This repository has been archived by the owner. It is now read-only.
Check for directory traversal after unescaping
The `forbidden_request?` check could be trivially bypassed by percent-encoding `..` as `%2e%2e`. After auditing Sprockets and Hike and fuzzing a simple server, I don't believe this is exploitable. However, better safe than sorry/defense in depth/etc.

Conflicts:
	lib/sprockets/server.rb
Showing with 10 additions and 7 deletions.
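The point of the commit is that a traversal check has to run on the decoded path, not on the raw request string. The following is an added illustration written for this page, not Sprockets' own `forbidden_request?` implementation or the code in this commit; the function names, the hand-rolled `percent_decode` helper (used instead of a `URI` API so the snippet has no version-specific dependency) and the sample paths are all assumed.

```ruby
# Added example (not Sprockets code): why a directory-traversal check must be
# applied after percent-decoding.

# Minimal percent-decoder, a stand-in for URI unescaping. Assumed helper.
def percent_decode(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Weak check: inspects the raw path, so an encoded ".." (%2e%2e) is not seen.
def forbidden_request_raw?(path)
  path.split("/").include?("..")
end

# Hardened check: decode first, then inspect each path segment. Also rejects a
# NUL byte, which lower layers may treat as a string terminator.
def forbidden_request_decoded?(path)
  decoded = percent_decode(path)
  decoded.include?("\0") || decoded.split("/").include?("..")
end

# Constructed sample requests; the asset prefix is a placeholder.
SAMPLE_PATHS = [
  "/assets/app.js",
  "/assets/../config.yml",
  "/assets/%2e%2e/config.yml",
  "/assets/app.js%00.png",
].freeze

# Returns the paths each check would wrongly allow, for comparison.
def missed_by(checker)
  SAMPLE_PATHS.reject { |p| p == SAMPLE_PATHS[0] }.reject { |p| send(checker, p) }
end

if __FILE__ == $0
  SAMPLE_PATHS.each do |p|
    printf "%-28s raw:%-5s decoded:%s\n",
           p, forbidden_request_raw?(p), forbidden_request_decoded?(p)
  end
end
```

Running the file prints one line per sample path; the raw check lets the `%2e%2e` and NUL variants through, while the decoded check rejects every traversal attempt and still allows the plain asset path.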