@@ -1,5 +1,9 @@
This file documents the revision history for Perl extension Mojolicious.
+1.16 2011-04-15 00:00:00
+ - Emergency release for a critical security issue that can expose
+ files on your system, everybody should update!
+
1.15 2011-03-18 00:00:00
- Changed default log level in "production" mode from "error" to
"info".
@@ -103,6 +103,7 @@ LICENSE
Makefile.PL
MANIFEST This list of files
MANIFEST.SKIP
+META.yml
README.pod
script/hypnotoad
script/mojo
@@ -218,4 +219,3 @@ t/mojolicious/websocket_proxy_lite_app.t
t/mojolicious/websocket_tls_proxy_lite_app.t
t/pod.t
t/pod_coverage.t
-META.yml Module meta-data (added by MakeMaker)
@@ -1,6 +1,6 @@
--- #YAML:1.0
name: Mojolicious
-version: 1.15
+version: 1.16
abstract: The Web In A Box!
author:
- Sebastian Riedel <sri@cpan.org>
@@ -80,6 +80,9 @@ sub parse {
$path =~ /^\// ? $self->leading_slash(1) : $self->leading_slash(0);
$path =~ /\/$/ ? $self->trailing_slash(1) : $self->trailing_slash(0);
+ # Unescape
+ url_unescape $path;
+
# Parse
my @parts;
for my $part (split '/', $path) {
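Review bot: The leading- and trailing-slash checks on the two context lines above the added `url_unescape $path;` still run on the encoded string, so input that begins or ends with `%2f` is flagged as having no slash even though the decoded path has one. Since this change treats `%2f` as a real separator, making `url_unescape $path;` the first statement that touches `$path` would keep the flags consistent with the parts. Whether that alters `to_string` for such input should be confirmed with a test. A why-comment such as `# Unescape before splitting so encoded slashes cannot hide ".." segments` would also explain the ordering better than `# Unescape`. `parse` starts and ends outside this hunk.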
@@ -91,7 +94,6 @@ sub parse {
$part = '' unless defined $part;
# Store
- url_unescape $part;
push @parts, $part;
}
@@ -29,7 +29,7 @@ has static => sub { Mojolicious::Static->new };
has types => sub { Mojolicious::Types->new };
our $CODENAME = 'Smiling Cat Face With Heart-Shaped Eyes';
-our $VERSION = '1.15';
+our $VERSION = '1.16';
# "These old doomsday devices are dangerously unstable.
# I'll rest easier not knowing where they are."
@@ -3,7 +3,7 @@
use strict;
use warnings;
-use Test::More tests => 3;
+use Test::More tests => 11;
# "This is the greatest case of false advertising I’ve seen since I sued the
# movie 'The Never Ending Story.'"
@@ -12,3 +12,18 @@ use_ok 'Mojo::Path';
my $path = Mojo::Path->new;
is $path->parse('/path')->to_string, '/path', 'right path';
is $path->parse('/path/0')->to_string, '/path/0', 'right path';
+
+# Canonicalizing
+$path = Mojo::Path->new(
+ '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
+is $path->canonicalize, '/../../../../../../../../../../etc/passwd',
+ 'rigth result';
+is $path->parts->[0], '..', 'right part';
+$path = Mojo::Path->new(
+ '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
+is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], 'test', 'right part';
+is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result';
+is $path->parts->[0], '..', 'right part';
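Review bot: These assertions pin that `canonicalize` leaves leading `..` parts in place (`parts->[0]` is still `'..'` afterwards), so they show the parser exposing the segments, not anything refusing them. A comment such as `# canonicalize keeps leading ".." parts; code that maps a path to a file must reject them` would stop a reader treating `canonicalize` as a containment check. The description `'rigth result'` is misspelled in all four places it appears and should read `'right result'`. Only lowercase `%2f` is covered; one case with `%2F` and one with `%2e%2e` would pin the same behaviour for the other encodings of those characters.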
@@ -135,17 +135,17 @@ is $url->to_abs->base, 'http://kraih.com/bar/baz/', 'right base';
# Real world tests
$url = Mojo::URL->new('http://acme.s3.amazonaws.com'
. '/mojo%2Fg%2B%2B-4%2E2_4%2E2%2E3-2ubuntu7_i386%2Edeb');
-is $url->is_abs, 1, 'is absolute';
-is $url->scheme, 'http', 'right scheme';
-is $url->userinfo, undef, 'no userinfo';
-is $url->host, 'acme.s3.amazonaws.com', 'right host';
-is $url->port, undef, 'no port';
-is $url->path, '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path';
+is $url->is_abs, 1, 'is absolute';
+is $url->scheme, 'http', 'right scheme';
+is $url->userinfo, undef, 'no userinfo';
+is $url->host, 'acme.s3.amazonaws.com', 'right host';
+is $url->port, undef, 'no port';
+is $url->path, '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path';
ok !$url->query->to_string, 'no query';
is_deeply $url->query->to_hash, {}, 'right structure';
is $url->fragment, undef, 'no fragment';
is "$url",
- 'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
+ 'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
'right format';
# Clone (advanced)
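Review bot: The new expected values for `$url->path` and `"$url"` pin that an encoded `%2F` inside a path is decoded on parse and written back as `/`, so the URL no longer round-trips. That looks like an intended consequence of unescaping before the split, but where `%2F` is part of an object key the re-serialized URL presumably names a different resource. A comment above these assertions such as `# %2F is decoded to "/" on parse; the original encoding is not preserved` would record that the change is deliberate.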