r72653 - in /trunk/libmojolicious-perl: Changes MANIFEST META.yml debian/changelog lib/Mojo/Path.pm lib/Mojolicious.pm t/mojo/path.t t/mojo/url.t

carnil at users.alioth.debian.org carnil at users.alioth.debian.org
Sat Apr 16 06:15:28 UTC 2011


Author: carnil
Date: Sat Apr 16 06:15:09 2011
New Revision: 72653

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=72653
Log:
* Team upload.
* New upstream release.
  + Fix path security vulnerability (Closes: #622952).

Modified:
    trunk/libmojolicious-perl/Changes
    trunk/libmojolicious-perl/MANIFEST
    trunk/libmojolicious-perl/META.yml
    trunk/libmojolicious-perl/debian/changelog
    trunk/libmojolicious-perl/lib/Mojo/Path.pm
    trunk/libmojolicious-perl/lib/Mojolicious.pm
    trunk/libmojolicious-perl/t/mojo/path.t
    trunk/libmojolicious-perl/t/mojo/url.t

Modified: trunk/libmojolicious-perl/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/Changes?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/Changes (original)
+++ trunk/libmojolicious-perl/Changes Sat Apr 16 06:15:09 2011
@@ -1,4 +1,8 @@
 This file documents the revision history for Perl extension Mojolicious.
+
+1.16 2011-04-15 00:00:00
+        - Emergency release for a critical security issue that can expose
+          files on your system, everybody should update!
 
 1.15 2011-03-18 00:00:00
         - Changed default log level in "production" mode from "error" to

Modified: trunk/libmojolicious-perl/MANIFEST
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/MANIFEST?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/MANIFEST (original)
+++ trunk/libmojolicious-perl/MANIFEST Sat Apr 16 06:15:09 2011
@@ -103,6 +103,7 @@
 Makefile.PL
 MANIFEST			This list of files
 MANIFEST.SKIP
+META.yml
 README.pod
 script/hypnotoad
 script/mojo
@@ -218,4 +219,3 @@
 t/mojolicious/websocket_tls_proxy_lite_app.t
 t/pod.t
 t/pod_coverage.t
-META.yml                                 Module meta-data (added by MakeMaker)

Modified: trunk/libmojolicious-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/META.yml?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/META.yml (original)
+++ trunk/libmojolicious-perl/META.yml Sat Apr 16 06:15:09 2011
@@ -1,6 +1,6 @@
 --- #YAML:1.0
 name:               Mojolicious
-version:            1.15
+version:            1.16
 abstract:           The Web In A Box!
 author:
     - Sebastian Riedel <sri at cpan.org>

Modified: trunk/libmojolicious-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/debian/changelog?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/debian/changelog (original)
+++ trunk/libmojolicious-perl/debian/changelog Sat Apr 16 06:15:09 2011
@@ -1,3 +1,11 @@
+libmojolicious-perl (1.16-1) UNRELEASED; urgency=high
+
+  * Team upload.
+  * New upstream release.
+    + Fix path security vulnerablility (Closes: #622952).
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 16 Apr 2011 08:11:46 +0200
+
 libmojolicious-perl (1.15-1) unstable; urgency=low
 
   * New upstream release

Modified: trunk/libmojolicious-perl/lib/Mojo/Path.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/lib/Mojo/Path.pm?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/lib/Mojo/Path.pm (original)
+++ trunk/libmojolicious-perl/lib/Mojo/Path.pm Sat Apr 16 06:15:09 2011
@@ -80,6 +80,9 @@
   $path =~ /^\// ? $self->leading_slash(1)  : $self->leading_slash(0);
   $path =~ /\/$/ ? $self->trailing_slash(1) : $self->trailing_slash(0);
 
+  # Unescape
+  url_unescape $path;
+
   # Parse
   my @parts;
   for my $part (split '/', $path) {
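Review bot: The leading- and trailing-slash checks just above the new `url_unescape $path;` still run on the escaped string, while `split '/'` now runs on the decoded one, so a path that begins or ends with `%2f` records `leading_slash(0)` / `trailing_slash(0)` even though the split treats that slash as a separator. Moving `url_unescape $path;` above those two checks would make both views of the path agree. The `# Unescape` comment could also say why the order matters, for example `# Unescape before splitting so an encoded "/" cannot hide ".." parts from canonicalize`. The enclosing sub starts before and ends after this hunk, so how the loop treats empty parts is not visible here.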
@@ -91,7 +94,6 @@
     $part = '' unless defined $part;
 
     # Store
-    url_unescape $part;
     push @parts, $part;
   }
 

Modified: trunk/libmojolicious-perl/lib/Mojolicious.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/lib/Mojolicious.pm?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/lib/Mojolicious.pm (original)
+++ trunk/libmojolicious-perl/lib/Mojolicious.pm Sat Apr 16 06:15:09 2011
@@ -29,7 +29,7 @@
 has types    => sub { Mojolicious::Types->new };
 
 our $CODENAME = 'Smiling Cat Face With Heart-Shaped Eyes';
-our $VERSION  = '1.15';
+our $VERSION  = '1.16';
 
 # "These old doomsday devices are dangerously unstable.
 #  I'll rest easier not knowing where they are."

Modified: trunk/libmojolicious-perl/t/mojo/path.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/t/mojo/path.t?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/t/mojo/path.t (original)
+++ trunk/libmojolicious-perl/t/mojo/path.t Sat Apr 16 06:15:09 2011
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 3;
+use Test::More tests => 11;
 
 # "This is the greatest case of false advertising I’ve seen since I sued the
 #  movie 'The Never Ending Story.'"
@@ -12,3 +12,18 @@
 my $path = Mojo::Path->new;
 is $path->parse('/path')->to_string,   '/path',   'right path';
 is $path->parse('/path/0')->to_string, '/path/0', 'right path';
+
+# Canonicalizing
+$path = Mojo::Path->new(
+  '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
+is $path->canonicalize, '/../../../../../../../../../../etc/passwd',
+  'rigth result';
+is $path->parts->[0], '..', 'right part';
+$path = Mojo::Path->new(
+  '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], 'test', 'right part';
+is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
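Review bot: The new assertions pin that `canonicalize` keeps leading `..` parts (`$path->parts->[0]` is still `'..'` afterwards), so the fix protects file serving only if the code that maps the path to a file rejects such a path; that caller is not part of this commit. A comment above the block would make the contract explicit, for example `# canonicalize keeps leading ".." parts; callers that map paths to files must reject them`. The description `'rigth result'` is misspelled in four assertions and should read `'right result'`. Only the lowercase `%2f` form is exercised here; one case using `%2F` would confirm that decoding does not depend on the hex digits' case.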

Modified: trunk/libmojolicious-perl/t/mojo/url.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libmojolicious-perl/t/mojo/url.t?rev=72653&op=diff
==============================================================================
--- trunk/libmojolicious-perl/t/mojo/url.t (original)
+++ trunk/libmojolicious-perl/t/mojo/url.t Sat Apr 16 06:15:09 2011
@@ -135,17 +135,17 @@
 # Real world tests
 $url = Mojo::URL->new('http://acme.s3.amazonaws.com'
     . '/mojo%2Fg%2B%2B-4%2E2_4%2E2%2E3-2ubuntu7_i386%2Edeb');
-is $url->is_abs,   1,                                         'is absolute';
-is $url->scheme,   'http',                                    'right scheme';
-is $url->userinfo, undef,                                     'no userinfo';
-is $url->host,     'acme.s3.amazonaws.com',                   'right host';
-is $url->port,     undef,                                     'no port';
-is $url->path,     '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path';
+is $url->is_abs,   1,                                       'is absolute';
+is $url->scheme,   'http',                                  'right scheme';
+is $url->userinfo, undef,                                   'no userinfo';
+is $url->host,     'acme.s3.amazonaws.com',                 'right host';
+is $url->port,     undef,                                   'no port';
+is $url->path,     '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path';
 ok !$url->query->to_string, 'no query';
 is_deeply $url->query->to_hash, {}, 'right structure';
 is $url->fragment, undef, 'no fragment';
 is "$url",
-  'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
+  'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
   'right format';
 
 # Clone (advanced)
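Review bot: The round-trip loss of an encoded slash is pinned by these updated assertions but documented nowhere in the commit: an input containing `mojo%2Fg%2B%2B-…` now stringifies as `/mojo/g++-…`, because the path is decoded on parse and the slash is not re-encoded on output. For a store that treats `%2F` as part of a single key, as this "real world" example presumably does, the serialised URL names a different resource than the one given. A comment above the assertions, for example `# Since 1.16 an encoded "/" in the path is decoded on parse and not restored by to_string`, plus a line in Changes, would make the trade-off visible to users of Mojo::URL.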



