This Laravel 4 package provides a very simple and easy-to-use asset pipeline. It was heavily inspired by the Rails asset pipeline. We make use of the wonderful Assetic package to help with pre-compilation!
I've found a directory traversal vulnerability in this library caused by the route wildcard .* that passes every set of characters as a path to the configured controller. So an attacker could make a request like the following:
http://domain.com/assets/..%252f..%252f..%252fcomposer.json
And get access to files that should never be exposed. This could be avoided by sanitizing the path before it reaches the controller method.
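
One way to do the sanitizing suggested above, as an added example that is not part of the original report or the package's own code. The helper resolveAssetPath() is hypothetical, and the directory layout and file names are constructed for the demo. It decodes the request path until it stops changing, canonicalises it with realpath(), and returns it only if it is still inside the assets directory.

```php
<?php
// Added example: resolveAssetPath() is a hypothetical helper, not the package's code.
function resolveAssetPath(string $baseDir, string $requested): ?string
{
    // Decode until stable so a double-encoded separator (%252f -> %2f -> /)
    // is checked in the form the filesystem would finally see.
    for ($i = 0; $i < 5; $i++) {
        $decoded = rawurldecode($requested);
        if ($decoded === $requested) {
            break;
        }
        $requested = $decoded;
    }
    // Still changing after the cap, or carrying a NUL byte: refuse.
    if (rawurldecode($requested) !== $requested || strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false means no such file.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against base plus separator so a sibling directory such as
    // "assets-old" does not pass as "assets".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed layout: <root>/composer.json and <root>/app/public/assets/site.css
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'asset_demo_' . uniqid();
$assets = $root . '/app/public/assets';
mkdir($assets, 0700, true);
file_put_contents($root . '/composer.json', '{}');
file_put_contents($assets . '/site.css', 'body{}');

$requests = ['site.css', '../../../composer.json',
             '..%2f..%2f..%2fcomposer.json', '..%252f..%252f..%252fcomposer.json'];
foreach ($requests as $r) {
    $resolved = resolveAssetPath($assets, $r);
    printf("%-40s => %s\n", $r, $resolved === null ? 'rejected' : 'served');
}
```

The containment check runs on the canonical path rather than on the raw string, so it does not depend on how many decoding layers sit between the web server and the controller.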