It seems like the following commit addressed the issue of checking for traversal before unescaping the URL:
but the author thought it wasn't exploitable, and thus (I am assuming) a new version of the 2.1.x branch hasn't been released, which AFAICT Rails depends on.
To exploit this vulnerability, the following URL must be sent via curl, WebScarab or any other tool that doesn't unescape the URL before sending. NOTE: the browser will unescape the URL, so it will not work if you access it via a browser. This URL assumes that your app is in /usr/local/blah/MyRails/
Also, please note that the code in server.rb tries to remove the leading slash too, but assumes that only one leading slash is present, which isn't true; that regexp needs to be corrected too.
While such a request doesn't return forbidden, it does raise Sprockets::FileOutsidePaths when trying to compile.
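As an added illustration of the two points raised in the comments above (the traversal check running before percent-decoding, and the single-leading-slash regexp), here is a constructed Ruby sketch; it is not code from Sprockets, Rack or Rails, and the function names, sample paths and asset root are all made up for the example.

```ruby
# Percent-decode a request path the way a server does before hitting the filesystem.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# The ordering the comments call out as broken: the traversal check looks at the
# still-escaped string, so an encoded ".." is not recognised, and the path is
# only decoded afterwards (hypothetical function, mirroring the described flaw).
def resolve_check_then_unescape(raw_path)
  return :forbidden if raw_path.split("/").include?("..")
  percent_decode(raw_path)
end

# Corrected ordering: decode first, strip any number of leading slashes (not just
# one), then inspect the decoded segments (hypothetical hardened counterpart).
def resolve_unescape_then_check(raw_path)
  decoded = percent_decode(raw_path).sub(%r{\A/+}, "")
  return :forbidden if decoded.split("/").include?("..")
  decoded
end

# Defence in depth, in the spirit of the FileOutsidePaths backstop mentioned above:
# resolve the decoded path against the asset root and refuse anything that escapes it,
# regardless of how the request was encoded.
def inside_root?(root, relative)
  full = File.expand_path(relative, root)
  full == root || full.start_with?(root + "/")
end

# Constructed sample request paths (not from any real report).
ENCODED_TRAVERSAL = "assets/%2e%2e/%2e%2e/secret.txt"
DOUBLE_SLASH      = "//assets/app.js"
ASSET_ROOT        = "/srv/app/public"   # constructed root directory

if __FILE__ == $PROGRAM_NAME
  puts resolve_check_then_unescape(ENCODED_TRAVERSAL).inspect  # slips through
  puts resolve_unescape_then_check(ENCODED_TRAVERSAL).inspect  # :forbidden
  puts resolve_unescape_then_check(DOUBLE_SLASH).inspect       # "assets/app.js"
  puts inside_root?(ASSET_ROOT, percent_decode(ENCODED_TRAVERSAL))  # false
end
```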