sprockets 2.2.0 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. data/lib/sprockets/server.rb +7 -7
  2. data/lib/sprockets/version.rb +1 -1
  3. metadata +5 -7
data/lib/sprockets/server.rb CHANGED
@@ -25,11 +25,6 @@ module Sprockets
25
25
 
26
26
  msg = "Served asset #{env['PATH_INFO']} -"
27
27
 
28
- # URLs containing a `".."` are rejected for security reasons.
29
- if forbidden_request?(env)
30
- return forbidden_response
31
- end
32
-
33
28
  # Mark session as "skipped" so no `Set-Cookie` header is set
34
29
  env['rack.session.options'] ||= {}
35
30
  env['rack.session.options'][:defer] = true
@@ -38,6 +33,11 @@ module Sprockets
38
33
  # Extract the path from everything after the leading slash
39
34
  path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
40
35
 
36
+ # URLs containing a `".."` are rejected for security reasons.
37
+ if forbidden_request?(path)
38
+ return forbidden_response
39
+ end
40
+
41
41
  # Strip fingerprint
42
42
  if fingerprint = path_fingerprint(path)
43
43
  path = path.sub("-#{fingerprint}", '')
@@ -85,12 +85,12 @@ module Sprockets
85
85
  end
86
86
 
87
87
  private
88
- def forbidden_request?(env)
88
+ def forbidden_request?(path)
89
89
  # Prevent access to files elsewhere on the file system
90
90
  #
91
91
  # http://example.org/assets/../../../etc/passwd
92
92
  #
93
- env["PATH_INFO"].include?("..")
93
+ path.include?("..")
94
94
  end
95
95
 
96
96
  # Returns a 403 Forbidden response tuple
data/lib/sprockets/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Sprockets
2
- VERSION = "2.2.0"
2
+ VERSION = "2.2.1"
3
3
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sprockets
3
3
  version: !ruby/object:Gem::Version
4
- hash: 7
4
+ hash: 5
5
5
  prerelease:
6
6
  segments:
7
7
  - 2
8
8
  - 2
9
- - 0
10
- version: 2.2.0
9
+ - 1
10
+ version: 2.2.1
11
11
  platform: ruby
12
12
  authors:
13
13
  - Sam Stephenson
@@ -16,8 +16,7 @@ autorequire:
16
16
  bindir: bin
17
17
  cert_chain: []
18
18
 
19
- date: 2012-01-10 00:00:00 -06:00
20
- default_executable:
19
+ date: 2012-04-26 00:00:00 Z
21
20
  dependencies:
22
21
  - !ruby/object:Gem::Dependency
23
22
  name: hike
@@ -248,7 +247,6 @@ files:
248
247
  - lib/sprockets/version.rb
249
248
  - lib/sprockets.rb
250
249
  - bin/sprockets
251
- has_rdoc: true
252
250
  homepage: http://getsprockets.org/
253
251
  licenses: []
254
252
 
@@ -278,7 +276,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
278
276
  requirements: []
279
277
 
280
278
  rubyforge_project: sprockets
281
- rubygems_version: 1.6.2
279
+ rubygems_version: 1.8.15
282
280
  signing_key:
283
281
  specification_version: 3
284
282
  summary: Rack-based asset packaging system