pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/misc/ruby-sprockets22 misc/ruby-sprockets22 Add fix fo...
details: https://anonhg.NetBSD.org/pkgsrc/rev/ac6baf91aa00
branches: trunk
changeset: 312625:ac6baf91aa00
user: taca <taca%pkgsrc.org@localhost>
date: Sat Sep 08 16:59:45 2018 +0000
description:
misc/ruby-sprockets22 Add fix for CVE-2018-3760
* Add fix for CVE-2018-3760.
* pkgsrc change: update HOMEPAGE.
diffstat:
misc/ruby-sprockets22/Makefile | 6 ++--
misc/ruby-sprockets22/distinfo | 3 +-
misc/ruby-sprockets22/patches/patch-lib_sprockets_server.rb | 15 +++++++++++++
3 files changed, 20 insertions(+), 4 deletions(-)
diffs (50 lines):
diff -r c6ea0229f245 -r ac6baf91aa00 misc/ruby-sprockets22/Makefile
--- a/misc/ruby-sprockets22/Makefile Sat Sep 08 16:24:48 2018 +0000
+++ b/misc/ruby-sprockets22/Makefile Sat Sep 08 16:59:45 2018 +0000
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile,v 1.6 2017/09/02 14:58:36 taca Exp $
+# $NetBSD: Makefile,v 1.7 2018/09/08 16:59:45 taca Exp $
DISTNAME= sprockets-2.2.3
PKGNAME= ${RUBY_PKGPREFIX}-${DISTNAME:S/sprockets/sprockets22/}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= www
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
-HOMEPAGE= https://github.com/sstephenson/sprockets
+HOMEPAGE= https://github.com/rails/sprockets
COMMENT= Rack-based asset packaging system
LICENSE= mit
diff -r c6ea0229f245 -r ac6baf91aa00 misc/ruby-sprockets22/distinfo
--- a/misc/ruby-sprockets22/distinfo Sat Sep 08 16:24:48 2018 +0000
+++ b/misc/ruby-sprockets22/distinfo Sat Sep 08 16:59:45 2018 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.3 2015/11/03 23:49:51 agc Exp $
+$NetBSD: distinfo,v 1.4 2018/09/08 16:59:45 taca Exp $
SHA1 (sprockets-2.2.3.gem) = c81e5cada0dfa45298678e57401819b13b7cb1ae
RMD160 (sprockets-2.2.3.gem) = 83647cf6b27a3474127ea3c96bfb80865c5af39d
SHA512 (sprockets-2.2.3.gem) = f4192aa296cdf5a92fd0b30e3184e1f8fda85fcdc91d6a60f309853599eea4d6cde780b930e2d2d34eeff66d5bd76b614cd24b70264c84234cf4ae9ab884ca51
Size (sprockets-2.2.3.gem) = 37376 bytes
+SHA1 (patch-lib_sprockets_server.rb) = f3141893a9f2171a3692d8cbfa96339c9982c190
diff -r c6ea0229f245 -r ac6baf91aa00 misc/ruby-sprockets22/patches/patch-lib_sprockets_server.rb
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/ruby-sprockets22/patches/patch-lib_sprockets_server.rb Sat Sep 08 16:59:45 2018 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-lib_sprockets_server.rb,v 1.1 2018/09/08 16:59:45 taca Exp $
+
+Try to avoid CVE-2018-3760.
+
+--- lib/sprockets/server.rb.orig 2018-06-20 01:37:23.885194827 +0000
++++ lib/sprockets/server.rb
+@@ -90,7 +90,7 @@ module Sprockets
+ #
+ # http://example.org/assets/../../../etc/passwd
+ #
+- path.include?("..") || Pathname.new(path).absolute?
++ path.include?("..") || Pathname.new(path).absolute? || path.include?("://")
+ end
+
+ # Returns a 403 Forbidden response tuple
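Review bot: in the `@@ -90,7 +90,7 @@` hunk of lib/sprockets/server.rb, the added `path.include?("://")` test is a literal substring match, and nothing in the visible lines shows whether `path` has already been URL-decoded when this method runs. If the check sees the raw request path, a percent-encoded separator would not match, so please confirm that the method is called on the unescaped path; the same question applies to the existing `path.include?("..")` test. The comment above the expression still documents only the `../` traversal example, so one more comment line saying that paths containing a URI scheme separator are rejected as well would explain the new condition. The patch header "Try to avoid CVE-2018-3760." would also be more useful if it cited where the change comes from (an upstream commit or advisory), so the patch can be dropped cleanly on a later update.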