More fixes for the directory traversal

jhannah · Dec 10, 2010 · ffd71d0 · ffd71d0
1 parent 4448aef
commit ffd71d0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/lib/Plack/App/File.pm b/lib/Plack/App/File.pm
@@ -41,6 +41,10 @@ sub locate_file {
 
     my $path = $env->{PATH_INFO} || '';
 
+    if ($path =~ /\0/) {
+        return $self->return_400;
+    }
+
     my $docroot = $self->root || ".";
     my @path = split '/', $path;
     if (@path) {
@@ -110,6 +114,11 @@ sub return_403 {
     return [403, ['Content-Type' => 'text/plain', 'Content-Length' => 9], ['forbidden']];
 }
 
+sub return_400 {
+    my $self = shift;
+    return [400, ['Content-Type' => 'text/plain', 'Content-Length' => 11], ['Bad Request']];
+}
+
 # Hint: subclasses can override this to return undef to pass through 404
 sub return_404 {
     my $self = shift;

diff --git a/t/Plack-Middleware/directory.t b/t/Plack-Middleware/directory.t
@@ -21,6 +21,9 @@ my %test = (
         $res = $cb->(GET "/..");
         is $res->code, 403;
 
+        $res = $cb->(GET "/..%00foo");
+        is $res->code, 400;
+
         $res = $cb->(GET "/stuff../Hello.txt");
         is $res->code, 200;
         is $res->content, "Hello\n";