
This queue is for tickets about the Plack CPAN distribution.

Report information

The Basics
Id: 63020
Status: resolved
Priority: Low/Low
Queue:

People
Owner: Nobody in particular
Requestors:
Cc:
AdminCc:

BugTracker
Severity: Normal
Broken in: 0.9951
Fixed in: (no value)



Subject: Directory traversal check incomplete
The directory traversal check in Plack::App::File still lets you list files in the parent directory. I'm not sure of the severity; it looks like it's probably just information disclosure, but maybe someone who spends a bit more time can figure out a way to leverage it. Expected behaviour is a 403; actual behaviour is a listing with the contents of the parent directory.

$ mkdir -p /tmp/test/in_parent_dir /tmp/test/child /tmp/test/child/childdir
$ cd /tmp/test/child
$ /opt/perl/bin/plackup -MPlack::App::Directory -e 'Plack::App::Directory->new'
HTTP::Server::PSGI: Accepting connections at http://0:5000/
127.0.0.1 - - [16/Nov/2010 04:54:39] "GET /.. HTTP/1.0" 200 1503 "-" "-"

$ telnet localhost 5000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /.. HTTP/1.0

HTTP/1.0 200 OK
<snipped>
<tr><td class='name'><a href='../'>Parent Directory</a></td><td class='size'></td><td class='type'></td><td class='mtime'></td></tr>
<tr><td class='name'><a href='/../.'>./</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 05:01:36 GMT</td></tr>
<tr><td class='name'><a href='/../..'>../</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 04:53:43 GMT</td></tr>
<tr><td class='name'><a href='/../child'>child/</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 05:01:36 GMT</td></tr>
<tr><td class='name'><a href='/../in_parent_dir'>in_parent_dir/</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 04:53:43 GMT</td></tr>

Relevant line is 43 of Plack::App::File. The regex is also overly broad; it will reject legitimate paths with ../ in them, for example http://example.com/blog/Some_Title_That_Ends_In../
IMHO this is a serious security risk. Could this please be fixed?
Fixed in 0.9955
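Added example, not taken from the ticket or from Plack itself, contrasting the two kinds of check the report talks about. The substring regex in traversal_by_regex is an assumed reconstruction of the shape of check the report complains about (it is not a quote of line 43 of Plack::App::File); traversal_by_segment is the usual per-segment fix. The paths are constructed here: the two from the ticket ("/.." and the blog URL ending in "../") plus a few extra edges, including a NUL byte, which goes beyond what the ticket itself raises.

```perl
#!/usr/bin/env perl
# Added example (not Plack's own code): a substring-regex traversal
# check of the kind the report describes, next to a per-segment check,
# run over the paths from the ticket plus a few constructed ones.
use strict;
use warnings;

# Assumed shape of the broken check: it rejects only a literal "../"
# substring, so "/.." (no trailing slash) slips through, while a name
# that merely ends in ".." is wrongly rejected.
sub traversal_by_regex {
    my ($path) = @_;
    return $path =~ m{\.\./} ? 1 : 0;
}

# Per-segment check: split on "/" or "\" and refuse the request if any
# segment is exactly "..". A NUL byte is refused as well, since the
# filesystem would otherwise silently truncate the path there.
sub traversal_by_segment {
    my ($path) = @_;
    return 1 if $path =~ /\0/;
    my @segments = split m{[\\/]}, $path;
    return (grep { $_ eq '..' } @segments) ? 1 : 0;
}

# Constructed cases: 1 = must be refused, 0 = legitimate path.
my @cases = (
    ['/..',                              1],   # the ticket's request
    ['/../in_parent_dir',                1],
    ['/child/../../etc/passwd',          1],
    ['/blog/Some_Title_That_Ends_In../', 0],   # the ticket's false positive
    ['/a..b/c',                          0],
    ['/.hidden/..',                      1],
    ["/index.html\0.txt",                1],   # NUL truncation, added edge
);

printf "%-36s %-6s %-8s %s\n", 'path', 'regex', 'segment', 'expected';
for my $case (@cases) {
    my ($path, $expected) = @$case;
    (my $shown = $path) =~ s/\0/\\0/g;
    printf "%-36s %-6d %-8d %d\n", $shown,
        traversal_by_regex($path), traversal_by_segment($path), $expected;
}
```

Running it shows the regex column disagreeing with "expected" on exactly the two ticket paths (it lets "/.." through and rejects the blog URL), and on any ".." that is the last segment, while the segment column matches on every row. Splitting before comparing is what makes the difference: "Some_Title_That_Ends_In.." is one segment that is not equal to "..", and a bare ".." segment is caught whether or not a slash follows it.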

