In perl.git, the branch blead has been updated <http://perl5.git.perl.org/perl.git/commitdiff/daa60504d01976b7c4027ff3c85f9968137d9fcf?hp=f49e84642c2886177a0ec4ddff2ef186df4c6441>
- Log ----------------------------------------------------------------- commit daa60504d01976b7c4027ff3c85f9968137d9fcf Author: David Golden <[email protected]> Date: Mon Feb 27 09:14:04 2017 -0500 RT#123754 Add security note to File::Spec::no_upwards As discussed with Dave Mitchell in private email. ----------------------------------------------------------------------- Summary of changes: dist/PathTools/Changes | 3 +++ dist/PathTools/Cwd.pm | 2 +- dist/PathTools/lib/File/Spec.pm | 11 +++++++---- dist/PathTools/lib/File/Spec/AmigaOS.pm | 2 +- dist/PathTools/lib/File/Spec/Cygwin.pm | 2 +- dist/PathTools/lib/File/Spec/Epoc.pm | 2 +- dist/PathTools/lib/File/Spec/Functions.pm | 2 +- dist/PathTools/lib/File/Spec/Mac.pm | 2 +- dist/PathTools/lib/File/Spec/OS2.pm | 2 +- dist/PathTools/lib/File/Spec/Unix.pm | 2 +- dist/PathTools/lib/File/Spec/VMS.pm | 2 +- dist/PathTools/lib/File/Spec/Win32.pm | 2 +- 12 files changed, 20 insertions(+), 14 deletions(-) diff --git a/dist/PathTools/Changes b/dist/PathTools/Changes index 46c9a9e558..7d0c1798b8 100644 --- a/dist/PathTools/Changes +++ b/dist/PathTools/Changes @@ -1,5 +1,8 @@ Revision history for Perl distribution PathTools. +3.67 - Mon Feb 27 09:33:04 EST 2017 +- Add security usage note to File::Spec::no_upwards + 3.66 - Sat Nov 19 10:30:19 MST 2016 - white space change so can compile under C++11 diff --git a/dist/PathTools/Cwd.pm b/dist/PathTools/Cwd.pm index 362a000e7a..ce142cfe69 100644 --- a/dist/PathTools/Cwd.pm +++ b/dist/PathTools/Cwd.pm @@ -3,7 +3,7 @@ use strict; use Exporter; use vars qw(@ISA @EXPORT @EXPORT_OK $VERSION); -$VERSION = '3.66'; +$VERSION = '3.67'; my $xs_version = $VERSION; $VERSION =~ tr/_//d; diff --git a/dist/PathTools/lib/File/Spec.pm b/dist/PathTools/lib/File/Spec.pm index 85ad17426c..a9a7619470 100644 --- a/dist/PathTools/lib/File/Spec.pm +++ b/dist/PathTools/lib/File/Spec.pm 
@@ -3,7 +3,7 @@ package File::Spec; use strict; use vars qw(@ISA $VERSION); -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; my %module = (MacOS => 'Mac', @@ -158,10 +158,13 @@ Returns a string representation of the parent directory. =item no_upwards -Given a list of file names, strip out those that refer to a parent -directory. (Does not strip symlinks, only '.', '..', and equivalents.) +Given a list of files in a directory (such as from C<readdir()>), +strip out C<'.'> and C<'..'>. - @paths = File::Spec->no_upwards( @paths ); +B<SECURITY NOTE:> This does NOT filter paths containing C<'..'>, like +C<'../../../../etc/passwd'>, only literal matches to C<'.'> and C<'..'>. + + @paths = File::Spec->no_upwards( readdir $dirhandle ); =item case_tolerant diff --git a/dist/PathTools/lib/File/Spec/AmigaOS.pm b/dist/PathTools/lib/File/Spec/AmigaOS.pm index b288f224ae..8d3796e123 100644 --- a/dist/PathTools/lib/File/Spec/AmigaOS.pm +++ b/dist/PathTools/lib/File/Spec/AmigaOS.pm @@ -4,7 +4,7 @@ use strict; use vars qw(@ISA $VERSION); require File::Spec::Unix; -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; @ISA = qw(File::Spec::Unix); diff --git a/dist/PathTools/lib/File/Spec/Cygwin.pm b/dist/PathTools/lib/File/Spec/Cygwin.pm index 48da5426b8..745df86ee5 100644 --- a/dist/PathTools/lib/File/Spec/Cygwin.pm +++ b/dist/PathTools/lib/File/Spec/Cygwin.pm @@ -4,7 +4,7 @@ use strict; use vars qw(@ISA $VERSION); require File::Spec::Unix; -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; @ISA = qw(File::Spec::Unix); diff --git a/dist/PathTools/lib/File/Spec/Epoc.pm b/dist/PathTools/lib/File/Spec/Epoc.pm index ef8af40145..959261a58e 100644 --- a/dist/PathTools/lib/File/Spec/Epoc.pm +++ b/dist/PathTools/lib/File/Spec/Epoc.pm @@ -3,7 +3,7 @@ package File::Spec::Epoc; use strict; use vars qw($VERSION @ISA); -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; require File::Spec::Unix; 
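Review bot: The SECURITY NOTE added under `=item no_upwards` in dist/PathTools/lib/File/Spec.pm (the `@@ -158,10 +158,13 @@` hunk) says what the method does not filter, but it leaves a reader who holds an untrusted path string with no pointer to what to do instead. I would follow it with one sentence such as `To confine an untrusted path to a directory, resolve it (e.g. with C<Cwd::realpath>) and verify the result is still inside the intended base directory.` The rewrite also drops the old wording "and equivalents" along with the remark about symlinks. This commit touches per-platform subclasses (Mac.pm, VMS.pm, Win32.pm), so if any of them treats other spellings as current or parent directory, "only literal matches" is narrower than the real behaviour. That cannot be confirmed from this hunk, so it is worth checking before release.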
diff --git a/dist/PathTools/lib/File/Spec/Functions.pm b/dist/PathTools/lib/File/Spec/Functions.pm index ccf1562599..cb7532e57f 100644 --- a/dist/PathTools/lib/File/Spec/Functions.pm +++ b/dist/PathTools/lib/File/Spec/Functions.pm @@ -5,7 +5,7 @@ use strict; use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION); -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; require Exporter; diff --git a/dist/PathTools/lib/File/Spec/Mac.pm b/dist/PathTools/lib/File/Spec/Mac.pm index a7454e7ded..192cc8da9b 100644 --- a/dist/PathTools/lib/File/Spec/Mac.pm +++ b/dist/PathTools/lib/File/Spec/Mac.pm @@ -4,7 +4,7 @@ use strict; use vars qw(@ISA $VERSION); require File::Spec::Unix; -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; @ISA = qw(File::Spec::Unix); diff --git a/dist/PathTools/lib/File/Spec/OS2.pm b/dist/PathTools/lib/File/Spec/OS2.pm index a17f995674..1e201ebade 100644 --- a/dist/PathTools/lib/File/Spec/OS2.pm +++ b/dist/PathTools/lib/File/Spec/OS2.pm @@ -4,7 +4,7 @@ use strict; use vars qw(@ISA $VERSION); require File::Spec::Unix; -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; @ISA = qw(File::Spec::Unix); diff --git a/dist/PathTools/lib/File/Spec/Unix.pm b/dist/PathTools/lib/File/Spec/Unix.pm index 9f66dc2035..ff3599acf6 100644 --- a/dist/PathTools/lib/File/Spec/Unix.pm +++ b/dist/PathTools/lib/File/Spec/Unix.pm @@ -3,7 +3,7 @@ package File::Spec::Unix; use strict; use vars qw($VERSION); -$VERSION = '3.66'; +$VERSION = '3.67'; my $xs_version = $VERSION; $VERSION =~ tr/_//d; diff --git a/dist/PathTools/lib/File/Spec/VMS.pm b/dist/PathTools/lib/File/Spec/VMS.pm index c055e6b853..fb4351f086 100644 --- a/dist/PathTools/lib/File/Spec/VMS.pm +++ b/dist/PathTools/lib/File/Spec/VMS.pm @@ -4,7 +4,7 @@ use strict; use vars qw(@ISA $VERSION); require File::Spec::Unix; -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; @ISA = qw(File::Spec::Unix); 
diff --git a/dist/PathTools/lib/File/Spec/Win32.pm b/dist/PathTools/lib/File/Spec/Win32.pm index 9036654d4c..17f1c5a190 100644 --- a/dist/PathTools/lib/File/Spec/Win32.pm +++ b/dist/PathTools/lib/File/Spec/Win32.pm @@ -5,7 +5,7 @@ use strict; use vars qw(@ISA $VERSION); require File::Spec::Unix; -$VERSION = '3.66'; +$VERSION = '3.67'; $VERSION =~ tr/_//d; @ISA = qw(File::Spec::Unix); -- Perl5 Master Repository
