Merge pull request #446 from avar/avar/fix-issue-405

Plack::App::File: Fix a security issue by not pruning trailing slashes

Changes

@@ -1,6 +1,17 @@
 Go to http://github.com/plack/Plack/issues for the roadmap and known issues.
 
 {{$NEXT}}
+    [SECURITY]
+        - Plack::App::File would previously strip trailing slashes off
+          provided paths.
+
+          This in combination with the common pattern of dynamically
+          generating some files in a tree and serving the rest up with
+          Plack::Middleware::Static could allow an attacker to bypass
+          a whitelist of generated files by just requesting
+          /file.disallowed/ instead of /file.disallowed, provided that
+          Plack::Middleware::Static was used for all paths except
+          those matching /\.disallowed$/
 
 1.0030  2013-11-23 08:54:01 CET
     [IMPROVEMENTS]

lib/Plack/App/File.pm

@@ -44,7 +44,7 @@ sub locate_file {
     }
 
     my $docroot = $self->root || ".";
-    my @path = split /[\\\/]/, $path;
+    my @path = split /[\\\/]/, $path, -1; # -1 *MUST* be here to avoid security issues!
     if (@path) {
         shift @path if $path[0] eq '';
     } else {

t/Plack-Middleware/file.t

@@ -3,6 +3,7 @@ use Plack::Test;
 use Test::More;
 use HTTP::Request::Common;
 use Plack::App::File;
+use FindBin qw($Bin);
 
 my $app = Plack::App::File->new(file => 'Changes');
 
@@ -35,6 +36,24 @@ test_psgi $app_content_type, sub {
     is $res->code, 200;
 };
 
+my $app_secure = Plack::App::File->new(root => $Bin);
 
+test_psgi $app_secure, sub {
+    my $cb = shift;
+
+    my $res = $cb->(GET "/file.t");
+    is $res->code, 200;
+    like $res->content, qr/We will find for this literal string/;
+
+    my $res = $cb->(GET "/../Plack-Middleware/file.t");
+    is $res->code, 403;
+    is $res->content, 'forbidden';
+
+    for my $i (1..100) {
+        $res = $cb->(GET "/file.t" . ("/" x $i));
+        is $res->code, 404;
+        is $res->content, 'not found';
+    }
+};
 
 done_testing;