r74188 - in /branches/squeeze/libmojolicious-perl: debian/changelog debian/patches/626135-fix-xss-issue-in-link_to-helper.patch debian/patches/series lib/Mojo/Path.pm lib/Mojolicious/Plugin/TagHelpers.pm t/mojo/path.t t/mojo/url.t t/mojox/routes/routes.t
carnil at users.alioth.debian.org
carnil at users.alioth.debian.org
Wed May 11 06:06:46 UTC 2011
Author: carnil
Date: Wed May 11 06:06:19 2011
New Revision: 74188
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=74188
Log:
[SECURITY] Fix XSS vulnerability in link_to helper. Fixes
CVE-2011-1841 (Closes: #626135).
Added:
branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch
Modified:
branches/squeeze/libmojolicious-perl/debian/changelog
branches/squeeze/libmojolicious-perl/debian/patches/series
branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm
branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm
branches/squeeze/libmojolicious-perl/t/mojo/path.t
branches/squeeze/libmojolicious-perl/t/mojo/url.t
branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t
Modified: branches/squeeze/libmojolicious-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/changelog?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/changelog (original)
+++ branches/squeeze/libmojolicious-perl/debian/changelog Wed May 11 06:06:19 2011
@@ -1,3 +1,10 @@
+libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=low
+
+ * [SECURITY] Fix XSS vulnerability in link_to helper. Fixes
+ CVE-2011-1841 (Closes: #626135).
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Mon, 09 May 2011 08:13:31 +0200
+
libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
* [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path
Added: branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch?rev=74188&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch Wed May 11 06:06:19 2011
@@ -1,0 +1,28 @@
+Description: Fix XSS issue in link_to helper
+Origin: backport, commit f6801ef7be8c78092e38f870b19fae3da0899d60
+Bug: http://bugs.debian.org/626135
+Forwarded: not-needed
+Author: Sebastian Riedel <sri at cpan.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2011-05-09
+Applied-Upstream: yes
+
+--- a/lib/Mojolicious/Plugin/TagHelpers.pm
++++ b/lib/Mojolicious/Plugin/TagHelpers.pm
+@@ -73,7 +73,7 @@
+ my $captures = ref $_[0] eq 'HASH' ? shift : {};
+
+ # Default content
+- push @_, sub { ucfirst $name }
++ push @_, sub { $name = Mojo::ByteStream->new($name)->xml_escape->to_string; ucfirst $name }
+ unless defined $_[-1] && ref $_[-1] eq 'CODE';
+
+ $self->_tag('a', href => $c->url_for($name, $captures), @_);
+@@ -119,6 +119,7 @@
+ my %attrs = @_;
+ for my $key (sort keys %attrs) {
+ my $value = $attrs{$key};
++ $value = Mojo::ByteStream->new($value)->xml_escape->to_string;
+ $tag .= qq/ $key="$value"/;
+ }
+
Modified: branches/squeeze/libmojolicious-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/series?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/series (original)
+++ branches/squeeze/libmojolicious-perl/debian/patches/series Wed May 11 06:06:19 2011
@@ -1,2 +1,3 @@
622952-path-traversal-vulnerability.patch
improve-RFC3986-compliance-of-Mojo-Path.patch
+626135-fix-xss-issue-in-link_to-helper.patch
Modified: branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm (original)
+++ branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm Wed May 11 06:06:19 2011
@@ -85,15 +85,21 @@
$self->leading_slash(1) if $path =~ /^\//;
$self->trailing_slash(1) if $path =~ /\/$/;
+ # Unescape
+ $path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;
+
# Parse
my @parts;
for my $part (split '/', $path) {
- # Garbage
- next unless length $part;
+ # Empty parts before the first are garbage
+ next unless length $part or scalar @parts;
+
+ # Empty parts behind the first are ok
+ $part = '' unless defined $part;
# Store
- push @parts, b($part)->url_unescape($Mojo::URL::PCHAR)->to_string;
+ push @parts, $part;
}
$self->parts(\@parts);
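Review bot: Moving the url_unescape call ahead of the split (the added line after the trailing_slash check) means a percent-encoded `%2F` inside a segment is now treated as a separator, so `/mojo%2Fg++…` parses as two parts — the url.t change in this commit pins exactly that — and the original encoded form cannot be recovered from `parts`. That is what canonicalize needs in order to see an encoded `..` as a real `..` segment (the path.t additions), but it is a visible API change for any caller relying on a literal `%2F` surviving a round-trip, and the changelog entry for this revision mentions only the link_to fix; a changelog line for the Mojo::Path change would help. The `$part = '' unless defined $part;` line looks redundant, since split without capture groups never yields undef fields, and the comment above it ("Empty parts behind the first are ok") describes the preceding `next` rather than this assignment. The enclosing parse method starts and ends outside the hunk.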
Modified: branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm (original)
+++ branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm Wed May 11 06:06:19 2011
@@ -73,7 +73,7 @@
my $captures = ref $_[0] eq 'HASH' ? shift : {};
# Default content
- push @_, sub { ucfirst $name }
+ push @_, sub { $name = Mojo::ByteStream->new($name)->xml_escape->to_string; ucfirst $name }
unless defined $_[-1] && ref $_[-1] eq 'CODE';
$self->_tag('a', href => $c->url_for($name, $captures), @_);
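Review bot: The default-content callback writes the escaped string back into the captured `$name`, so every invocation of the callback escapes it again (`&` becoming `&amp;amp;` on a second call) — harmless if `_tag` calls it exactly once, but the assignment is not needed for the fix; `push @_, sub { ucfirst Mojo::ByteStream->new($name)->xml_escape->to_string }` escapes without mutating the variable that is also passed to `url_for` on the last line. With the assignment, correctness additionally depends on `_tag` running the callback only after `$c->url_for($name, $captures)` has been evaluated, which the call site ensures but nothing documents. The same line is carried verbatim in the added debian/patches file. The enclosing helper sub starts and ends outside the hunk.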
@@ -119,6 +119,7 @@
my %attrs = @_;
for my $key (sort keys %attrs) {
my $value = $attrs{$key};
+ $value = Mojo::ByteStream->new($value)->xml_escape->to_string;
$tag .= qq/ $key="$value"/;
}
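Review bot: The new escaping line makes `_tag` escape every attribute value unconditionally, so a caller that already passed an escaped value now gets it escaped twice; the commit does not record this contract, and a comment above the line such as `# Attribute values are escaped here, callers pass raw strings` would make it explicit. Escaping matters in particular because the value is interpolated inside `qq/ $key="$value"/`, so a test asserting that a value containing `"` and `<` no longer breaks out of the attribute would pin the fix (none of the test hunks in this commit exercises the helper). The same line is duplicated in the added debian/patches file. The enclosing `_tag` sub starts and ends outside the hunk.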
Modified: branches/squeeze/libmojolicious-perl/t/mojo/path.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/t/mojo/path.t?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/t/mojo/path.t (original)
+++ branches/squeeze/libmojolicious-perl/t/mojo/path.t Wed May 11 06:06:19 2011
@@ -5,7 +5,7 @@
use strict;
use warnings;
-use Test::More tests => 3;
+use Test::More tests => 11;
# This is the greatest case of false advertising Iâve seen since I sued the
# movie âThe Never Ending Story.â
@@ -14,3 +14,18 @@
my $path = Mojo::Path->new;
is($path->parse('/path')->to_string, '/path', 'right path');
is($path->parse('/path/0')->to_string, '/path/0', 'right path');
+
+# Canonicalizing
+$path = Mojo::Path->new(
+ '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
+is $path->canonicalize, '/../../../../../../../../../../etc/passwd',
+ 'rigth result';
+is $path->parts->[0], '..', 'right part';
+$path = Mojo::Path->new(
+ '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], 'test', 'right part';
+is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
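Review bot: Four of the new descriptions read `'rigth result'`; `'right result'` keeps them consistent with the neighbouring `'right part'` labels. The assertions also pin that canonicalize keeps `..` segments that would climb above the root rather than dropping them; if that is deliberate, a short comment on the block, for example `# Leading .. must survive canonicalize so callers can reject it`, would stop a later cleanup from "fixing" the expectation. The enclosing test script continues outside the hunk.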
Modified: branches/squeeze/libmojolicious-perl/t/mojo/url.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/t/mojo/url.t?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/t/mojo/url.t (original)
+++ branches/squeeze/libmojolicious-perl/t/mojo/url.t Wed May 11 06:06:19 2011
@@ -7,7 +7,7 @@
use utf8;
-use Test::More tests => 111;
+use Test::More tests => 117;
use Mojo::ByteStream 'b';
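Review bot: The plan on the changed line goes from 111 to 117, but the hunk at the end of this file adds twelve `is` assertions (three URLs, four checks each), so unless assertions were removed elsewhere in the file outside these hunks the run will end with a plan mismatch; `use Test::More tests => 123;` looks like the intended value. The new `is` calls also carry no description, unlike the surrounding tests ('right path', 'right format'); a label such as `is($url->to_rel, '/foo//bar/23/', 'right relative path');` keeps failure output readable.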
@@ -121,12 +121,12 @@
is($url->userinfo, undef, 'no userinfo');
is($url->host, 'acme.s3.amazonaws.com', 'right host');
is($url->port, undef, 'no port');
-is($url->path, '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
+is($url->path, '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
ok(!$url->query, 'no query');
is_deeply($url->query->to_hash, {}, 'right structure');
is($url->fragment, undef, 'no fragment');
is("$url",
- 'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
+ 'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
'right format');
# Clone (advanced)
@@ -236,3 +236,17 @@
. '%D1%88%D0%B0%D1%80%D0%B8%D1%84%D1%83%D0%BB%D0%B8%D0%BD',
'right format'
);
+
+# Empty path elements
+$url = Mojo::URL->new('http://kraih.com/foo//bar/23/');
+$url->base->parse('http://kraih.com/');
+is($url->is_abs, 1);
+is($url->to_rel, '/foo//bar/23/');
+$url = Mojo::URL->new('http://kraih.com//foo//bar/23/');
+$url->base->parse('http://kraih.com/');
+is($url->is_abs, 1);
+is($url->to_rel, '/foo//bar/23/');
+$url = Mojo::URL->new('http://kraih.com/foo///bar/23/');
+$url->base->parse('http://kraih.com/');
+is($url->is_abs, 1);
+is($url->to_rel, '/foo///bar/23/');
Modified: branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t (original)
+++ branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t Wed May 11 06:06:19 2011
@@ -347,8 +347,8 @@
$m = MojoX::Routes::Match->new($tx)->match($r);
is($m->stack->[0]->{controller}, 'wild');
is($m->stack->[0]->{action}, 'card');
-is($m->stack->[0]->{wildcard}, 'http:/www.google.com');
-is($m->url_for, '/wildcards/1/http:/www.google.com');
+is($m->stack->[0]->{wildcard}, 'http://www.google.com');
+is($m->url_for, '/wildcards/1/http://www.google.com');
is(@{$m->stack}, 1);
$tx = Mojo::Transaction::HTTP->new;
$tx->req->method('GET');
@@ -357,7 +357,7 @@
is($m->stack->[0]->{controller}, 'wild');
is($m->stack->[0]->{action}, 'card');
is($m->stack->[0]->{wildcard}, 'http://www.google.com');
-is($m->url_for, '/wildcards/1/http:/www.google.com');
+is($m->url_for, '/wildcards/1/http://www.google.com');
is(@{$m->stack}, 1);
# Format