CHANGES 011
MANIFEST 02
META.yml 43
lib/Dancer/FileUtils.pm 01
lib/Dancer.pm 11
t/04_static_file/02_dir_traversal.t 028
t/04_static_file/secretfile 02
7 files changed (This is a version diff) 548
@@ -1,3 +1,14 @@
+1.3071     26.07.2011
+
+    ** Security release based on 1.3070 **
+
+    [ SECURITY ]
+    * FIX directory traversal issue
+      Since 1.3070, it was possible to abuse the static file serving feature to
+      obtain files from a directory immediately above the directory configured to
+      serve static files from.
+      (Vladimir Lettiev and David Precious)
+
 1.3070      14.07.2011
     ** Codename: The Exceptional Mr. Dams // Damien Krotkine (dams) **
 
@@ -168,6 +168,8 @@ t/03_route_handler/views/hello.tt
 t/04_static_file/001_base.t
 t/04_static_file/003_mime_types_reinit.t
 t/04_static_file/01_mime_types.t
+t/04_static_file/02_dir_traversal.t
+t/04_static_file/secretfile
 t/04_static_file/static/hello.foo
 t/04_static_file/static/hello.txt
 t/05_views/002_view_rendering.t
@@ -1,6 +1,6 @@
 --- #YAML:1.0
 name:               Dancer
-version:            1.3070
+version:            1.3071
 abstract:           A minimal-effort oriented web application framework
 author:  []
 license:            perl
@@ -8,7 +8,7 @@ distribution_type:  module
 configure_requires:
     ExtUtils::MakeMaker:  0
 build_requires:
-    ExtUtils::MakeMaker:  0
+    Test::More:  0.94
 requires:
     Encode:               0
     File::Basename:       0
@@ -17,7 +17,6 @@ requires:
     HTTP::Server::Simple::PSGI:  0.11
     LWP:                  0
     MIME::Types:          0
-    Test::More:           0.94
     Time::HiRes:          0
     URI:                  0
 resources:
@@ -28,7 +27,7 @@ no_index:
     directory:
         - t
         - inc
-generated_by:       ExtUtils::MakeMaker version 6.55_02
+generated_by:       ExtUtils::MakeMaker version 6.56
 meta-spec:
     url:      http://module-build.sourceforge.net/META-spec-v1.4.html
     version:  1.4
@@ -103,6 +103,7 @@ sub normalize_path {
 
     $path =~ s{/\./}{/}g;
     $path =~ s{$seqregex}{}g;
+    $path =~ s{$seqregex}{};
 
     return $path;
 }
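Review bot: The added non-global `$path =~ s{$seqregex}{};` pass removes at most one further `..` sequence that the preceding `/g` pass exposed by joining text across a removed match, so a request whose collapsed form still contains a traversal sequence (e.g. three `..` components behind a two-component prefix) may survive normalization, depending on exactly what `$seqregex` matches — its definition is above this hunk. A fixpoint loop is the robust form: replace the two substitutions with `1 while $path =~ s{$seqregex}{};`. The `$path =~ s{/\./}{/}g;` line has the same single-scan property for adjacent `/./` runs and would benefit from the same loop. String rewriting alone is also a weak boundary; the static-file handler should additionally resolve the result (Dancer.pm already imports `Cwd 'realpath'`) and reject any path that does not lie under the configured public root. `sub normalize_path` starts above this hunk, so the earlier part of its body is not visible here.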
@@ -5,7 +5,7 @@ use warnings;
 use Carp;
 use Cwd 'realpath';
 
-our $VERSION   = '1.3070';
+our $VERSION   = '1.3071';
 our $AUTHORITY = 'SUKRIA';
 
 use Dancer::App;
@@ -0,0 +1,28 @@
+use strict;
+use warnings;
+
+
+use Test::More import => ['!pass'];
+use Dancer::Test;
+
+# All these paths should return 404; if we get a file served, we have a
+# directory traversal vulnerability!
+my @try_paths = qw(
+    /css/../../secretfile
+    ../secretfile
+    /etc/passwd
+    ../../../../../../../../../../../../etc/passwd
+);
+
+plan tests => scalar @try_paths;
+
+use Dancer ':syntax';
+
+set public => path( dirname(__FILE__), 'static' );
+my $public = setting('public');
+
+for my $path (@try_paths) {
+    my $resp = Dancer::Test::_get_file_response( [ GET => $path ] );
+    ok !$resp, "Request to $path did not return a file response";
+}
+
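Review bot: The cases in `@try_paths` climb at most two levels and use only literal `..`, so they cannot distinguish a fix that strips exactly one extra `..` sequence from a full normalization; add a deeper nested case such as `/a/b/../../../secretfile`, and, if the request path is URL-decoded before the file lookup (not visible here), an encoded form like `/%2e%2e/secretfile`. There is also no positive control, so a change that stopped serving static files altogether would pass this test unnoticed: add `ok Dancer::Test::_get_file_response([GET => '/hello.txt']), 'legitimate static file is still served';` using the `static/hello.txt` fixture already listed in MANIFEST, and adjust the plan to `plan tests => 1 + @try_paths;`. `my $public = setting('public');` is assigned and never used; either drop it or include it in the test description so a failure shows which root was configured.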
@@ -0,0 +1,2 @@
+This file is used by 02_dir_traversal.t to ensure that static file requests
+cannot traverse upwards out of the public/ dir.