Changeset [08ef21a2bcbe92ccf542adc7ab714dc95196c757] by John Firebaugh

April 26th, 2012 @ 11:05 PM

Check for directory traversal after unescaping

The forbidden_request? check could be trivially bypassed
by percent encoding .. as %2e%2e.

After auditing Sprockets and Hike and fuzzing a simple
server, I don't believe this is exploitable. However,
better safe than sorry/defense in depth/etc.
https://github.com/sstephenson/sprockets/commit/08ef21a2bcbe92ccf54...

Committed by John Firebaugh

  • M lib/sprockets/server.rb
  • M test/test_server.rb
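The ordering problem the commit message describes, shown as an added example that is not Sprockets's own code. It models a request-path filter two ways: testing for ".." on the raw path before percent-decoding (the bypassable ordering) and testing after decoding (the fix). The function names `percent_decode`, `lookup` and `within_root?` are assumptions made for this example; the trailing `within_root?` check goes beyond the commit and is the usual second layer a practitioner adds so that the decision does not rest on string matching alone.

```ruby
# Added example, not Sprockets code. Models the check ordering the commit
# message describes: %2e%2e only becomes ".." once the path is decoded.

# Decode %XX escapes exactly once. Written by hand so the example does not
# depend on URI/CGI helpers and so that "+" is left untouched.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the decoded relative path to look up, or :forbidden.
#
# check_after_unescape: false  -> vulnerable ordering (test, then decode)
# check_after_unescape: true   -> fixed ordering (decode, then test)
def lookup(raw_path, check_after_unescape:)
  if check_after_unescape
    decoded = percent_decode(raw_path)
    return :forbidden if decoded.include?("..")
    decoded
  else
    return :forbidden if raw_path.include?("..")
    # The ".." test has already passed on the encoded form, so the decoded
    # "../../etc/passwd" is handed on to the file system untouched.
    percent_decode(raw_path)
  end
end

# Second layer (assumption, not part of the commit): after decoding, resolve
# the path against the asset root and require that the result stays inside it.
# This also rejects absolute paths such as "/etc/passwd".
def within_root?(root, decoded_rel_path)
  root = File.expand_path(root)
  full = File.expand_path(decoded_rel_path, root)
  full == root || full.start_with?(root + File::SEPARATOR)
end

if __FILE__ == $0
  # Constructed request paths for demonstration.
  ["application.js", "../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"].each do |raw|
    before = lookup(raw, check_after_unescape: false)
    after  = lookup(raw, check_after_unescape: true)
    puts "#{raw.ljust(28)} before-unescape: #{before.inspect.ljust(22)} after-unescape: #{after.inspect}"
  end
end
```

Decode exactly once and run every check on that single decoded form. If a later layer decodes again, a double-encoded `%252e%252e` would pass this filter as the literal string `%2e%2e` and only turn into `..` afterwards, which is the same class of bypass one layer down.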

JavaScript dependency management and concatenation
http://getsprockets.org/