r74933 - in /trunk/libdancer-perl: CHANGES META.yml debian/NEWS debian/changelog debian/patches/pod-spelling.patch lib/Dancer.pm lib/Dancer/FileUtils.pm lib/Dancer/Renderer.pm t/00_base/14_changelog.t t/04_static_file/001_base.t
ghedo-guest at users.alioth.debian.org
ghedo-guest at users.alioth.debian.org
Sat May 28 13:45:25 UTC 2011
Author: ghedo-guest
Date: Sat May 28 13:45:13 2011
New Revision: 74933
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=74933
Log:
* New upstream release
- FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
* Refresh patch
* Update NEWS with security fix
Modified:
trunk/libdancer-perl/CHANGES
trunk/libdancer-perl/META.yml
trunk/libdancer-perl/debian/NEWS
trunk/libdancer-perl/debian/changelog
trunk/libdancer-perl/debian/patches/pod-spelling.patch
trunk/libdancer-perl/lib/Dancer.pm
trunk/libdancer-perl/lib/Dancer/FileUtils.pm
trunk/libdancer-perl/lib/Dancer/Renderer.pm
trunk/libdancer-perl/t/00_base/14_changelog.t
trunk/libdancer-perl/t/04_static_file/001_base.t
Modified: trunk/libdancer-perl/CHANGES
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/CHANGES?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/CHANGES (original)
+++ trunk/libdancer-perl/CHANGES Sat May 28 13:45:13 2011
@@ -1,3 +1,12 @@
+1.3051 27.05.2011
+ ** Security release based on 1.3050 **
+
+ [ SECURITY ]
+ * FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
+ Return "400 Bad Request" when requested filename seems suspicious
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1589
+ (Vladimir Lettiev and Franck Cuny)
+
1.3050 20.05.2011
** Codename: The Captain Hook Adventure // Franck Cuny **
Modified: trunk/libdancer-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/META.yml?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/META.yml (original)
+++ trunk/libdancer-perl/META.yml Sat May 28 13:45:13 2011
@@ -1,6 +1,6 @@
--- #YAML:1.0
name: Dancer
-version: 1.3050
+version: 1.3051
abstract: A minimal-effort oriented web application framework
author: []
license: perl
Modified: trunk/libdancer-perl/debian/NEWS
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/debian/NEWS?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/debian/NEWS (original)
+++ trunk/libdancer-perl/debian/NEWS Sat May 28 13:45:13 2011
@@ -1,3 +1,13 @@
+libdancer-perl (1.3051+dfsg-1) UNRELEASED; urgency=low
+
+ [ SECURITY ]
+ FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
+ Return "400 Bad Request" when requested filename seems suspicious
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1589
+ (Vladimir Lettiev and Franck Cuny)
+
+ -- Alessandro Ghedini <al3xbio at gmail.com> Sat, 28 May 2011 15:40:56 +0200
+
libdancer-perl (1.3010+dfsg-1) unstable; urgency=low
1.3003
@@ -10,6 +20,6 @@
[ API CHANGES ]
to_json and from_json accept options as hashref instead of hash. Passing
arguments as hash is deprecated
-
+
-- gregor herrmann <gregoa at debian.org> Fri, 11 Feb 2011 22:50:07 +0100
Modified: trunk/libdancer-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/debian/changelog?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/debian/changelog (original)
+++ trunk/libdancer-perl/debian/changelog Sat May 28 13:45:13 2011
@@ -1,3 +1,12 @@
+libdancer-perl (1.3051+dfsg-1) UNRELEASED; urgency=low
+
+ * New upstream release
+ - FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
+ * Refresh patch
+ * Update NEWS with security fix
+
+ -- Alessandro Ghedini <al3xbio at gmail.com> Sat, 28 May 2011 15:40:56 +0200
+
libdancer-perl (1.3050+dfsg-1) unstable; urgency=low
* New upstream release.
Modified: trunk/libdancer-perl/debian/patches/pod-spelling.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/debian/patches/pod-spelling.patch?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/debian/patches/pod-spelling.patch (original)
+++ trunk/libdancer-perl/debian/patches/pod-spelling.patch Sat May 28 13:45:13 2011
@@ -6,7 +6,7 @@
--- a/lib/Dancer/FileUtils.pm
+++ b/lib/Dancer/FileUtils.pm
-@@ -158,7 +158,7 @@
+@@ -160,7 +160,7 @@
Returns either the content of a file (whose filename is the input), I<undef>
if the file could not be opened.
Modified: trunk/libdancer-perl/lib/Dancer.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/lib/Dancer.pm?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/lib/Dancer.pm (original)
+++ trunk/libdancer-perl/lib/Dancer.pm Sat May 28 13:45:13 2011
@@ -5,7 +5,7 @@
use Carp;
use Cwd 'realpath';
-our $VERSION = '1.3050';
+our $VERSION = '1.3051';
our $AUTHORITY = 'SUKRIA';
use Dancer::App;
Modified: trunk/libdancer-perl/lib/Dancer/FileUtils.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/lib/Dancer/FileUtils.pm?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/lib/Dancer/FileUtils.pm (original)
+++ trunk/libdancer-perl/lib/Dancer/FileUtils.pm Sat May 28 13:45:13 2011
@@ -11,7 +11,7 @@
use base 'Exporter';
use vars '@EXPORT_OK';
- at EXPORT_OK = qw(path dirname read_file_content read_glob_content open_file set_file_mode);
+ at EXPORT_OK = qw(path real_path dirname read_file_content read_glob_content open_file set_file_mode);
# Undo UNC special-casing catfile-voodoo on cygwin
sub _trim_UNC {
@@ -37,6 +37,8 @@
sub d_splitpath { File::Spec->splitpath(_trim_UNC(@_)) }
sub path { d_catfile(@_) }
+
+sub real_path { realpath( d_catfile(@_) ) }
sub path_no_verify {
my @nodes = File::Spec->splitpath(d_catdir(@_)); # 0=vol,1=dirs,2=file
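Review bot: `real_path` on the added line is undocumented, and its contract differs from the neighbouring `path` in two ways callers will depend on: `realpath` returns undef when the assembled path does not exist (so callers must test the result, as Renderer now does), and it resolves symlinks, so a symlink below the public directory resolves to its target. Suggest a comment above the sub such as `# Like path(), but canonicalised with Cwd::realpath: symlinks are resolved and undef is returned when the path does not exist.` and a matching POD entry next to `path`, since the first hunk adds it to `@EXPORT_OK`. The hunk does not show whether `realpath` is imported into this package; if there is no `use Cwd 'realpath';` (or fully qualified `Cwd::realpath`) elsewhere in the file, the call fails at runtime as an undefined subroutine.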
Modified: trunk/libdancer-perl/lib/Dancer/Renderer.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/lib/Dancer/Renderer.pm?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/lib/Dancer/Renderer.pm (original)
+++ trunk/libdancer-perl/lib/Dancer/Renderer.pm Sat May 28 13:45:13 2011
@@ -13,7 +13,7 @@
use Dancer::Response;
use Dancer::Serializer;
use Dancer::Config 'setting';
-use Dancer::FileUtils qw(path dirname read_file_content open_file);
+use Dancer::FileUtils qw(path real_path dirname read_file_content open_file);
use Dancer::SharedData;
use Dancer::Logger;
use Dancer::MIME;
@@ -145,10 +145,20 @@
}
sub get_file_response {
- my $request = Dancer::SharedData->request;
- my $path_info = $request->path_info;
- my $app = Dancer::App->current;
- my $static_file = path($app->setting('public'), $path_info);
+ my $request = Dancer::SharedData->request;
+ my $path_info = $request->path_info;
+
+ # requests that have \0 in path are forbidden
+ if ( $path_info =~ /\0/ ) {
+ _bad_request();
+ return 1;
+ }
+
+ my $app = Dancer::App->current;
+ my $static_file = real_path( $app->setting('public'), $path_info );
+
+ return if ( !$static_file
+ || index( $static_file, real_path( $app->setting('public') ) ) != 0 );
return Dancer::Renderer->get_file_response_for_path( $static_file, undef,
$request->content_type );
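Review bot: The containment check on the `index( $static_file, real_path(...) ) != 0` line is a plain string-prefix test, so a sibling directory whose name extends the public directory's name (`public` versus `public_old`) would pass it; compare against the public path with a trailing separator and compute it once: `my $public = real_path( $app->setting('public') );` then `return if !$static_file || ( $static_file ne $public && index( $static_file, "$public/" ) != 0 );` (take the separator from File::Spec if non-POSIX platforms matter). `_bad_request(); return 1;` leaves the 400 on the shared response and returns true; what the caller does with a true return is not visible in the hunk, so confirm dispatch really stops there rather than falling through to a route. Note also that `real_path` yields undef for a file that does not exist, which the `!$static_file` test turns into a bare `return`, presumably leaving the 404 to the caller. `get_file_response` closes outside the hunk.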
@@ -187,6 +197,12 @@
my $file = shift;
my $mime = Dancer::MIME->instance();
return $mime->for_file($file);
+}
+
+sub _bad_request{
+ my $response = Dancer::SharedData->response() || Dancer::Response->new();
+ $response->status(400);
+ $response->content('Bad Request');
}
# set of builtin templates needed by Dancer when rendering HTML pages
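Review bot: `_bad_request` has no header comment and relies on an implicit return value; a one-line comment and an explicit `return;` would make its contract clear, e.g. `# Mark the current response as 400 Bad Request; the caller is expected to stop processing.`. The `||` fallback constructs a fresh `Dancer::Response` when SharedData holds none, but nothing in the hunk stores that object back, so unless `Dancer::Response->new` registers itself with SharedData the 400 would be lost; worth confirming. Style nit: `sub _bad_request{` wants a space before the brace to match the surrounding subs.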
Modified: trunk/libdancer-perl/t/00_base/14_changelog.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/t/00_base/14_changelog.t?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/t/00_base/14_changelog.t (original)
+++ trunk/libdancer-perl/t/00_base/14_changelog.t Sat May 28 13:45:13 2011
@@ -16,7 +16,7 @@
my $stop_checking_version = '1.3014';
# ordered list of possible sections
-my @possible_sections = ('API CHANGES', 'BUG FIXES', 'ENHANCEMENTS', 'DOCUMENTATION', );
+my @possible_sections = ('SECURITY', 'API CHANGES', 'BUG FIXES', 'ENHANCEMENTS', 'DOCUMENTATION', );
#################
Modified: trunk/libdancer-perl/t/04_static_file/001_base.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/t/04_static_file/001_base.t?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/t/04_static_file/001_base.t (original)
+++ trunk/libdancer-perl/t/04_static_file/001_base.t Sat May 28 13:45:13 2011
@@ -1,17 +1,60 @@
use strict;
use warnings;
-use Test::More tests => 3, import => ['!pass'];
+# There is an issue with HTTP::Parser::XS while parsing an URI with \0
+# Using the pure perl via PERL_ONLY works
+BEGIN { $ENV{PERL_ONLY} = 1; }
+
+use Test::More tests => 8, import => ['!pass'];
use Dancer::Test;
use Dancer ':syntax';
-set public => path(dirname(__FILE__), 'static');
+set public => path( dirname(__FILE__), 'static' );
my $public = setting('public');
my $req = [ GET => '/hello.txt' ];
response_is_file $req;
my $resp = Dancer::Test::_get_file_response($req);
-is_deeply($resp->headers_to_array, ['Content-Type' => 'text/plain'], "response header looks good for @$req");
-is(ref($resp->{content}), 'GLOB', "response content looks good for @$req");
+is_deeply(
+ $resp->headers_to_array,
+ [ 'Content-Type' => 'text/plain' ],
+ "response header looks good for @$req"
+);
+is( ref( $resp->{content} ), 'GLOB', "response content looks good for @$req" );
+
+ok $resp = Dancer::Test::_get_file_response( [ GET => "/hello\0.txt" ] );
+my $r = Dancer::SharedData->response();
+is $r->status, 400;
+is $r->content, 'Bad Request';
+
+SKIP: {
+ skip "Test::TCP is required", 2
+ unless Dancer::ModuleLoader->load('Test::TCP');
+ skip "Plack is required", 2
+ unless Dancer::ModuleLoader->load('Plack::Loader');
+ require HTTP::Request;
+ require LWP::UserAgent;
+
+ Test::TCP::test_tcp(
+ client => sub {
+ my $port = shift;
+ my $req =
+ HTTP::Request->new(
+ GET => "http://127.0.0.1:$port/hello%00.txt" );
+ my $ua = LWP::UserAgent->new();
+ my $res = $ua->request($req);
+ ok !$res->is_success;
+ is $res->code, 400;
+ },
+ server => sub {
+ my $port = shift;
+ setting apphandler => 'PSGI';
+ Dancer::Config->load;
+ my $app = Dancer::Handler->psgi_app;
+ Plack::Loader->auto( port => $port )->run($app);
+ Dancer->dance();
+ }
+ );
+}
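Review bot: The new assertions only exercise the NUL-byte guard; the second guard the commit adds in Renderer (rejecting a resolved path outside `public`) has no test in this file, so a regression there would still pass. A case in the same style would cover it, e.g. `ok !Dancer::Test::_get_file_response( [ GET => '/../001_base.t' ] ), 'path outside public gets no file response';` — whether `path_info` is normalised before it reaches the renderer is not visible here, so check that the request really arrives with the `..` intact. The bare `is $r->status, 400;`, `is $r->content, 'Bad Request';`, `ok !$res->is_success;` and `is $res->code, 400;` carry no descriptions, which makes failures hard to read under `prove`. In the server callback, `Dancer->dance();` follows `Plack::Loader->auto( port => $port )->run($app);`, which does not return, so that line appears to be dead.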