Package: libplack-perl / 0.9989-1+deb7u1
Metadata
Package | Version | Patches format |
---|---|---|
libplack-perl | 0.9989-1+deb7u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
01 fix CVE 2014 5269.patch (download) | lib/Plack/App/File.pm: 2 1 + 1 - 0 ! | [patch] plack::app::file: fix a security issue by not pruning trailing slashes |

Before this Plack::App::File would prune trailing slashes via its split invocation. I.e. it would think this:

    $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt
    $VAR1 = [ 'a', 'file.txt' ];

Was the same as:

    $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt///
    $VAR1 = [ 'a', 'file.txt' ];

This can turn into a nasty code exposure issue if you e.g. have an app that basically does this:

1. I'd do a regex /.txt.pl\z/ on a file to see if it was a text file
2. If so, do magic to generate text file via perl
3. Else it's not a /.txt.pl\z/ file, so it must be some other static
1
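The trailing-slash behaviour the commit message describes, as an added Perl example (not code from Plack or from the patch). `dispatch`, `%docroot` and the rejoin-and-look-up static handler are a simplified, hypothetical model; the `split` pattern and the `/.txt.pl\z/` check are the ones quoted above, and the `-1` limit is Perl's standard way to keep trailing empty fields, assumed here because the page does not show the patched line.

```perl
use strict;
use warnings;

# Constructed sample: the only file under the (imaginary) document root.
my %docroot = ('a/file.txt.pl' => "#!/usr/bin/perl\n# generator source\n");

# Hypothetical dispatcher modelled on the commit message's scenario.
# $limit is handed to split: 0 behaves like an omitted limit and prunes
# trailing empty fields, -1 keeps them.
sub dispatch {
    my ($request_path, $limit) = @_;

    # Steps 1 and 2: the application's own check on the raw request path.
    return 'generated' if $request_path =~ /.txt.pl\z/;

    # Step 3: anything else goes to the static handler, which splits the
    # path on slashes and backslashes and looks up the rejoined name.
    my @parts = split /[\\\/]/, $request_path, $limit;
    my $name  = join '/', @parts;

    return exists $docroot{$name} ? 'static (source returned)' : 'not found';
}

# Compare both request paths under both split limits.
for my $path ('a/file.txt.pl', 'a/file.txt.pl///') {
    for my $limit (0, -1) {
        my @parts = split /[\\\/]/, $path, $limit;
        printf "%-18s limit=%2d components=%d => %s\n",
            $path, $limit, scalar(@parts), dispatch($path, $limit);
    }
}
```

With the pruning split, the request with trailing slashes misses the regex but still resolves to the same file in the static handler; with the `-1` limit the empty trailing components survive and the lookup no longer matches.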