sprockets 2.1.2 → 2.1.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of sprockets might be problematic. Click here for more details.
- data/lib/sprockets/server.rb +7 -7
- data/lib/sprockets/version.rb +1 -1
- metadata +5 -7
data/lib/sprockets/server.rb
CHANGED
@@ -25,11 +25,6 @@ module Sprockets
|
|
25
25
|
|
26
26
|
msg = "Served asset #{env['PATH_INFO']} -"
|
27
27
|
|
28
|
-
# URLs containing a `".."` are rejected for security reasons.
|
29
|
-
if forbidden_request?(env)
|
30
|
-
return forbidden_response
|
31
|
-
end
|
32
|
-
|
33
28
|
# Mark session as "skipped" so no `Set-Cookie` header is set
|
34
29
|
env['rack.session.options'] ||= {}
|
35
30
|
env['rack.session.options'][:defer] = true
|
@@ -38,6 +33,11 @@ module Sprockets
|
|
38
33
|
# Extract the path from everything after the leading slash
|
39
34
|
path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
|
40
35
|
|
36
|
+
# URLs containing a `".."` are rejected for security reasons.
|
37
|
+
if forbidden_request?(path)
|
38
|
+
return forbidden_response
|
39
|
+
end
|
40
|
+
|
41
41
|
# Strip fingerprint
|
42
42
|
if fingerprint = path_fingerprint(path)
|
43
43
|
path = path.sub("-#{fingerprint}", '')
|
@@ -85,12 +85,12 @@ module Sprockets
|
|
85
85
|
end
|
86
86
|
|
87
87
|
private
|
88
|
-
def forbidden_request?(
|
88
|
+
def forbidden_request?(path)
|
89
89
|
# Prevent access to files elsewhere on the file system
|
90
90
|
#
|
91
91
|
# http://example.org/assets/../../../etc/passwd
|
92
92
|
#
|
93
|
-
|
93
|
+
path.include?("..")
|
94
94
|
end
|
95
95
|
|
96
96
|
# Returns a 403 Forbidden response tuple
|
data/lib/sprockets/version.rb
CHANGED
metadata
CHANGED
@@ -1,13 +1,13 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sprockets
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
hash:
|
4
|
+
hash: 13
|
5
5
|
prerelease:
|
6
6
|
segments:
|
7
7
|
- 2
|
8
8
|
- 1
|
9
|
-
-
|
10
|
-
version: 2.1.
|
9
|
+
- 3
|
10
|
+
version: 2.1.3
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Sam Stephenson
|
@@ -16,8 +16,7 @@ autorequire:
|
|
16
16
|
bindir: bin
|
17
17
|
cert_chain: []
|
18
18
|
|
19
|
-
date:
|
20
|
-
default_executable:
|
19
|
+
date: 2012-04-26 00:00:00 Z
|
21
20
|
dependencies:
|
22
21
|
- !ruby/object:Gem::Dependency
|
23
22
|
name: hike
|
@@ -214,7 +213,6 @@ files:
|
|
214
213
|
- lib/sprockets/utils.rb
|
215
214
|
- lib/sprockets/version.rb
|
216
215
|
- lib/sprockets.rb
|
217
|
-
has_rdoc: true
|
218
216
|
homepage: http://getsprockets.org/
|
219
217
|
licenses: []
|
220
218
|
|
@@ -244,7 +242,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
244
242
|
requirements: []
|
245
243
|
|
246
244
|
rubyforge_project: sprockets
|
247
|
-
rubygems_version: 1.
|
245
|
+
rubygems_version: 1.8.15
|
248
246
|
signing_key:
|
249
247
|
specification_version: 3
|
250
248
|
summary: Rack-based asset packaging system
|