sprockets 2.12.2 → 2.12.3
- checksums.yaml +4 -4
- data/README.md +4 -0
- data/lib/sprockets/server.rb +7 -7
- data/lib/sprockets/version.rb +1 -1
- metadata +2 -2
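--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4ac3ec814692936eab4dc58704519ca15c383880
+data.tar.gz: 1888571f870ed8cb1a4e7a36dd78b2c7079991ed
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5a11411a3911b1bb069ec8b350e3017d96377f70a7a41b62db3b8da1616186c57dd31a9d746f01cc7b16c1e717dd7dfcc1c513a2d92420a4ddbc7f1ee292bdb0
+data.tar.gz: 036a48e5dc1c97776e9aa455e6b254ecfcd83edbd0cabc1c999c1b23f4881685458f9e2683c35e38d9ad72946facbefe05b2bdef962d9cc2ab9fa73c74780b82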
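--- a/data/README.md
+++ b/data/README.md
@@ -366,6 +366,10 @@ submit a pull request.
 
 ## Version History ##
 
+**2.12.3** (October 28, 2014)
+
+* Security: Fix directory traversal bug in development mode server.
+
 **2.12.2** (September 5, 2014)
 
 * Ensure internal asset lookups calls are still restricted to load paths within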
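--- a/data/lib/sprockets/server.rb
+++ b/data/lib/sprockets/server.rb
@@ -33,16 +33,16 @@ module Sprockets
 # Extract the path from everything after the leading slash
 path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
 
-# URLs containing a `".."` are rejected for security reasons.
-if forbidden_request?(path)
-return forbidden_response
-end
-
 # Strip fingerprint
 if fingerprint = path_fingerprint(path)
 path = path.sub("-#{fingerprint}", '')
 end
 
+# URLs containing a `".."` are rejected for security reasons.
+if forbidden_request?(path)
+return forbidden_response
+end
+
 # Look up the asset.
 asset = find_asset(path, :bundle => !body_only?(env))
 
@@ -90,7 +90,7 @@ module Sprockets
 #
 # http://example.org/assets/../../../etc/passwd
 #
-path.include?("..")
+path.include?("..") || Pathname.new(path).absolute?
 end
 
 # Returns a 403 Forbidden response tuple
@@ -222,7 +222,7 @@ module Sprockets
 # # => "0aa2105d29558f3eb790d411d7d8fb66"
 #
 def path_fingerprint(path)
-path[/-([0-9a-f]{7,40})\.[^.]
+path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
 end
 
 # URI.unescape is deprecated on 1.9. We need to use URI::Parser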
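Review bot: `path = path.sub("-#{fingerprint}", '')` in the first hunk strips the first occurrence of the fingerprint anywhere in the path, not the trailing `-<hex>.<ext>` that `path_fingerprint` matched, so a directory segment carrying the same hex run (`lib-0123456/app-0123456.js`) is rewritten instead of the filename and the wrong asset is looked up. Running `forbidden_request?` after the strip does catch the `.-<hex>./` → `..` rewrite that this substitution allowed, but anchoring the strip to the extension removes the ambiguity at the source: `path = path.sub(/-#{fingerprint}(?=\.[^.]+\z)/, '')`. `Pathname.new(path).absolute?` in the second hunk also presumes `pathname` is required somewhere in this file, which the hunk does not show — worth confirming so the check cannot raise `NameError` instead of returning 403. The method enclosing the first hunk starts before and ends after it.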
data/lib/sprockets/version.rb
CHANGED
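--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sprockets
 version: !ruby/object:Gem::Version
-version: 2.12.
+version: 2.12.3
 platform: ruby
 authors:
 - Sam Stephenson
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: hike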