Hello community, here is the log from the commit of package rubygem-sprockets for openSUSE:Factory checked in at 2015-02-16 21:09:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-sprockets (Old) and /work/SRC/openSUSE:Factory/.rubygem-sprockets.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-sprockets"
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-sprockets/rubygem-sprockets.changes 2014-11-24 11:12:49.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-sprockets.new/rubygem-sprockets.changes 2015-02-16 21:09:36.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Feb 10 08:01:48 UTC 2015 - [email protected]
+
+- updated to version 2.12.3
+ * Security: Fix directory traversal bug in development mode server.
+
+-------------------------------------------------------------------
Old:
----
sprockets-2.12.2.gem
New:
----
gem2rpm.yml
sprockets-2.12.3.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-sprockets.spec ++++++
--- /var/tmp/diff_new_pack.u1xUhb/_old 2015-02-16 21:09:37.000000000 +0100
+++ /var/tmp/diff_new_pack.u1xUhb/_new 2015-02-16 21:09:37.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-sprockets
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,8 +16,15 @@
 #
+#
+# This file was generated with a gem2rpm.yml and not just plain gem2rpm.
+# All sections marked as MANUAL, license headers, summaries and descriptions
+# can be maintained in that file. Please consult this file before editing any
+# of those fields
+#
+
 Name: rubygem-sprockets
-Version: 2.12.2
+Version: 2.12.3
 Release: 0
 %define mod_name sprockets
 %define mod_full_name %{mod_name}-%{version}
@@ -28,6 +35,7 @@ BuildRequires: update-alternatives Url: http://getsprockets.org/ Source: http://rubygems.org/gems/%{mod_full_name}.gem +Source1: gem2rpm.yml Summary: Rack-based asset packaging system License: MIT Group: Development/Languages/Ruby ++++++ gem2rpm.yml ++++++ # --- # ## used by gem2rpm # :summary: this is a custom summary # ## used by gem2rpm # :description: |- # this is a custom description # # it can be multiline # ## used by gem2rpm # :license: MIT or Ruby # ## used by gem2rpm and gem_packages # :version_suffix: -x_y # ## used by gem2rpm and gem_packages # :disable_docs: true # ## used by gem2rpm # :disable_automatic_rdoc_dep: true # ## used by gem2rpm # :preamble: |- # BuildRequires: foobar # Requires: foobar # ## used by gem2rpm # :patches: # foo.patch: -p1 # bar.patch: # ## used by gem2rpm :sources: # - foo.desktop # - bar.desktop # :gem_install_args: '....' # ## used by gem2rpm # :pre_install: |- # %if 0%{?use_system_libev} # export USE_VENDORED_LIBEV="no" # %endif # ## used by gem2rpm # :post_install: |- # # delete custom files here or do other fancy stuff # install -D -m 0644 %{S:1} %{buildroot}%{_bindir}/gem2rpm-opensuse # ## used by gem2rpm # :testsuite_command: |- # (pushd %{buildroot}%{gem_base}/gems/%{mod_full_name} && rake test) # ## used by gem2rpm # :filelist: |- # /usr/bin/gem2rpm-opensuse # ## used by gem2rpm # :scripts: # :post: |- # /bin/echo foo # ## used by gem_packages # :main: # :preamble: |- # Requires: util-linux # Recommends: pwgen # :filelist: |- # /usr/bin/gem2rpm-opensuse # ## used by gem_packages # :custom: # apache: # :preamble: |- # Requires: ..... 
# :filelist: |- # /etc/apache2/conf.d/passenger.conf # :summary: Custom summary is optional # :description: |- # Custom description is optional # # bar # :post: |- # /bin/echo foo #
++++++ sprockets-2.12.2.gem -> sprockets-2.12.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md
--- old/README.md 2014-09-06 06:34:57.000000000 +0200
+++ new/README.md 2014-10-28 19:56:15.000000000 +0100
@@ -366,6 +366,10 @@
 ## Version History ##
+**2.12.3** (October 28, 2014)
+
+* Security: Fix directory traversal bug in development mode server.
+
 **2.12.2** (September 5, 2014)
 * Ensure internal asset lookups calls are still restricted to load paths within
Files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/sprockets/server.rb new/lib/sprockets/server.rb
--- old/lib/sprockets/server.rb 2014-09-06 06:34:57.000000000 +0200
+++ new/lib/sprockets/server.rb 2014-10-28 19:56:15.000000000 +0100
@@ -33,16 +33,16 @@
 # Extract the path from everything after the leading slash
 path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
- # URLs containing a `".."` are rejected for security reasons.
- if forbidden_request?(path)
- return forbidden_response
- end
-
 # Strip fingerprint
 if fingerprint = path_fingerprint(path)
 path = path.sub("-#{fingerprint}", '')
 end
+ # URLs containing a `".."` are rejected for security reasons.
+ if forbidden_request?(path)
+ return forbidden_response
+ end
+
 # Look up the asset.
 asset = find_asset(path, :bundle => !body_only?(env))
@@ -90,7 +90,7 @@
 #
 # http://example.org/assets/../../../etc/passwd
 #
- path.include?("..")
+ path.include?("..") || Pathname.new(path).absolute?
 end
 # Returns a 403 Forbidden response tuple
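Review bot: The leading-slash strip on the hunk's second context line still anchors with `^` while this same commit moves path_fingerprint from `$` to `\z` (the @@ -222 hunk); in Ruby `^` matches at the start of every line, not only of the string, so for consistency it should read `path = unescape(env['PATH_INFO'].to_s.sub(/\A\//, ''))`. Moving forbidden_request? below the fingerprint strip is the right order, because the check now sees the same path that is handed to find_asset rather than the pre-strip form. The moved comment is now stale given the absolute-path test added in the @@ -90 hunk; suggest `# Paths containing ".." or resolving to an absolute path are rejected for security reasons.` The enclosing method starts and ends outside this hunk.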
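Review bot: `Pathname.new(path).absolute?` on the added line depends on the `pathname` library being loaded, and this diff adds no `require 'pathname'`; if server.rb does not already require it (the file header is not in the hunk), the first request hitting this check would raise NameError, which surfaces as a 500 instead of the intended 403. Worth confirming, or add `require 'pathname'` at the top of the file. The method's doc comment, of which only the `../../../etc/passwd` example is visible here, should also name the new condition, e.g. `# Absolute paths are rejected as well.` forbidden_request? begins outside this hunk.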
@@ -222,7 +222,7 @@
 #
 # => "0aa2105d29558f3eb790d411d7d8fb66"
 #
 def path_fingerprint(path)
- path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
+ path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
 end
 # URI.unescape is deprecated on 1.9. We need to use URI::Parser
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/sprockets/version.rb new/lib/sprockets/version.rb
--- old/lib/sprockets/version.rb 2014-09-06 06:34:57.000000000 +0200
+++ new/lib/sprockets/version.rb 2014-10-28 19:56:15.000000000 +0100
@@ -1,3 +1,3 @@
 module Sprockets
- VERSION = "2.12.2"
+ VERSION = "2.12.3"
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2014-09-06 06:34:57.000000000 +0200
+++ new/metadata 2014-10-28 19:56:15.000000000 +0100
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sprockets
 version: !ruby/object:Gem::Version
- version: 2.12.2
+ version: 2.12.3
 platform: ruby
 authors:
 - Sam Stephenson
@@ -9,7 +9,7 @@
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-09-06 00:00:00.000000000 Z
+date: 2014-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: hike
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
