| 1 |
diff -uNr Plack-1.0014/lib/Plack/App/File.pm Plack-1.0014p/lib/Plack/App/File.pm |
| 2 |
--- Plack-1.0014/lib/Plack/App/File.pm 2012-10-30 00:35:08.000000000 +0200 |
| 3 |
+++ Plack-1.0014p/lib/Plack/App/File.pm 2014-11-23 16:27:16.923493263 +0200 |
| 4 |
@@ -44,7 +44,7 @@ |
| 5 |
} |
| 6 |
|
| 7 |
my $docroot = $self->root || "."; |
| 8 |
- my @path = split '/', $path; |
| 9 |
+ my @path = split '/', $path, -1; # -1 *MUST* be here to avoid security issues! |
| 10 |
if (@path) { |
| 11 |
shift @path if $path[0] eq ''; |
| 12 |
} else { |
| 13 |
diff -uNr Plack-1.0014/t/Plack-Middleware/file.t Plack-1.0014p/t/Plack-Middleware/file.t |
| 14 |
--- Plack-1.0014/t/Plack-Middleware/file.t 2012-10-30 00:35:08.000000000 +0200 |
| 15 |
+++ Plack-1.0014p/t/Plack-Middleware/file.t 2014-11-23 16:21:09.557040213 +0200 |
| 16 |
@@ -3,6 +3,7 @@ |
| 17 |
use Test::More; |
| 18 |
use HTTP::Request::Common; |
| 19 |
use Plack::App::File; |
| 20 |
+use FindBin qw($Bin); |
| 21 |
|
| 22 |
my $app = Plack::App::File->new(file => 'README'); |
| 23 |
|
| 24 |
@@ -18,6 +19,26 @@ |
| 25 |
is $res->code, 200; |
| 26 |
}; |
| 27 |
|
| 28 |
+my $app_secure = Plack::App::File->new(root => $Bin); |
| 29 |
+ |
| 30 |
+test_psgi $app_secure, sub { |
| 31 |
+ my $cb = shift; |
| 32 |
+ |
| 33 |
+ my $res = $cb->(GET "/file.t"); |
| 34 |
+ is $res->code, 200; |
| 35 |
+ like $res->content, qr/We will find for this literal string/; |
| 36 |
+ |
| 37 |
+ my $res = $cb->(GET "/../Plack-Middleware/file.t"); |
| 38 |
+ is $res->code, 403; |
| 39 |
+ is $res->content, 'forbidden'; |
| 40 |
+ |
| 41 |
+ for my $i (1..100) { |
| 42 |
+ $res = $cb->(GET "/file.t" . ("/" x $i)); |
| 43 |
+ is $res->code, 404; |
| 44 |
+ is $res->content, 'not found'; |
| 45 |
+ } |
| 46 |
+}; |
| 47 |
+ |
| 48 |
my $app_content_type = Plack::App::File->new( |
| 49 |
file => 'README', |
| 50 |
content_type => 'text/x-readme' |
Parent Directory
| 
Revision Log