Bug#880458: libcatalyst-plugin-static-simple-perl: leaks files without extention, inadvertently
Damyan Ivanov
dmn at debian.org
Tue Oct 31 19:42:07 UTC 2017
Package: libcatalyst-plugin-static-simple-perl
Version: 0.31
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=120558
>From upstream changelog for version 0.34:
Fix security vulnerability, when serving static files with dots in
the names (RT#120558)
Catalyst::Plugin::Static::Simple is a plugin for Catalyst, a web
framework in Perl. Its purpose is to serve static files, and it is
supposed to only serve files with extensions (from which it determines
the content type).
Due to the bug, however, any file under a directory whose name contains a
dot could be served.
the upstream fix is as follows:
--- a/lib/Catalyst/Plugin/Static/Simple.pm
+++ b/lib/Catalyst/Plugin/Static/Simple.pm
@@ -64,7 +64,7 @@ before prepare_action => sub {
}
# Does the path have an extension?
- if ( $path =~ /.*\.(\S{1,})$/xms ) {
+ if ( $path =~ /\.([^\/\\]+)$/m ) {
# and does it exist?
$c->_locate_static_file( $path );
}
That is, instead of matching one or more non-space characters between a
dot (including "/") and the end of the path, match one or more characters
different from "/" and "\" between a dot and the end of the path.
Cheers,
dam
More information about the pkg-perl-maintainers
mailing list