r74933 - in /trunk/libdancer-perl: CHANGES META.yml debian/NEWS debian/changelog debian/patches/pod-spelling.patch lib/Dancer.pm lib/Dancer/FileUtils.pm lib/Dancer/Renderer.pm t/00_base/14_changelog.t t/04_static_file/001_base.t

ghedo-guest at users.alioth.debian.org ghedo-guest at users.alioth.debian.org
Sat May 28 13:45:25 UTC 2011


Author: ghedo-guest
Date: Sat May 28 13:45:13 2011
New Revision: 74933

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=74933
Log:
* New upstream release
  - FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
* Refresh patch
* Update NEWS with security fix

Modified:
    trunk/libdancer-perl/CHANGES
    trunk/libdancer-perl/META.yml
    trunk/libdancer-perl/debian/NEWS
    trunk/libdancer-perl/debian/changelog
    trunk/libdancer-perl/debian/patches/pod-spelling.patch
    trunk/libdancer-perl/lib/Dancer.pm
    trunk/libdancer-perl/lib/Dancer/FileUtils.pm
    trunk/libdancer-perl/lib/Dancer/Renderer.pm
    trunk/libdancer-perl/t/00_base/14_changelog.t
    trunk/libdancer-perl/t/04_static_file/001_base.t

Modified: trunk/libdancer-perl/CHANGES
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/CHANGES?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/CHANGES (original)
+++ trunk/libdancer-perl/CHANGES Sat May 28 13:45:13 2011
@@ -1,3 +1,12 @@
+1.3051      27.05.2011
+    ** Security release based on 1.3050 **
+
+    [ SECURITY ]
+    * FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
+      Return "400 Bad Request" when requested filename seems suspicious
+      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1589
+      (Vladimir Lettiev and Franck Cuny)
+
 1.3050      20.05.2011
     ** Codename: The Captain Hook Adventure // Franck Cuny **
 

Modified: trunk/libdancer-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/META.yml?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/META.yml (original)
+++ trunk/libdancer-perl/META.yml Sat May 28 13:45:13 2011
@@ -1,6 +1,6 @@
 --- #YAML:1.0
 name:               Dancer
-version:            1.3050
+version:            1.3051
 abstract:           A minimal-effort oriented web application framework
 author:  []
 license:            perl

Modified: trunk/libdancer-perl/debian/NEWS
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/debian/NEWS?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/debian/NEWS (original)
+++ trunk/libdancer-perl/debian/NEWS Sat May 28 13:45:13 2011
@@ -1,3 +1,13 @@
+libdancer-perl (1.3051+dfsg-1) UNRELEASED; urgency=low
+
+  [ SECURITY ]
+  FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
+  Return "400 Bad Request" when requested filename seems suspicious
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1589
+  (Vladimir Lettiev and Franck Cuny)
+
+ -- Alessandro Ghedini <al3xbio at gmail.com>  Sat, 28 May 2011 15:40:56 +0200
+
 libdancer-perl (1.3010+dfsg-1) unstable; urgency=low
 
   1.3003
@@ -10,6 +20,6 @@
   [ API CHANGES ]
   to_json and from_json accept options as hashref instead of hash. Passing
   arguments as hash is deprecated
-  
+
 
  -- gregor herrmann <gregoa at debian.org>  Fri, 11 Feb 2011 22:50:07 +0100

Modified: trunk/libdancer-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/debian/changelog?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/debian/changelog (original)
+++ trunk/libdancer-perl/debian/changelog Sat May 28 13:45:13 2011
@@ -1,3 +1,12 @@
+libdancer-perl (1.3051+dfsg-1) UNRELEASED; urgency=low
+
+  * New upstream release
+    - FIX CVE-2011-1589 (Mojolicious report, but Dancer was vulnerable as well).
+  * Refresh patch
+  * Update NEWS with security fix
+
+ -- Alessandro Ghedini <al3xbio at gmail.com>  Sat, 28 May 2011 15:40:56 +0200
+
 libdancer-perl (1.3050+dfsg-1) unstable; urgency=low
 
   * New upstream release.

Modified: trunk/libdancer-perl/debian/patches/pod-spelling.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/debian/patches/pod-spelling.patch?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/debian/patches/pod-spelling.patch (original)
+++ trunk/libdancer-perl/debian/patches/pod-spelling.patch Sat May 28 13:45:13 2011
@@ -6,7 +6,7 @@
 
 --- a/lib/Dancer/FileUtils.pm
 +++ b/lib/Dancer/FileUtils.pm
-@@ -158,7 +158,7 @@
+@@ -160,7 +160,7 @@
  Returns either the content of a file (whose filename is the input), I<undef>
  if the file could not be opened.
  

Modified: trunk/libdancer-perl/lib/Dancer.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/lib/Dancer.pm?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/lib/Dancer.pm (original)
+++ trunk/libdancer-perl/lib/Dancer.pm Sat May 28 13:45:13 2011
@@ -5,7 +5,7 @@
 use Carp;
 use Cwd 'realpath';
 
-our $VERSION   = '1.3050';
+our $VERSION   = '1.3051';
 our $AUTHORITY = 'SUKRIA';
 
 use Dancer::App;

Modified: trunk/libdancer-perl/lib/Dancer/FileUtils.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/lib/Dancer/FileUtils.pm?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/lib/Dancer/FileUtils.pm (original)
+++ trunk/libdancer-perl/lib/Dancer/FileUtils.pm Sat May 28 13:45:13 2011
@@ -11,7 +11,7 @@
 use base 'Exporter';
 use vars '@EXPORT_OK';
 
- at EXPORT_OK = qw(path dirname read_file_content read_glob_content open_file set_file_mode);
+ at EXPORT_OK = qw(path real_path dirname read_file_content read_glob_content open_file set_file_mode);
 
 # Undo UNC special-casing catfile-voodoo on cygwin
 sub _trim_UNC {
@@ -37,6 +37,8 @@
 sub d_splitpath { File::Spec->splitpath(_trim_UNC(@_)) }
 
 sub path { d_catfile(@_) }
+
+sub real_path { realpath( d_catfile(@_) ) }
 
 sub path_no_verify {
     my @nodes = File::Spec->splitpath(d_catdir(@_)); # 0=vol,1=dirs,2=file
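Review bot: The new `real_path` is exported as public API but carries no comment or POD, and its contract differs from `path` in a way callers must know: `Cwd::realpath` returns undef when the path does not exist (or cannot be resolved), whereas `path` always returns a string. A one-line comment above it would make that explicit, e.g. `# Like path(), but canonicalised via Cwd::realpath (symlinks and '..' resolved); returns undef if the path does not exist.` The `realpath` import from Cwd is not visible in this hunk; presumably it sits in the file's preamble outside the hunk, but it is worth confirming since the sub is now exported and called per request by Dancer::Renderer.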

Modified: trunk/libdancer-perl/lib/Dancer/Renderer.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/lib/Dancer/Renderer.pm?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/lib/Dancer/Renderer.pm (original)
+++ trunk/libdancer-perl/lib/Dancer/Renderer.pm Sat May 28 13:45:13 2011
@@ -13,7 +13,7 @@
 use Dancer::Response;
 use Dancer::Serializer;
 use Dancer::Config 'setting';
-use Dancer::FileUtils qw(path dirname read_file_content open_file);
+use Dancer::FileUtils qw(path real_path dirname read_file_content open_file);
 use Dancer::SharedData;
 use Dancer::Logger;
 use Dancer::MIME;
@@ -145,10 +145,20 @@
 }
 
 sub get_file_response {
-    my $request     = Dancer::SharedData->request;
-    my $path_info   = $request->path_info;
-    my $app         = Dancer::App->current;
-    my $static_file = path($app->setting('public'), $path_info);
+    my $request   = Dancer::SharedData->request;
+    my $path_info = $request->path_info;
+
+    # requests that have \0 in path are forbidden
+    if ( $path_info =~ /\0/ ) {
+        _bad_request();
+        return 1;
+    }
+
+    my $app = Dancer::App->current;
+    my $static_file = real_path( $app->setting('public'), $path_info );
+
+    return if ( !$static_file
+        || index( $static_file, real_path( $app->setting('public') ) ) != 0 );
 
     return Dancer::Renderer->get_file_response_for_path( $static_file, undef,
         $request->content_type );
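Review bot: The containment check on the `index( $static_file, real_path(...) ) != 0` line tests only that the resolved path string begins with the resolved public directory, so a sibling directory whose name extends that prefix (a `public_extra` next to `public`) would also pass; the comparison should be against the root plus a directory separator (or use `File::Spec->abs2rel` and reject a result beginning with `..`). It would also be clearer and cheaper to resolve the root once and guard it, e.g. `my $public_root = real_path( $app->setting('public') );` then `return if !$static_file || !$public_root;` then `return if index( $static_file, $public_root . '/' ) != 0;` (taking the separator from File::Spec on non-Unix platforms); as written, an undef root would make `index` warn and match at position 0. Note that `real_path` returns undef for a file that does not exist, so the `return if !$static_file` branch is presumably the normal not-found path as well as the traversal guard — a short comment saying so would help the next reader. The body of `get_file_response` continues past the end of this hunk.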
@@ -187,6 +197,12 @@
     my $file = shift;
     my $mime = Dancer::MIME->instance();
     return $mime->for_file($file);
+}
+
+sub _bad_request{
+    my $response = Dancer::SharedData->response() || Dancer::Response->new();
+    $response->status(400);
+    $response->content('Bad Request');
 }
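Review bot: `sub _bad_request{` lacks the space before the brace used by every other sub in the file (`sub get_file_response {`), and the sub has no explicit return, so it returns whatever `$response->content(...)` happens to yield; add `return;` as the last statement (or return `$response`) to match the file's explicit-return style. The `Dancer::SharedData->response() || Dancer::Response->new()` fallback presumably relies on `Dancer::Response->new` registering itself with Dancer::SharedData, since the test reads the status back from there rather than from a return value; a comment stating that dependency would make the sub's effect obvious, e.g. `# Mark the current response (created on demand) as 400 Bad Request`.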
 
 # set of builtin templates needed by Dancer when rendering HTML pages

Modified: trunk/libdancer-perl/t/00_base/14_changelog.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/t/00_base/14_changelog.t?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/t/00_base/14_changelog.t (original)
+++ trunk/libdancer-perl/t/00_base/14_changelog.t Sat May 28 13:45:13 2011
@@ -16,7 +16,7 @@
 my $stop_checking_version = '1.3014';
 
 # ordered list of possible sections
-my @possible_sections = ('API CHANGES', 'BUG FIXES', 'ENHANCEMENTS', 'DOCUMENTATION', );
+my @possible_sections = ('SECURITY', 'API CHANGES', 'BUG FIXES', 'ENHANCEMENTS', 'DOCUMENTATION', );
 
 #################
 

Modified: trunk/libdancer-perl/t/04_static_file/001_base.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdancer-perl/t/04_static_file/001_base.t?rev=74933&op=diff
==============================================================================
--- trunk/libdancer-perl/t/04_static_file/001_base.t (original)
+++ trunk/libdancer-perl/t/04_static_file/001_base.t Sat May 28 13:45:13 2011
@@ -1,17 +1,60 @@
 use strict;
 use warnings;
 
-use Test::More tests => 3, import => ['!pass'];
+# There is an issue with HTTP::Parser::XS while parsing an URI with \0
+# Using the pure perl via PERL_ONLY works
+BEGIN { $ENV{PERL_ONLY} = 1; }
+
+use Test::More tests => 8, import => ['!pass'];
 use Dancer::Test;
 
 use Dancer ':syntax';
 
-set public => path(dirname(__FILE__), 'static');
+set public => path( dirname(__FILE__), 'static' );
 my $public = setting('public');
 
 my $req = [ GET => '/hello.txt' ];
 response_is_file $req;
 
 my $resp = Dancer::Test::_get_file_response($req);
-is_deeply($resp->headers_to_array, ['Content-Type' => 'text/plain'], "response header looks good for @$req");
-is(ref($resp->{content}), 'GLOB', "response content looks good for @$req");
+is_deeply(
+    $resp->headers_to_array,
+    [ 'Content-Type' => 'text/plain' ],
+    "response header looks good for @$req"
+);
+is( ref( $resp->{content} ), 'GLOB', "response content looks good for @$req" );
+
+ok $resp = Dancer::Test::_get_file_response( [ GET => "/hello\0.txt" ] );
+my $r = Dancer::SharedData->response();
+is $r->status,  400;
+is $r->content, 'Bad Request';
+
+SKIP: {
+    skip "Test::TCP is required", 2
+      unless Dancer::ModuleLoader->load('Test::TCP');
+    skip "Plack is required", 2
+      unless Dancer::ModuleLoader->load('Plack::Loader');
+    require HTTP::Request;
+    require LWP::UserAgent;
+
+    Test::TCP::test_tcp(
+        client => sub {
+            my $port = shift;
+            my $req =
+              HTTP::Request->new(
+                GET => "http://127.0.0.1:$port/hello%00.txt" );
+            my $ua  = LWP::UserAgent->new();
+            my $res = $ua->request($req);
+            ok !$res->is_success;
+            is $res->code, 400;
+        },
+        server => sub {
+            my $port = shift;
+            setting apphandler => 'PSGI';
+            Dancer::Config->load;
+            my $app = Dancer::Handler->psgi_app;
+            Plack::Loader->auto( port => $port )->run($app);
+            Dancer->dance();
+        }
+    );
+}
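Review bot: The new assertions `is $r->status, 400;`, `is $r->content, 'Bad Request';`, `ok !$res->is_success;` and `is $res->code, 400;` carry no descriptions, unlike the existing tests above them, so a failure prints only the values; give each a message, e.g. `is $r->status, 400, 'NUL byte in path yields 400';` and `is $res->code, 400, 'end-to-end request with %00 in path yields 400';`. In the server callback, `Dancer->dance();` follows `Plack::Loader->auto( port => $port )->run($app);`, which presumably blocks for the lifetime of the test server, so the `dance()` call looks unreachable — confirm and drop it, or comment why it is needed.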



