rpms / rh-ror50-rubygem-sprockets

Clone
Source Code
GIT

Files

c7
  1.   c7
  2.   SOURCES
  3.   rubygem-sprockets-3.7.2-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch
Blob Blame History Raw 
From 9c34fa05900b968d74f08ccf40917848a7be9441 Mon Sep 17 00:00:00 2001
From: schneems <richard.schneeman+foo@gmail.com>
Date: Tue, 24 Apr 2018 16:32:22 -0500
Subject: [PATCH] Do not respond to http requests asking for a `file://`

Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.

A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:

```ruby
config.assets.compile = true # Your app is vulnerable
```

It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.

This patch mitigates the issue, but explicitly disallowing any requests to any URI resources via the server.
---
 lib/sprockets/server.rb | 2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
index 795bdec7..2ad2c9ab 100644
--- a/lib/sprockets/server.rb
+++ b/lib/sprockets/server.rb
@@ -115,7 +115,7 @@ def forbidden_request?(path)
         #
         #     http://example.org/assets/../../../etc/passwd
         #
-        path.include?("..") || absolute_path?(path)
+        path.include?("..") || absolute_path?(path) || path.include?("://")
       end
 
       def head_request?(env)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation