Comparing changes

base repository: rails/sprockets
base: v2.12.4
...
head repository: rails/sprockets
compare: v2.12.5
  • 5 commits
  • 5 files changed
  • 3 contributors

Commits on Aug 18, 2015

  1. Notify on campfire

    rafaelfranca committed Aug 18, 2015
    d487c31

Commits on Aug 22, 2015

  1. Test on 2.2

    schneems committed Aug 22, 2015
    18309b0
  2. Add test-unit gem

    schneems committed Aug 22, 2015
    2199a60

Commits on Jun 19, 2018

  1. Do not respond to http requests asking for a file://

    Based on CVE-2018-3760: when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted URL that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb`, then the code in that file will be executed.
    
    A Rails app will be using the Sprockets file server in production if it has accidentally been configured with:
    
    ```ruby
    config.assets.compile = true # Your app is vulnerable
    ```
    
    It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with Rails (`config.public_file_server.enabled = true`).
    
    This patch mitigates the issue by explicitly disallowing any requests to any URI resources via the server.
    schneems committed Jun 19, 2018
    18b8a7f
  2. v2.12.5

    schneems committed Jun 19, 2018
    d51c58c
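The commit "Do not respond to http requests asking for a file://" above describes refusing requests for URI resources before the asset server resolves anything on disk. The following is an added illustration of that kind of guard, not Sprockets' own code: the module and method names (`AssetPathGuard`, `forbidden?`, `status_for`) and the exact rules are hypothetical, and the sample paths are constructed.

```ruby
require "pathname"

# Added illustration, not Sprockets' own code: a guard of the kind the commit
# message describes, run on the path a development asset server derives from
# PATH_INFO before it resolves anything on disk.
module AssetPathGuard
  # A URI scheme prefix such as "file:" or "http:" (RFC 3986 scheme syntax).
  SCHEME = /\A[A-Za-z][A-Za-z0-9+.\-]*:/

  # Percent-decode first so "%2e%2e" and "file%3A" are judged on their
  # decoded form, which is what the file system would eventually see.
  def self.decode(path)
    path.to_s.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  end

  # Returns true when the request must be refused. Hypothetical rules that
  # mirror the commit's intent: no URI resources, no escape from the asset root.
  def self.forbidden?(raw_path)
    # Logical path: exactly one leading slash removed, so "//x" stays absolute.
    path = decode(raw_path).sub(%r{\A/}, "")
    return true if path.match?(SCHEME)            # "file://..." or any other scheme
    return true if path.start_with?("/", "\\")    # absolute path outside the asset root
    path.split(%r{[/\\]}).include?("..")          # parent-directory traversal
  end

  # Minimal Rack-style status decision for a request path.
  def self.status_for(raw_path)
    forbidden?(raw_path) ? 403 : 200
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request paths.
  %w[/application.js /file:///tmp/example.erb /%2e%2e/config.ru //tmp/constructed.txt].each do |p|
    puts "#{p.ljust(30)} -> #{AssetPathGuard.status_for(p)}"
  end
end
```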