Package: libplack-perl / 0.9989-1+deb7u1

Metadata

Package: libplack-perl
Version: 0.9989-1+deb7u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01 fix CVE 2014 5269.patch

lib/Plack/App/File.pm | 2 1 + 1 - 0 !
t/Plack-Middleware/file.t | 19 19 + 0 - 0 !
2 files changed, 20 insertions(+), 1 deletion(-)

 [patch] Plack::App::File: fix a security issue by not pruning
 trailing slashes

Before this Plack::App::File would prune trailing slashes via its split
invocation. I.e. it would think this:

    $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt
    $VAR1 = [
              'a',
              'file.txt'
            ];

Was the same as:

    $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt///
    $VAR1 = [
              'a',
              'file.txt'
            ];

This can turn into a nasty code exposure issue if you e.g. have an app
that basically does this:

    1. I'd do a regex /.txt.pl\z/ on a file to see if it was a text file
    2. If so, do magic to generate text file via perl
    3. Else it's not a /.txt.pl\z/ file, so it must be some other static