Changeset [4d832126380a18a3145c47dfbc57021f96e9a89e] by John Firebaugh

April 26th, 2012 @ 11:00 PM

Check for directory traversal after unescaping

The forbidden_request? check could be trivially bypassed
by percent encoding .. as %2e%2e.

After auditing Sprockets and Hike and fuzzing a simple
server, I don't believe this is exploitable. However,
better safe than sorry/defense in depth/etc.

Conflicts:

    lib/sprockets/server.rb

https://github.com/sstephenson/sprockets/commit/4d832126380a18a3145...

Committed by John Firebaugh

  • M lib/sprockets/server.rb
  • M test/test_server.rb
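The bypass the message describes, shown as an added Ruby example that is not Sprockets' own code: a raw-string check beside an unescape-first check, plus a path-resolution check that does not depend on string matching at all. Function names, the asset root `/srv/assets` and the sample request paths are constructed for this illustration.

```ruby
# Minimal single-pass percent-decoder, standing in for what a Rack server
# applies to PATH_INFO before touching the file system. It decodes exactly
# once on purpose: decoding more times than the server does would flag
# requests the server never resolves, fewer would reopen the bypass.
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# "Before" check (hypothetical): inspects the raw, still-escaped PATH_INFO.
# A ".." written as "%2e%2e" never appears as ".." here, so it passes.
def forbidden_request_before?(path_info)
  path_info.include?("..")
end

# "After" check (hypothetical): unescape first, then look for "..", so
# encoded and literal dot-dot segments are treated identically.
def forbidden_request_after?(path_info)
  percent_decode(path_info).include?("..")
end

# Defence in depth: resolve the decoded path against the asset root and
# refuse anything whose canonical form lies outside it. File.join collapses
# the leading "/" of PATH_INFO so the request cannot replace the root, and
# File.expand_path resolves ".." segments purely lexically.
def within_root?(root, path_info)
  root = File.expand_path(root)
  target = File.expand_path(File.join(root, percent_decode(path_info)))
  target == root || target.start_with?(root + File::SEPARATOR)
end

# Constructed sample requests; the %2e%2e form is the encoded ".." from the
# commit message.
SAMPLE_PATHS = [
  "/application.js",
  "/../../../etc/passwd",
  "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
].freeze

if __FILE__ == $0
  SAMPLE_PATHS.each do |p|
    puts format("%-36s before=%-5s after=%-5s in_root=%s", p,
                forbidden_request_before?(p), forbidden_request_after?(p),
                within_root?("/srv/assets", p))
  end
end
```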

JavaScript dependency management and concatenation
http://getsprockets.org/