Project: openSUSE:Leap:42.3:Update
File fix_cve_2018_3760.patch of Package rubygem-sprockets
From c09131cf5b2c479263939c8582e22b98ed616c5f Mon Sep 17 00:00:00 2001 From: schneems <richard.schneeman+foo@gmail.com> Date: Tue, 24 Apr 2018 16:37:53 -0500 Subject: [PATCH] Do not respond to http requests asking for a `file://` Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed. A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to: ```ruby config.assets.compile = true # Your app is vulnerable ``` It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`. This patch mitigates the issue, but explicitly disallowing any requests to uri resources via the server. --- lib/sprockets/server.rb | 2 +- test/test_server.rb | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/a/lib/sprockets/server.rb b/b/lib/sprockets/server.rb index 0430e48..41c2371 100644 --- a/lib/sprockets/server.rb +++ b/lib/sprockets/server.rb @@ -115,7 +115,7 @@ module Sprockets # # http://example.org/assets/../../../etc/passwd # - path.include?("..") || absolute_path?(path) + path.include?("..") || absolute_path?(path) || path.include?("://") end # Returns a 200 OK response tuple
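Review bot: the comment block directly above the changed line in lib/sprockets/server.rb still documents only the `..` traversal case (`http://example.org/assets/../../../etc/passwd`), so the new `path.include?("://")` condition lands with no stated rationale; add a line to that comment naming the `file://` request the commit message describes, otherwise a later reader of server.rb will not know why a substring match on `://` sits beside the traversal check. The substring test is also broader than the `file://` scheme it targets (any asset name containing `://` is refused), which is fine for a deny rule but belongs in the comment as well. Separately, the diffstat lists `test/test_server.rb` with 7 added lines, but the excerpt on this page ends at the server.rb hunk, so the regression test cannot be reviewed here; confirm the packaged patch carries both hunks.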
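To make the effect of the one-line change concrete, the following is an added, stand-alone Ruby model of the Sprockets server's forbidden-request check before and after the fix, run over a set of constructed request paths. It is not code from the Sprockets project or from this patch: the module and method names, the mount-point handling and the sample requests are assumptions made for this illustration, and the assumption that the request path is percent-decoded before the check runs (as a Rack layer would do) is noted in the code.

```ruby
# Added example, not from the Sprockets patch: models forbidden_request? before and
# after the CVE-2018-3760 fix over constructed request paths. Names, mount-point
# handling and sample requests are assumptions for this illustration.
require "uri"

module AssetPathCheck
  # Mirrors the POSIX notion used by Sprockets' absolute_path?: a path is
  # absolute when it starts with the filesystem separator.
  def self.absolute_path?(path)
    path.start_with?(File::SEPARATOR)
  end

  # Pre-fix rule from the hunk: only ".." traversal and absolute paths are refused.
  def self.forbidden_before?(path)
    path.include?("..") || absolute_path?(path)
  end

  # Post-fix rule: additionally refuse anything carrying a URI scheme separator,
  # so a request such as "file:///etc/passwd" is never handed to the asset lookup.
  def self.forbidden_after?(path)
    forbidden_before?(path) || path.include?("://")
  end

  # Model of how PATH_INFO reaches the check: strip the mount point and
  # percent-decode. Assumption: the real server unescapes the path before testing
  # it, so an encoded "file%3A%2F%2F" is seen as "file://".
  def self.asset_path_from(path_info, mount: "/assets/")
    raw = path_info.start_with?(mount) ? path_info[mount.length..] : path_info
    URI.decode_www_form_component(raw)
  end

  # Returns { path_info => [blocked_before_fix, blocked_after_fix] }
  def self.evaluate(requests)
    requests.to_h do |path_info|
      p = asset_path_from(path_info)
      [path_info, [forbidden_before?(p), forbidden_after?(p)]]
    end
  end
end

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
  "/assets/application-abc123.js",                    # legitimate digest asset
  "/assets/../../../etc/passwd",                      # traversal, refused before and after
  "/assets//etc/passwd",                              # absolute path, refused before and after
  "/assets/file:///etc/passwd",                       # URI form, refused only after the fix
  "/assets/file%3A%2F%2F%2Fetc%2Fpasswd",             # same request, percent-encoded
  "/assets/file:///srv/app/config/database.yml.erb",  # compilable extension: code execution path
].freeze

if $PROGRAM_NAME == __FILE__
  AssetPathCheck.evaluate(SAMPLE_REQUESTS).each do |req, (before, after)|
    puts format("%-52s before=%-5s after=%s", req, before, after)
  end
end
```

The two `file://` requests are the ones the pre-fix rule lets through: neither contains `..` nor begins with `/` once the mount point is stripped, so only the added `://` test stops them. The mitigation is still a deny rule on one input form; the commit message's primary advice stands, which is to keep `config.assets.compile = false` in production and serve precompiled assets from disk.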