sprockets 2.12.2 → 2.12.3



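--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a18323da3c871b78a1aea7699a585578eca78d85
-  data.tar.gz: 3ab018646337e454e12463cdfef74467d74f016b
+  metadata.gz: 4ac3ec814692936eab4dc58704519ca15c383880
+  data.tar.gz: 1888571f870ed8cb1a4e7a36dd78b2c7079991ed
 SHA512:
-  metadata.gz: 7737e045a3bf093a6000679d8868167277e13ba72aeb237cd207d467d4bc1d1b7b5bdc0d457d246868105b641f27a4209d0629cb9391e9c1fd31c2d1bc7f04c2
-  data.tar.gz: b5b52602169324755121be25cc7c99d03751ab014f46945228323f3fdae420ce4c94df1dc80748f3e9d6b0203a2977e0206993271edaa5aabbbf11982e13c11c
+  metadata.gz: 5a11411a3911b1bb069ec8b350e3017d96377f70a7a41b62db3b8da1616186c57dd31a9d746f01cc7b16c1e717dd7dfcc1c513a2d92420a4ddbc7f1ee292bdb0
+  data.tar.gz: 036a48e5dc1c97776e9aa455e6b254ecfcd83edbd0cabc1c999c1b23f4881685458f9e2683c35e38d9ad72946facbefe05b2bdef962d9cc2ab9fa73c74780b82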
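--- a/data/README.md
+++ b/data/README.md
@@ -366,6 +366,10 @@ submit a pull request.
 
 ## Version History ##
 
+**2.12.3** (October 28, 2014)
+
+* Security: Fix directory traversal bug in development mode server.
+
 **2.12.2** (September 5, 2014)
 
 * Ensure internal asset lookups calls are still restricted to load paths within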
@@ -33,16 +33,16 @@ module Sprockets
33
33
  # Extract the path from everything after the leading slash
34
34
  path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
35
35
 
36
- # URLs containing a `".."` are rejected for security reasons.
37
- if forbidden_request?(path)
38
- return forbidden_response
39
- end
40
-
41
36
  # Strip fingerprint
42
37
  if fingerprint = path_fingerprint(path)
43
38
  path = path.sub("-#{fingerprint}", '')
44
39
  end
45
40
 
41
+ # URLs containing a `".."` are rejected for security reasons.
42
+ if forbidden_request?(path)
43
+ return forbidden_response
44
+ end
45
+
46
46
  # Look up the asset.
47
47
  asset = find_asset(path, :bundle => !body_only?(env))
48
48
 
@@ -90,7 +90,7 @@ module Sprockets
90
90
  #
91
91
  # http://example.org/assets/../../../etc/passwd
92
92
  #
93
- path.include?("..")
93
+ path.include?("..") || Pathname.new(path).absolute?
94
94
  end
95
95
 
96
96
  # Returns a 403 Forbidden response tuple
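Review bot: The new `Pathname.new(path).absolute?` test in forbidden_request? depends on the `Pathname` constant, which in Ruby is only defined after `require 'pathname'`, and no such require is visible in these hunks; if this file does not already load it, the first request reaching this line would raise a NameError instead of returning 403, so please confirm the require is present at the top of the file. The comment above the check in the request-handling hunk (`# URLs containing a `".."` are rejected for security reasons.`) now under-describes what is rejected; update it to `# Paths containing ".." or absolute paths are rejected for security reasons.` and extend the forbidden_request? doc comment above this hunk with an absolute-path example beside the existing `../../../etc/passwd` one. Moving the check after the fingerprint strip is the right order, because `path.sub("-#{fingerprint}", '')` rewrites the path before it is looked up; a one-line comment such as `# Must run after fingerprint stripping, which rewrites the path.` would keep a later refactor from swapping the two back. The method enclosing the first hunk starts outside it, and forbidden_request?'s signature lies above this hunk.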
@@ -222,7 +222,7 @@ module Sprockets
222
222
  # # => "0aa2105d29558f3eb790d411d7d8fb66"
223
223
  #
224
224
  def path_fingerprint(path)
225
- path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
225
+ path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
226
226
  end
227
227
 
228
228
  # URI.unescape is deprecated on 1.9. We need to use URI::Parser
@@ -1,3 +1,3 @@
1
1
  module Sprockets
2
- VERSION = "2.12.2"
2
+ VERSION = "2.12.3"
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sprockets
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.12.2
4
+ version: 2.12.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sam Stephenson
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2014-09-06 00:00:00.000000000 Z
12
+ date: 2014-10-28 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: hike