| Subject: | Will inadvertently serve any file if a directory in the path has a dot (.) |
| Date: | Wed, 8 Mar 2017 16:21:32 +0000 |
| To: | "bug-Catalyst-Plugin-Static-Simple@rt.cpan.org" <bug-Catalyst-Plugin-Static-Simple@rt.cpan.org> |
| From: | "Mohammed Chaudhry (CENSUS/ADSD FED)" <Mohammed.Chaudhry@census.gov> |
The following code looks for a dot (.) in the path, but doesn't make sure it's an extension at the end of the path.
So, if your path has say a dot directory, it ends up serving anything in it.
For instance, our security found out we were serving stuff like:
/static/.svn/<every_file_in_here>
```perl
# Does the path have an extension?
if ( $path =~ /.*\.(\S{1,})$/xms ) {
    # and does it exist?
    $c->_locate_static_file( $path );
}
```
We've been running Catalyst::Plugin::Static::Simple with the following patch for a few years now, and it solved the issue without any adverse effects.
I just noticed it now because we updated our perl build and to a new Catalyst and noticed the bug was still there.
Thanks.
-m
--- Simple.pm.orig 2017-03-08 11:16:10.000000000 -0500
+++ Simple.pm 2017-03-08 11:12:52.000000000 -0500
@@ -64,7 +64,7 @@
}
# Does the path have an extension?
- if ( $path =~ /.*\.(\S{1,})$/xms ) {
+ if ( $path =~ /\.([^\/\\]+)$/m ) {
# and does it exist?
$c->_locate_static_file( $path );
}
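Review bot: the patched pattern keeps `/m`, so `$` can still match before an embedded newline instead of at the true end of `$path`; anchoring with `\z` (and dropping `/m`, which the new pattern no longer needs) makes the extension test apply to the whole string. Also worth a comment in the hunk: `\.([^\/\\]+)$` accepts a leading-dot final component such as `/static/.hidden`, treating `hidden` as the extension, so a dotfile in the last path element still reaches `_locate_static_file`; requiring a non-separator character before the dot, e.g. `/[^\/\\]\.([^\/\\]+)\z/`, would exclude it. The new class does fix the reported case, since `[^\/\\]+` cannot run across a directory separator the way `\S{1,}` in the removed line could, and a test case with a dot directory in the path would pin that behaviour down.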
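As an added example (not from the ticket and not part of Catalyst::Plugin::Static::Simple), the script below runs the original and patched extension checks from the hunk side by side on a handful of constructed request paths, and adds a stricter variant, which is my assumption rather than anything the module ships, that anchors with `\z` and refuses a leading-dot final component. The sample paths and the expected results are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Original check, as in the `-` line of the hunk.
# /x ignores whitespace in the pattern, /m lets $ match before any newline,
# /s lets . cross newlines; \S{1,} happily runs across "/" and "\".
sub has_ext_original {
    my ($path) = @_;
    return $path =~ /.*\.(\S{1,})$/xms ? 1 : 0;
}

# Patched check, as in the `+` line of the hunk.
# The class [^\/\\]+ cannot cross a directory separator, so a dot that
# belongs to a directory name no longer counts as an extension.
sub has_ext_patched {
    my ($path) = @_;
    return $path =~ /\.([^\/\\]+)$/m ? 1 : 0;
}

# Stricter variant (assumption, not from the ticket): a non-separator
# character must precede the dot, and \z anchors at the true end of string.
sub has_ext_strict {
    my ($path) = @_;
    return $path =~ /[^\/\\]\.([^\/\\]+)\z/ ? 1 : 0;
}

# Constructed sample paths with the expected result of each check.
my @cases = (
    # path                                 original patched strict
    [ '/static/css/site.css',                 1, 1, 1 ],  # ordinary static asset
    [ '/static/.svn/entries',                 1, 0, 0 ],  # the reported case: dot directory, no extension
    [ '/static/.svn\entries',                 1, 0, 0 ],  # same with a backslash separator
    [ '/static/.svn/wc.db',                   1, 1, 1 ],  # real extension inside a dot directory: all three match
    [ '/static/.htaccess',                    1, 1, 0 ],  # leading-dot final component: only the strict variant refuses
    [ '/static/js',                           0, 0, 0 ],  # no dot at all
    [ "/static/site.css\n/static/other",      1, 1, 0 ],  # embedded newline: $ with /m matches mid-string, \z does not
);

my $failures = 0;
for my $case (@cases) {
    my ( $path, @expected ) = @$case;
    my @got = ( has_ext_original($path), has_ext_patched($path), has_ext_strict($path) );
    my $ok = join( ',', @got ) eq join( ',', @expected );
    $failures++ unless $ok;
    ( my $shown = $path ) =~ s/\n/\\n/g;    # make the embedded newline visible in the output
    printf "%-36s original=%d patched=%d strict=%d %s\n", $shown, @got, $ok ? 'ok' : 'MISMATCH';
}
exit( $failures ? 1 : 0 );
```

Run it with `perl check_ext.pl`; it exits non-zero if any check disagrees with the expected column. Note the `wc.db` row: a file with a genuine extension inside a dot directory is served by every variant, because the plugin's test is only "does this look like a file with an extension". The patch closes the extension-less case from the report, but keeping VCS metadata and other dot directories out of the static root remains the actual control.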