[Pkg-javascript-commits] [node-serve-static] 01/02: Upstream patch fixing CVE-2015-1164
Jérémy Lal
kapouer at moszumanska.debian.org
Sat Jan 31 11:12:20 UTC 2015
commit e780824eceaf6217e73e3da4fa4565872d1d9409
Author: Jérémy Lal <kapouer at melix.org>
Date: Sat Jan 31 12:10:20 2015 +0100
Upstream patch fixing CVE-2015-1164
---
debian/patches/CVE-2015-1164.patch | 71 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 72 insertions(+)
diff --git a/debian/patches/CVE-2015-1164.patch b/debian/patches/CVE-2015-1164.patch
new file mode 100644
index 0000000..3f3af1e
--- /dev/null
+++ b/debian/patches/CVE-2015-1164.patch
@@ -0,0 +1,71 @@
+Description: Fix open redirect when mounted at root
+Origin: https://github.com/expressjs/serve-static/commit/0399e399.patch
+Bug-Upstream: https://github.com/expressjs/serve-static/issues/26
+From: Douglas Christopher Wilson <doug at somethingdoug.com>
+Last-Update: 2015-01-31
+Reviewed-by: Jérémy Lal <kapouer at melix.org>
+Applied-Upstream: 1.7.2
+
+fixes #26
+--- a/index.js
++++ b/index.js
+@@ -79,10 +79,13 @@
+ return next()
+ }
+
+- originalUrl.pathname += '/'
++ // append trailing slash
++ originalUrl.pathname = collapseLeadingSlashes(originalUrl.pathname + '/')
+
++ // reformat the URL
+ var target = url.format(originalUrl)
+
++ // send redirect response
+ res.statusCode = 303
+ res.setHeader('Content-Type', 'text/html; charset=utf-8')
+ res.setHeader('Location', target)
+@@ -116,3 +119,19 @@
+ */
+
+ exports.mime = send.mime
++
++/**
++ * Collapse all leading slashes into a single slash
++ * @private
++ */
++function collapseLeadingSlashes(str) {
++ for (var i = 0; i < str.length; i++) {
++ if (str[i] !== '/') {
++ break
++ }
++ }
++
++ return i > 1
++ ? '/' + str.substr(i)
++ : str
++}
+--- a/test/test.js
++++ b/test/test.js
+@@ -259,6 +259,13 @@
+ .expect(303, done)
+ })
+
++ it('should not redirect to protocol-relative locations', function (done) {
++ request(server)
++ .get('//users')
++ .expect('Location', '/users/')
++ .expect(303, done)
++ })
++
+ it('should not redirect incorrectly', function (done) {
+ request(server)
+ .get('/')
+@@ -532,7 +539,7 @@
+ it('should not choke on auth-looking URL', function(done){
+ request(server)
+ .get('//todo at txt')
+- .expect('Location', '//todo at txt/')
++ .expect('Location', '/todo at txt/')
+ .expect(303, done);
+ });
+ });
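Review bot: `collapseLeadingSlashes` (the new function at the end of index.js in this patch) carries only a `@private` tag, yet it is the whole mitigation for the open redirect; its comment should say why it exists and what it takes, e.g. `Collapse all leading slashes into a single slash so the Location header can never become a protocol-relative URL (//host/...)` followed by `@param {string} str` and `@return {string}`. The loop index `i` is read after the loop at `return i > 1`, which works only because `var` is function-scoped; writing `var i` before the `for` (or a short comment) makes that intent explicit rather than incidental. The added test covers `//users` only; a case such as `.get('///users')` expecting `'/users/'` would pin the loop behaviour rather than a single extra slash. The redirect handler edited by the first inner hunk (the `originalUrl.pathname` lines) starts and ends outside the hunk, so where `originalUrl` is parsed cannot be checked here.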
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3181459
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2015-1164.patch