blob: abcb128201b483af93acd40244db7f484aae757e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
$NetBSD: patch-lib_sprockets_server.rb,v 1.1 2018/09/08 16:59:45 taca Exp $
Try to avoid CVE-2018-3760.
--- lib/sprockets/server.rb.orig 2018-06-20 01:37:23.885194827 +0000
+++ lib/sprockets/server.rb
@@ -90,7 +90,7 @@ module Sprockets
#
# http://example.org/assets/../../../etc/passwd
#
- path.include?("..") || Pathname.new(path).absolute?
+ path.include?("..") || Pathname.new(path).absolute? || path.include?("://")
end
# Returns a 403 Forbidden response tuple
|