Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
rubygem-yard.36404
CVE-2017-17042.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2017-17042.patch of Package rubygem-yard.36404
From b0217b3e30dc53d057b1682506333335975e62b4 Mon Sep 17 00:00:00 2001 From: Loren Segal <lsegal@soen.ca> Date: Thu, 23 Nov 2017 13:34:33 -0800 Subject: [PATCH] Disallow relative paths that start with ../ Fixes a potential arbitrary file read vulnerability in yard server. Thanks to ztz <ztz@ztz.me> for discovery of this security issue. --- lib/yard/core_ext/file.rb | 2 ++ spec/core_ext/file_spec.rb | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/yard/core_ext/file.rb.orig b/lib/yard/core_ext/file.rb index 8999804..c7e9849 100644 --- a/./lib/yard/core_ext/file.rb.orig +++ b/./lib/yard/core_ext/file.rb @@ -39,6 +39,8 @@ class File if comp == RELATIVE_PARENTDIR && acc.size > 0 && acc.last != RELATIVE_PARENTDIR acc.pop next acc + elsif comp == RELATIVE_PARENTDIR && acc.empty? + next acc end acc << comp end
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor