https://bugzilla.redhat.com/show_bug.cgi?id=1128978
Bug ID: 1128978
Summary: perl-Plack: trailing slashes removed leading to source
code disclosure
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected],
[email protected],
[email protected]
Plack 1.0031 fixes the following security issue:
- Plack::App::File would previously strip trailing slashes off
provided paths. This in combination with the common pattern
of serving files with Plack::Middleware::Static could allow
an attacker to bypass a whitelist of generated files (avar) #446
Upstream fix:
https://github.com/avar/Plack/commit/bc1731dbb53850c380875ad683cd87c8ec99eee3
References:
https://github.com/plack/Plack/issues/405
http://seclists.org/oss-sec/2014/q3/345
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=3o7im6lCPi&a=cc_unsubscribe
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
