@@ -1,3 +1,14 @@
+1.3071 26.07.2011
+
+ ** Security release based on 1.3070 **
+
+ [ SECURITY ]
+ * FIX directory traversal issue
+ Since 1.3070, it was possible to abuse the static file serving feature to
+ obtain files from a directory immediately above the directory configured to
+ serve static files from.
+ (Vladimir Lettiev and David Precious)
+
1.3070 14.07.2011
** Codename: The Exceptional Mr. Dams // Damien Krotkine (dams) **
@@ -168,6 +168,8 @@ t/03_route_handler/views/hello.tt
t/04_static_file/001_base.t
t/04_static_file/003_mime_types_reinit.t
t/04_static_file/01_mime_types.t
+t/04_static_file/02_dir_traversal.t
+t/04_static_file/secretfile
t/04_static_file/static/hello.foo
t/04_static_file/static/hello.txt
t/05_views/002_view_rendering.t
@@ -1,6 +1,6 @@
--- #YAML:1.0
name: Dancer
-version: 1.3070
+version: 1.3071
abstract: A minimal-effort oriented web application framework
author: []
license: perl
@@ -8,7 +8,7 @@ distribution_type: module
configure_requires:
ExtUtils::MakeMaker: 0
build_requires:
- ExtUtils::MakeMaker: 0
+ Test::More: 0.94
requires:
Encode: 0
File::Basename: 0
@@ -17,7 +17,6 @@ requires:
HTTP::Server::Simple::PSGI: 0.11
LWP: 0
MIME::Types: 0
- Test::More: 0.94
Time::HiRes: 0
URI: 0
resources:
@@ -28,7 +27,7 @@ no_index:
directory:
- t
- inc
-generated_by: ExtUtils::MakeMaker version 6.55_02
+generated_by: ExtUtils::MakeMaker version 6.56
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
version: 1.4
@@ -103,6 +103,7 @@ sub normalize_path {
$path =~ s{/\./}{/}g;
$path =~ s{$seqregex}{}g;
+ $path =~ s{$seqregex}{};
return $path;
}
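Review bot: The added non-global pass `$path =~ s{$seqregex}{};` only collapses one more `segment/..` pair after the `/g` pass, so a request nesting the pattern one level deeper than the new test cases (e.g. `/a/b/../../../secretfile`, assuming `$seqregex` has the usual `/[^/]+/\.\./` shape — its definition is outside this hunk) can still leave a `..` component in the returned path. A single `/g` substitution does not re-scan text it has already consumed, which is presumably why the second pass was needed; the robust form is to iterate to a fixed point, replacing both lines with `1 while $path =~ s{$seqregex}{};`. Even then a leading `/../secretfile` has no preceding segment to pair with and survives untouched, so the static-file caller should additionally refuse any normalized path that still contains a `..` segment or that does not resolve beneath the public directory. `normalize_path` begins before this hunk.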
@@ -5,7 +5,7 @@ use warnings;
use Carp;
use Cwd 'realpath';
-our $VERSION = '1.3070';
+our $VERSION = '1.3071';
our $AUTHORITY = 'SUKRIA';
use Dancer::App;
@@ -0,0 +1,28 @@
+use strict;
+use warnings;
+
+
+use Test::More import => ['!pass'];
+use Dancer::Test;
+
+# All these paths should return 404; if we get a file served, we have a
+# directory traversal vulnerability!
+my @try_paths = qw(
+ /css/../../secretfile
+ ../secretfile
+ /etc/passwd
+ ../../../../../../../../../../../../etc/passwd
+);
+
+plan tests => scalar @try_paths;
+
+use Dancer ':syntax';
+
+set public => path( dirname(__FILE__), 'static' );
+my $public = setting('public');
+
+for my $path (@try_paths) {
+ my $resp = Dancer::Test::_get_file_response( [ GET => $path ] );
+ ok !$resp, "Request to $path did not return a file response";
+}
+
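Review bot: Every traversal case in `@try_paths` uses the `segment/..` pair at a single nesting depth, and there is no positive control, so a `normalize_path` that refused every request would pass this test without proving the fix. Add a deeper case such as `/css/js/../../../secretfile` to `@try_paths`, and one final assertion that a legitimate file under `static/` is still served, e.g. `ok Dancer::Test::_get_file_response([GET => '/hello.txt']), 'legitimate static file is still served';` (adjust the plan to `scalar(@try_paths) + 1`, or switch to `done_testing`). `my $public = setting('public');` on the line after the `set public` call is assigned but never used and can be dropped.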
@@ -0,0 +1,2 @@
+This file is used by 02_dir_traversal.t to ensure that static file requests
+cannot traverse upwards out of the public/ dir.