Package: libcatalyst-plugin-static-simple-perl
Version: 0.31
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=120558
From upstream changelog for version 0.34:

    Fix security vulnerability, when serving static files with dots in the names (RT#120558)

Catalyst::Plugin::Static::Simple is a plugin for Catalyst, a web framework in Perl. Its purpose is to serve static files, and it is supposed to only serve files with extensions (from which it determines the content type). Due to the bug, however, any file under a directory whose name contains a dot could be served.

The upstream fix is as follows:

--- a/lib/Catalyst/Plugin/Static/Simple.pm
+++ b/lib/Catalyst/Plugin/Static/Simple.pm
@@ -64,7 +64,7 @@ before prepare_action => sub {
     }
 
     # Does the path have an extension?
-    if ( $path =~ /.*\.(\S{1,})$/xms ) {
+    if ( $path =~ /\.([^\/\\]+)$/m ) {
         # and does it exist?
         $c->_locate_static_file( $path );
     }

That is, instead of matching one or more non-space characters (including "/") between a dot and the end of the path, match one or more characters different from "/" and "\" between a dot and the end of the path.

Cheers,
dam
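Review bot: the meaning of the capture group changes in this hunk while nothing in the hunk uses it (the body only calls `$c->_locate_static_file( $path )`), so the callers that derive the content type from the extension should be checked before relying on `$1`: the old `/.*\.(\S{1,})$/xms` captured the text after the last dot (`gz` for `logo.tar.gz`), whereas the new `/\.([^\/\\]+)$/m` matches at the leftmost dot of the final path component and captures `tar.gz`. Separately, keeping the `/m` modifier means `$` still matches before an embedded newline, so a path whose first line ends in `.css` passes this check regardless of what follows the newline; anchoring with `\z` instead of `$` (and dropping `/m`) would tie the check to the true end of the path.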
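As an added illustration, not part of the bug report or of the upstream code, the following Python reproduces the two Perl patterns from the hunk with the same modifiers and runs them over constructed request paths. It shows the directory-with-a-dot case the report describes, how the capture group's content changes for multi-dot filenames, and what `$` does under the `m` modifier when the path contains a newline. Python's `re` treats `\S`, negated character classes and the `x`, `m` and `s` modifiers the same way Perl does for these two patterns; the function names and sample paths are my own construction.

```python
"""
Reproduce the extension check from Catalyst::Plugin::Static::Simple
before and after the RT#120558 fix, using Python's re module with the
same modifiers as the Perl originals. Added example, not upstream code.
"""
import re

# Pre-fix pattern:  /.*\.(\S{1,})$/xms   (Perl x, m, s  ->  re.X | re.M | re.S)
OLD_EXT_RE = re.compile(r".*\.(\S{1,})$", re.X | re.M | re.S)

# Post-fix pattern: /\.([^\/\\]+)$/m      (Perl m       ->  re.M)
NEW_EXT_RE = re.compile(r"\.([^/\\]+)$", re.M)


def extension(path, pattern):
    """Return what the check captures as the 'extension', or None if the
    check would not fire and _locate_static_file would not be called."""
    m = pattern.search(path)
    return m.group(1) if m else None


def compare(path):
    """(pre-fix capture, post-fix capture) for one request path."""
    return extension(path, OLD_EXT_RE), extension(path, NEW_EXT_RE)


# Constructed sample request paths (hypothetical, not from the report).
SAMPLE_PATHS = [
    "static/css/site.css",          # ordinary static file: both accept, capture "css"
    "static/images/logo.tar.gz",    # multi-dot name: old captures "gz", new "tar.gz"
    "v1.2/config",                  # dot only in a directory name: old accepts (the bug)
    "v1.2/secrets/db",              # deeper under the dotted directory: old still accepts
    "static/README",                # no dot at all: both reject
    "static/.htaccess",             # dotfile: both accept
    "static/x.css\n../etc/passwd",  # embedded newline: under /m, "$" matches before "\n"
]


def run_samples():
    """Map each sample path to its (old, new) capture pair."""
    return {p: compare(p) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for p, (old, new) in run_samples().items():
        print(f"{p!r:34} old={old!r:16} new={new!r}")
```

The third and fourth paths are the reported bug: `\S` happily spans `/`, so any path beneath a directory containing a dot passed the old check, while the new class `[^/\\]` confines the match to the last component. The last path is not a claim about exploitability, which depends on what `_locate_static_file` does with the full string; it only shows that `$` under the `m` modifier accepts the first line on its own.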