -85,12 +85,12 @@ module Sprockets
85
85
  end
86
86
 
87
87
  private
88
- def forbidden_request?(env)
88
+ def forbidden_request?(path)
89
89
  # Prevent access to files elsewhere on the file system
90
90
  #
91
91
  # http://example.org/assets/../../../etc/passwd
92
92
  #
93
- env["PATH_INFO"].include?("..")
93
+ path.include?("..")
94
94
  end
95
95
 
96
96
  # Returns a 403 Forbidden response tuple
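Review bot: `forbidden_request?(path)` now depends on its caller having already passed the path through `unescape`, but neither the method nor the comment block above `path.include?("..")` records that precondition, so a future call site handing it the raw `PATH_INFO` would quietly lose the percent-encoded case this change evidently moves the check to cover. I would add to that comment: `# path must already be unescaped: the raw PATH_INFO may hide ".." behind percent-encoding.` Note also that `path.include?("..")` is a substring blocklist, so it rejects legitimate names such as `foo..bar.js` as well; resolving the path and verifying it stays beneath the asset root would be the more robust form, though that is outside this hunk.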
@@ -1,3 +1,3 @@
1
1
  module Sprockets
2
- VERSION = "2.1.2"
2
+ VERSION = "2.1.3"
3
3
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sprockets
3
3
  version: !ruby/object:Gem::Version
4
- hash: 15
4
+ hash: 13
5
5
  prerelease:
6
6
  segments:
7
7
  - 2
8
8
  - 1
9
- - 2
10
- version: 2.1.2
9
+ - 3
10
+ version: 2.1.3
11
11
  platform: ruby
12
12
  authors:
13
13
  - Sam Stephenson
@@ -16,8 +16,7 @@ autorequire:
16
16
  bindir: bin
17
17
  cert_chain: []
18
18
 
19
- date: 2011-11-20 00:00:00 -06:00
20
- default_executable:
19
+ date: 2012-04-26 00:00:00 Z
21
20
  dependencies:
22
21
  - !ruby/object:Gem::Dependency
23
22
  name: hike
@@ -214,7 +213,6 @@ files:
214
213
  - lib/sprockets/utils.rb
215
214
  - lib/sprockets/version.rb
216
215
  - lib/sprockets.rb
217
- has_rdoc: true
218
216
  homepage: http://getsprockets.org/
219
217
  licenses: []
220
218
 
@@ -244,7 +242,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
244
242
  requirements: []
245
243
 
246
244
  rubyforge_project: sprockets
247
- rubygems_version: 1.6.2
245
+ rubygems_version: 1.8.15
248
246
  signing_key:
249
247
  specification_version: 3
250
248
  summary: Rack-based asset packaging system