File perl-Plack-CVE-2014-5269.patch of Package perl-Plack.openSUSE_13.1_Update

Index: Plack-1.0028/Changes
===================================================================
--- Plack-1.0028.orig/Changes	2014-12-03 17:18:43.457875014 +0100
+++ Plack-1.0028/Changes	2014-12-03 17:19:10.939218272 +0100
@@ -1,5 +1,17 @@
 Go to http://github.com/plack/Plack/issues for the roadmap and known issues.
 
+    [SECURITY]
+        - Plack::App::File would previously strip trailing slashes off
+          provided paths.
+
+          This in combination with the common pattern of dynamically
+          generating some files in a tree and serving the rest up with
+          Plack::Middleware::Static could allow an attacker to bypass
+          a whitelist of generated files by just requesting
+          /file.disallowed/ instead of /file.disallowed, provided that
+          Plack::Middleware::Static was used for all paths except
+          those matching /\.disallowed$/
+
 1.0028  2013-06-15 01:42:52 PDT
     [IMPROVEMENTS]
         - Skip cgi related tests for Win32 (chorny) #413
Index: Plack-1.0028/lib/Plack/App/File.pm
===================================================================
--- Plack-1.0028.orig/lib/Plack/App/File.pm	2014-12-03 17:18:42.120858314 +0100
+++ Plack-1.0028/lib/Plack/App/File.pm	2014-12-03 17:18:43.457875014 +0100
@@ -44,7 +44,7 @@ sub locate_file {
     }
 
     my $docroot = $self->root || ".";
-    my @path = split /[\\\/]/, $path;
+    my @path = split /[\\\/]/, $path, -1; # -1 *MUST* be here to avoid security issues!
     if (@path) {
         shift @path if $path[0] eq '';
     } else {
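Review bot: The comment on the new split call says -1 is mandatory but not why, which makes it the kind of argument a later cleanup "simplifies" away. The mechanism is that split without a negative limit discards trailing empty fields, so `/file.disallowed/` and `/file.disallowed` yield the same @path and resolve to the same file, whereas with the -1 limit the trailing empty element survives and the later lookup (outside this hunk) presumably fails to find a file, giving the 404 the new test expects. Suggest replacing the comment with `# Limit -1 keeps trailing empty fields: "/foo/" must not collapse to "/foo", otherwise path-based deny rules in front of this app are bypassed by appending a slash (CVE-2014-5269).` locate_file begins and ends outside the hunk, so the code that consumes @path is not visible here.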
Index: Plack-1.0028/t/Plack-Middleware/file.t
===================================================================
--- Plack-1.0028.orig/t/Plack-Middleware/file.t	2014-12-03 17:18:42.120858314 +0100
+++ Plack-1.0028/t/Plack-Middleware/file.t	2014-12-03 17:18:43.457875014 +0100
@@ -3,6 +3,7 @@ use Plack::Test;
 use Test::More;
 use HTTP::Request::Common;
 use Plack::App::File;
+use FindBin qw($Bin);
 
 my $app = Plack::App::File->new(file => 'Changes');
 
@@ -35,6 +36,24 @@ test_psgi $app_content_type, sub {
     is $res->code, 200;
 };
 
+my $app_secure = Plack::App::File->new(root => $Bin);
 
+test_psgi $app_secure, sub {
+    my $cb = shift;
+
+    my $res = $cb->(GET "/file.t");
+    is $res->code, 200;
+    like $res->content, qr/We will find for this literal string/;
+
+    my $res = $cb->(GET "/../Plack-Middleware/file.t");
+    is $res->code, 403;
+    is $res->content, 'forbidden';
+
+    for my $i (1..100) {
+        $res = $cb->(GET "/file.t" . ("/" x $i));
+        is $res->code, 404;
+        is $res->content, 'not found';
+    }
+};
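Review bot: `my $res` is declared twice in the same callback, once for `GET "/file.t"` and again for `GET "/../Plack-Middleware/file.t"`, which under `use warnings` emits the "my" variable $res masks earlier declaration in same scope warning; drop the second `my` so the line reads `$res = $cb->(GET "/../Plack-Middleware/file.t");`. The trailing-slash loop that follows already assigns to the existing variable, so this also makes the block consistent. Whether the test file enables warnings is decided above the hunk and is not visible here.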
 
 done_testing;