r74188 - in /branches/squeeze/libmojolicious-perl: debian/changelog debian/patches/626135-fix-xss-issue-in-link_to-helper.patch debian/patches/series lib/Mojo/Path.pm lib/Mojolicious/Plugin/TagHelpers.pm t/mojo/path.t t/mojo/url.t t/mojox/routes/routes.t

carnil at users.alioth.debian.org carnil at users.alioth.debian.org
Wed May 11 06:06:46 UTC 2011


Author: carnil
Date: Wed May 11 06:06:19 2011
New Revision: 74188

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=74188
Log:
[SECURITY] Fix XSS vulnerability in link_to helper. Fixes
CVE-2011-1841 (Closes: #626135).

Added:
    branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch
Modified:
    branches/squeeze/libmojolicious-perl/debian/changelog
    branches/squeeze/libmojolicious-perl/debian/patches/series
    branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm
    branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm
    branches/squeeze/libmojolicious-perl/t/mojo/path.t
    branches/squeeze/libmojolicious-perl/t/mojo/url.t
    branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t

Modified: branches/squeeze/libmojolicious-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/changelog?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/changelog (original)
+++ branches/squeeze/libmojolicious-perl/debian/changelog Wed May 11 06:06:19 2011
@@ -1,3 +1,10 @@
+libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=low
+
+  * [SECURITY] Fix XSS vulnerability in link_to helper. Fixes
+    CVE-2011-1841 (Closes: #626135).
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Mon, 09 May 2011 08:13:31 +0200
+
 libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
 
   * [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path

Added: branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch?rev=74188&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/626135-fix-xss-issue-in-link_to-helper.patch Wed May 11 06:06:19 2011
@@ -1,0 +1,28 @@
+Description: Fix XSS issue in link_to helper
+Origin: backport, commit f6801ef7be8c78092e38f870b19fae3da0899d60
+Bug: http://bugs.debian.org/626135
+Forwarded: not-needed
+Author: Sebastian Riedel <sri at cpan.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2011-05-09
+Applied-Upstream: yes
+
+--- a/lib/Mojolicious/Plugin/TagHelpers.pm
++++ b/lib/Mojolicious/Plugin/TagHelpers.pm
+@@ -73,7 +73,7 @@
+             my $captures = ref $_[0] eq 'HASH' ? shift : {};
+ 
+             # Default content
+-            push @_, sub { ucfirst $name }
++            push @_, sub { $name = Mojo::ByteStream->new($name)->xml_escape->to_string; ucfirst $name }
+               unless defined $_[-1] && ref $_[-1] eq 'CODE';
+ 
+             $self->_tag('a', href => $c->url_for($name, $captures), @_);
+@@ -119,6 +119,7 @@
+     my %attrs = @_;
+     for my $key (sort keys %attrs) {
+         my $value = $attrs{$key};
++        $value = Mojo::ByteStream->new($value)->xml_escape->to_string;
+         $tag .= qq/ $key="$value"/;
+     }
+ 
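Review bot: The replacement default-content closure writes the escaped string back into the captured `$name`, so every call of the callback escapes it again; if `_tag` or any caller invokes the callback more than once the text ends up double-escaped, and the mutation is not needed because `sub { ucfirst Mojo::ByteStream->new($name)->xml_escape->to_string }` yields the same output while leaving `$name` intact for the `url_for($name, $captures)` call. The identical lines are applied again in the `lib/Mojolicious/Plugin/TagHelpers.pm` hunks below (`@@ -73,7 +73,7 @@` and `@@ -119,6 +119,7 @@`), so the same remarks hold there. In the `_tag` attribute loop the new `$value = ...xml_escape...` line escapes every value unconditionally: an undef value reaches `xml_escape` unguarded, and callers that already escaped an attribute value will now get `&amp;amp;`, a behaviour change worth recording in the patch Description. Both enclosing subs start and end outside the hunk, so whether `Mojo::ByteStream` is already loaded in this file cannot be confirmed here; if it is not, the patch needs a `use Mojo::ByteStream;` as well.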

Modified: branches/squeeze/libmojolicious-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/series?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/series (original)
+++ branches/squeeze/libmojolicious-perl/debian/patches/series Wed May 11 06:06:19 2011
@@ -1,2 +1,3 @@
 622952-path-traversal-vulnerability.patch
 improve-RFC3986-compliance-of-Mojo-Path.patch
+626135-fix-xss-issue-in-link_to-helper.patch

Modified: branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm (original)
+++ branches/squeeze/libmojolicious-perl/lib/Mojo/Path.pm Wed May 11 06:06:19 2011
@@ -85,15 +85,21 @@
     $self->leading_slash(1)  if $path =~ /^\//;
     $self->trailing_slash(1) if $path =~ /\/$/;
 
+    # Unescape
+    $path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;
+
     # Parse
     my @parts;
     for my $part (split '/', $path) {
 
-        # Garbage
-        next unless length $part;
+        # Empty parts before the first are garbage
+        next unless length $part or scalar @parts;
+
+        # Empty parts behind the first are ok
+        $part = '' unless defined $part;
 
         # Store
-        push @parts, b($part)->url_unescape($Mojo::URL::PCHAR)->to_string;
+        push @parts, $part;
     }
 
     $self->parts(\@parts);
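Review bot: The new line `$part = '' unless defined $part;` is dead code: `split '/', $path` never produces undef fields, only empty strings, and `length $part` has already been evaluated on the `next unless` line above it, so it can be dropped (or moved above the `next` if a guard is really wanted). Moving the unescape ahead of the split means a percent-encoded `%2F` is now treated exactly like a literal `/` delimiter, which is what the changed `t/mojo/url.t` expectation (`/mojo/g++-...` instead of `/mojo%2Fg++-...`) and the new `t/mojo/path.t` cases codify; RFC 3986 treats an encoded slash inside a segment as data, so any route or resource mapping that relied on that distinction should be re-checked, since the removed per-part `url_unescape` preserved it. `leading_slash`/`trailing_slash` are still detected on the encoded string while the parts come from the decoded one, so a path ending in `%2F` yields neither a trailing empty part nor the trailing-slash flag; a comment on the `# Unescape` line stating that this ordering is intentional would help. The enclosing method (presumably `parse`) starts and ends outside the hunk.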

Modified: branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm (original)
+++ branches/squeeze/libmojolicious-perl/lib/Mojolicious/Plugin/TagHelpers.pm Wed May 11 06:06:19 2011
@@ -73,7 +73,7 @@
             my $captures = ref $_[0] eq 'HASH' ? shift : {};
 
             # Default content
-            push @_, sub { ucfirst $name }
+            push @_, sub { $name = Mojo::ByteStream->new($name)->xml_escape->to_string; ucfirst $name }
               unless defined $_[-1] && ref $_[-1] eq 'CODE';
 
             $self->_tag('a', href => $c->url_for($name, $captures), @_);
@@ -119,6 +119,7 @@
     my %attrs = @_;
     for my $key (sort keys %attrs) {
         my $value = $attrs{$key};
+        $value = Mojo::ByteStream->new($value)->xml_escape->to_string;
         $tag .= qq/ $key="$value"/;
     }
 

Modified: branches/squeeze/libmojolicious-perl/t/mojo/path.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/t/mojo/path.t?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/t/mojo/path.t (original)
+++ branches/squeeze/libmojolicious-perl/t/mojo/path.t Wed May 11 06:06:19 2011
@@ -5,7 +5,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 3;
+use Test::More tests => 11;
 
 # This is the greatest case of false advertising I’ve seen since I sued the
 # movie “The Never Ending Story.”
@@ -14,3 +14,18 @@
 my $path = Mojo::Path->new;
 is($path->parse('/path')->to_string,   '/path',   'right path');
 is($path->parse('/path/0')->to_string, '/path/0', 'right path');
+
+# Canonicalizing
+$path = Mojo::Path->new(
+  '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
+is $path->canonicalize, '/../../../../../../../../../../etc/passwd',
+  'rigth result';
+is $path->parts->[0], '..', 'right part';
+$path = Mojo::Path->new(
+  '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], 'test', 'right part';
+is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
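Review bot: Four of the new descriptions read `'rigth result'` (the `is "$path", ...` and `is $path->canonicalize, ...` lines); `'right result'` is meant, and since the eight new assertions reuse just two descriptions, distinct ones such as `'encoded slashes become separators'` or `'canonicalize keeps leading ..'` would make a failure easier to locate. These cases also pin down that `canonicalize` leaves a run of leading `..` parts untouched, which is fine as a regression test but deserves a comment above the block, e.g. `# canonicalize does not remove leading '..'; anything mapping parts to files must reject them itself`, so nobody later reads the test as evidence of a traversal defence.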

Modified: branches/squeeze/libmojolicious-perl/t/mojo/url.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/t/mojo/url.t?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/t/mojo/url.t (original)
+++ branches/squeeze/libmojolicious-perl/t/mojo/url.t Wed May 11 06:06:19 2011
@@ -7,7 +7,7 @@
 
 use utf8;
 
-use Test::More tests => 111;
+use Test::More tests => 117;
 
 use Mojo::ByteStream 'b';
 
@@ -121,12 +121,12 @@
 is($url->userinfo, undef,                                     'no userinfo');
 is($url->host,     'acme.s3.amazonaws.com',                   'right host');
 is($url->port,     undef,                                     'no port');
-is($url->path,     '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
+is($url->path,     '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
 ok(!$url->query, 'no query');
 is_deeply($url->query->to_hash, {}, 'right structure');
 is($url->fragment, undef, 'no fragment');
 is("$url",
-    'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
+    'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
     'right format');
 
 # Clone (advanced)
@@ -236,3 +236,17 @@
       . '%D1%88%D0%B0%D1%80%D0%B8%D1%84%D1%83%D0%BB%D0%B8%D0%BD',
     'right format'
 );
+
+# Empty path elements
+$url = Mojo::URL->new('http://kraih.com/foo//bar/23/');
+$url->base->parse('http://kraih.com/');
+is($url->is_abs, 1);
+is($url->to_rel, '/foo//bar/23/');
+$url = Mojo::URL->new('http://kraih.com//foo//bar/23/');
+$url->base->parse('http://kraih.com/');
+is($url->is_abs, 1);
+is($url->to_rel, '/foo//bar/23/');
+$url = Mojo::URL->new('http://kraih.com/foo///bar/23/');
+$url->base->parse('http://kraih.com/');
+is($url->is_abs, 1);
+is($url->to_rel, '/foo///bar/23/');
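Review bot: The six new `is(...)` assertions under `# Empty path elements` have no description, unlike the rest of this file (`'right path'`, `'right format'`), so a failure is reported by line number only; add a third argument, e.g. `is($url->to_rel, '/foo//bar/23/', 'empty segment preserved');` and `is($url->is_abs, 1, 'is absolute');`. The three blocks differ only in the input URL, so a small `for` loop over input/expected pairs would also remove the repetition.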

Modified: branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t?rev=74188&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t (original)
+++ branches/squeeze/libmojolicious-perl/t/mojox/routes/routes.t Wed May 11 06:06:19 2011
@@ -347,8 +347,8 @@
 $m = MojoX::Routes::Match->new($tx)->match($r);
 is($m->stack->[0]->{controller}, 'wild');
 is($m->stack->[0]->{action},     'card');
-is($m->stack->[0]->{wildcard},   'http:/www.google.com');
-is($m->url_for,                  '/wildcards/1/http:/www.google.com');
+is($m->stack->[0]->{wildcard},   'http://www.google.com');
+is($m->url_for,                  '/wildcards/1/http://www.google.com');
 is(@{$m->stack},                 1);
 $tx = Mojo::Transaction::HTTP->new;
 $tx->req->method('GET');
@@ -357,7 +357,7 @@
 is($m->stack->[0]->{controller}, 'wild');
 is($m->stack->[0]->{action},     'card');
 is($m->stack->[0]->{wildcard},   'http://www.google.com');
-is($m->url_for,                  '/wildcards/1/http:/www.google.com');
+is($m->url_for,                  '/wildcards/1/http://www.google.com');
 is(@{$m->stack},                 1);
 
 # Format



