File CVE-2017-17042.patch of Package rubygem-yard.7896

From b0217b3e30dc53d057b1682506333335975e62b4 Mon Sep 17 00:00:00 2001
From: Loren Segal <lsegal@soen.ca>
Date: Thu, 23 Nov 2017 13:34:33 -0800
Subject: [PATCH] Disallow relative paths that start with ../

Fixes a potential arbitrary file read vulnerability in yard server.
Thanks to ztz <ztz@ztz.me> for discovery of this security issue.
---
 lib/yard/core_ext/file.rb  | 2 ++
 spec/core_ext/file_spec.rb | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/yard/core_ext/file.rb.orig b/lib/yard/core_ext/file.rb
index 8999804..c7e9849 100644
--- a/./lib/yard/core_ext/file.rb.orig
+++ b/./lib/yard/core_ext/file.rb
@@ -39,6 +39,8 @@ class File
       if comp == RELATIVE_PARENTDIR && acc.size > 0 && acc.last != RELATIVE_PARENTDIR
         acc.pop
         next acc
+      elsif comp == RELATIVE_PARENTDIR && acc.empty?
+        next acc
       end
       acc << comp
     end
 
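Review bot: The new `elsif comp == RELATIVE_PARENTDIR && acc.empty?` branch silently drops a leading `..` instead of rejecting the path, and nothing in the code says this is the security-relevant behaviour. This changes the result for every caller of this helper, not only yard server, so a one-line comment above the branch would help, stating that parent-directory components which would climb above the starting point are discarded on purpose. With this branch in place a `..` is no longer appended when `acc` is empty, so if `acc` starts out empty the `acc.last != RELATIVE_PARENTDIR` test in the first condition can no longer be false; consider merging the two branches or noting why both are kept. The diffstat also lists `spec/core_ext/file_spec.rb` with 3 insertions and 3 deletions, but no hunk for it appears in this file, so the updated expectations for inputs that start with `../` cannot be reviewed here.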