Fix CVE-2018-7212

[jankeesvw]

An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.

https://nvd.nist.gov/vuln/detail/CVE-2018-7212.

[jankeesvw]

@andyatkinson can you review this pull request?

[jankeesvw]

@ejschmitt can I do something to get this merged? Thanks!

[andyatkinson]

@jankeesvw Hi there. There are test failures on master, in the integration tests that use a fake mounted Rails app, e.g. TestMountedInRailsApp#test_failed, but those have been failing prior to this change. If you have time to debug and fix those tests, that would be great. Either way, I'll make a note to merge and release this change soon.

[jankeesvw]

Great! Thanks...

I'll base my project on this branch until this is available as released version.

[jankeesvw]

Hi @andyatkinson any update on this issue? Thanks!

[luigi]

@andyatkinson Would love to see this merged in!

[jankeesvw]

Maybe @ejschmitt can look at it?

[rcwhitney]

Hi - any update on getting this issue resolved and when a fix can be deployed? We use this gem and if we can't get this issue resolved, we're going to have to pull it out of our app in order to comply with our security requirements.

[jankeesvw]

Hi - any update on getting this issue resolved and when a fix can be deployed? We use this gem and if we can't get this issue resolved, we're going to have to pull it out of our app in order to comply with our security requirements.

👍 4

@rcwhitney you can use my fork until this is merged.

[andyatkinson]

delayed_job_web 1.4.2 was released, please update and reply back here if it's working ok.

[rcwhitney]

Thank you! We've already incorporated and verified it's working. Appreciate the quick jump on this!