From 27f85e54510a28b8215e7ad707d01e569faed99b Mon Sep 17 00:00:00 2001
From: Sam
Date: Thu, 10 Jul 2014 17:29:38 +1000
Subject: [PATCH] FIX: allow for subdirectorys for cdn assets
---
app/controllers/static_controller.rb | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index bf2764d28fe..cee9f184c1f 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -60,8 +60,13 @@ class StaticController < ApplicationController
 skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
 def cdn_asset
- path = params[:path].gsub(/[^a-zA-Z0-9_\-\.]/, "")
- path = (Rails.root + "public/assets/" + path).to_s
+ path = File.expand_path(Rails.root + "public/assets/" + params[:path])
+
+ # SECURITY what if path has /../
+ unless path.start_with?(Rails.root.to_s + "/public/assets")
+ raise Discourse::NotFound
+ end
+
 expires_in 1.year, public: true
 response.headers["Access-Control-Allow-Origin"] = params[:origin]
 begin
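Review bot: The containment check in the new `unless` compares against a prefix with no trailing separator, so any sibling of `public/assets` whose name merely begins with `assets` (e.g. `public/assets_old`) would satisfy `start_with?` after `File.expand_path` normalises the `..` segments; anchor the prefix on the directory boundary, `unless path.start_with?("#{Rails.root}/public/assets/")`. The added `# SECURITY what if path has /../` reads as an open question even though the check below is the answer — rephrase it to state the guarantee, e.g. `# expand_path collapses ../ segments; reject anything that escapes public/assets`. Note also that `expand_path` does not resolve symlinks and that `params[:path]` being nil would raise a TypeError before the guard; whether either matters here depends on the deployment, which is not visible in this hunk. The body of `cdn_asset` continues past the end of the hunk.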