[libplack-perl] 01/01: Imported Debian patch 0.9941-1+deb6u1
gregor herrmann
gregoa at debian.org
Thu Oct 9 14:58:48 UTC 2014
This is an automated email from the git hooks/post-receive script.
gregoa pushed a commit to branch squeeze-lts
in repository libplack-perl.
commit 3cffe06a2a48ff44e6fd70bc26bd80e8603523b7
Author: Holger Levsen <holger at debian.org>
Date: Wed Sep 24 19:08:52 2014 +0200
Imported Debian patch 0.9941-1+deb6u1
---
debian/changelog | 11 +++
debian/patches/01-fix-CVE-2014-5269.patch | 129 ++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 141 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2c7e79d..c7b40aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libplack-perl (0.9941-1+deb6u1) squeeze-lts; urgency=medium
+
+ * Non-maintainer upload by the Squeeze LTS Team.
+ * Include bc1731d from 1.0031 release to fix CVE-2014-5269.
+ Plack::App::File would previously strip trailing slashes off provided
+ paths. This could under specific circumstances lead to the unintended
+ delivery of files. For details see the pull request message preserved
+ in debian/patches/01-fix-CVE-2014-5269.patch.
+
+ -- Holger Levsen <holger at debian.org> Wed, 24 Sep 2014 19:08:52 +0200
+
libplack-perl (0.9941-1) unstable; urgency=low
* New upstream release.
diff --git a/debian/patches/01-fix-CVE-2014-5269.patch b/debian/patches/01-fix-CVE-2014-5269.patch
new file mode 100644
index 0000000..dfda7b9
--- /dev/null
+++ b/debian/patches/01-fix-CVE-2014-5269.patch
@@ -0,0 +1,129 @@
+From eaece0f775e4aa1dd7ab4b05411ffadf8080a6ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?=
+ <avarab at gmail.com>
+Date: Fri, 7 Feb 2014 10:13:45 +0000
+Subject: [PATCH] Plack::App::File: Fix a security issue by not pruning
+ trailing slashes
+
+Before this Plack::App::File would prune trailing slashes via its split
+invocation. I.e. it would think this:
+
+ $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt
+ $VAR1 = [
+ 'a',
+ 'file.txt'
+ ];
+
+Was the same as:
+
+ $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt///
+ $VAR1 = [
+ 'a',
+ 'file.txt'
+ ];
+
+This can. turn into a nasty code exposure issue if you e.g. have an app
+that basically does this:
+
+ 1. I'd do a regex /.txt.pl\z/ on a file to see if it was a text file
+ 2. If so, do magic to generate text file via perl
+ 3. Else it's not a /.txt.pl\z/ file, so it must be some other static
+ file with a different extension
+ 4. Serve it up with Plack::Middleware::Static
+
+This is also not how other webservers or Unix utilities work:
+
+ $ touch /tmp/foo.txt
+ $ file /tmp/foo.txt
+ /tmp/foo.txt: empty
+ $ file /tmp/foo.txt/
+ /tmp/foo.txt/: ERROR: cannot open `/tmp/foo.txt/' (Not a directory)
+
+This resolves issue #405 that I filed around 9 months ago. I was
+previously working around it in my own code by doing:
+
+ {
+ # Let's see if someone's trying to be evil by
+ # requesting e.g. /index.html/ instead of
+ # /index.html. We don't want to fall through
+ # and just serve up the raw content.
+ my $plack_app_file = Plack::App::File->new({ root => PLACK_WEBSERVER_DOCUMENT_ROOT() });
+ my ($file) = $plack_app_file->locate_file($env);
+ if (
+ # We'll get a reference if it's a full
+ # Plack response. I.e. a 404 or whatever.
+ ref $file ne 'ARRAY'
+ and
+ # WTF once we canonicalize the file and it
+ # looks like a Mason handled path let's
+ # not accept it, because we don't want to
+ # serve up the raw unprocessed Mason page
+ # via this hack.
+ $file =~ $mason_handles_this_path_rx
+ ) {
+ TELL "Middleware::Static: Path <$path> request, doesn't match <$mason_handles_this_path_rx>, but actually resolves to it via resolved file <$file>" if DEBUG;
+ # Tells our app to just serve up a
+ # 400. Apache would do a 404 but I think
+ # these requests are bad, so say so.
+ $env->{$magic_marker_to_return_400} = 1;
+ return;
+ }
+ }
+---
+ lib/Plack/App/File.pm | 2 +-
+ t/Plack-Middleware/file.t | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Plack/App/File.pm b/lib/Plack/App/File.pm
+index ae6e363..34f744b 100644
+--- a/lib/Plack/App/File.pm
++++ b/lib/Plack/App/File.pm
+@@ -45,7 +45,7 @@ sub locate_file {
+ }
+
+ my $docroot = $self->root || ".";
+- my @path = split '/', $path;
++ my @path = split /[\\\/]/, $path, -1; # -1 *MUST* be here to avoid security issues!
+ if (@path) {
+ shift @path if $path[0] eq '';
+ } else {
+diff --git a/t/Plack-Middleware/file.t b/t/Plack-Middleware/file.t
+index 82cd6e5..d6f8932 100644
+--- a/t/Plack-Middleware/file.t
++++ b/t/Plack-Middleware/file.t
+@@ -3,6 +3,7 @@ use Plack::Test;
+ use Test::More;
+ use HTTP::Request::Common;
+ use Plack::App::File;
++use FindBin qw($Bin);
+
+ my $app = Plack::App::File->new(file => 'README');
+
+@@ -18,6 +19,24 @@ test_psgi $app, sub {
+ is $res->code, 200;
+ };
+
++my $app_secure = Plack::App::File->new(root => $Bin);
+
++test_psgi $app_secure, sub {
++ my $cb = shift;
++
++ my $res = $cb->(GET "/file.t");
++ is $res->code, 200;
++ like $res->content, qr/We will find for this literal string/;
++
++ my $res = $cb->(GET "/../Plack-Middleware/file.t");
++ is $res->code, 403;
++ is $res->content, 'forbidden';
++
++ for my $i (1..100) {
++ $res = $cb->(GET "/file.t" . ("/" x $i));
++ is $res->code, 404;
++ is $res->content, 'not found';
++ }
++};
+
+ done_testing;
+--
+1.9.1
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..694081c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+01-fix-CVE-2014-5269.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libplack-perl.git
More information about the Pkg-perl-cvs-commits
mailing list