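--- a/lib/Plack/App/File.pm
+++ b/lib/Plack/App/File.pm
@@ -44,7 +44,7 @@
 }
 
 my $docroot = $self->root || ".";
-my @path = split '/', $path;
+my @path = split '/', $path, -1; # -1 *MUST* be here to avoid security issues!
 if (@path) {
 shift @path if $path[0] eq '';
 } else {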
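Review bot: The new comment on the `split` line says the `-1` is mandatory but not what it changes, so the next maintainer cannot tell which behaviour must be preserved; suggest `my @path = split '/', $path, -1; # LIMIT -1 keeps trailing empty fields: without it "/foo/" and "/foo" split to the same @path, so a trailing-slash request resolves to the bare file`. That is exactly the case the accompanying t/Plack-Middleware/file.t change pins down: "/file.t" followed by one or more slashes is now expected to end in 404 rather than be served as file.t. Note that with the limit a PATH_INFO of "/" splits into two empty fields, so after the `shift` one empty element remains and the `else` branch below is presumably reached only for an empty PATH_INFO — worth confirming against the rest of the enclosing sub, which starts and ends outside this hunk.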
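--- a/t/Plack-Middleware/file.t
+++ b/t/Plack-Middleware/file.t
@@ -3,6 +3,7 @@
 use Test::More;
 use HTTP::Request::Common;
 use Plack::App::File;
+use FindBin qw($Bin);
 
 my $app = Plack::App::File->new(file => 'README');
 
@@ -18,6 +19,26 @@
 is $res->code, 200;
 };
 
+my $app_secure = Plack::App::File->new(root => $Bin);
+
+test_psgi $app_secure, sub {
+my $cb = shift;
+
+my $res = $cb->(GET "/file.t");
+is $res->code, 200;
+like $res->content, qr/We will find for this literal string/;
+
+my $res = $cb->(GET "/../Plack-Middleware/file.t");
+is $res->code, 403;
+is $res->content, 'forbidden';
+
+for my $i (1..100) {
+$res = $cb->(GET "/file.t" . ("/" x $i));
+is $res->code, 404;
+is $res->content, 'not found';
+}
+};
+
 my $app_content_type = Plack::App::File->new(
 file => 'README',
 content_type => 'text/x-readme'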
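Review bot: `my $res = $cb->(GET "/../Plack-Middleware/file.t");` redeclares `$res` in the same anonymous sub as the `my $res` a few lines above, which under `use warnings` (presumably enabled in this file; the first hunk starts at line 3) emits a `"my" variable $res masks earlier declaration in same scope` warning on every run; change it to `$res = $cb->(GET "/../Plack-Middleware/file.t");`, as the loop below already does. Separately, the `like` on the first response succeeds only because the pattern literal `We will find for this literal string` occurs in this very file, so the served body is being matched against the test's own source; a comment such as `# matches this line of file.t itself, proving the response body is this file` would make that intent clear to a reader.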