Commits on Apr 2, 2014
  1. @doy
Commits on Feb 7, 2014
  1. @miyagawa

    Merge pull request #446 from avar/avar/fix-issue-405

    miyagawa authored
    Plack::App::File: Fix a security issue by not pruning trailing slashes
  2. @avar

    Plack::App::File: Fix a security issue by not pruning trailing slashes

    avar authored
    Before this Plack::App::File would prune trailing slashes via its split
    invocation. I.e. it would think this:
    
        $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt
        $VAR1 = [
                  'a',
                  'file.txt'
                ];
    
    Was the same as:
    
        $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt///
        $VAR1 = [
                  'a',
                  'file.txt'
                ];
    
    This can turn into a nasty code exposure issue if you e.g. have an app
    that basically does this:
    
        1. I'd do a regex /.txt.pl\z/ on a file to see if it was a text file
        2. If so, do magic to generate text file via perl
        3. Else it's not a /.txt.pl\z/ file, so it must be some other static
           file with a different extension
        4. Serve it up with Plack::Middleware::Static
    
    This is also not how other webservers or Unix utilities work:
    
        $ touch /tmp/foo.txt
        $ file /tmp/foo.txt
        /tmp/foo.txt: empty
        $ file /tmp/foo.txt/
        /tmp/foo.txt/: ERROR: cannot open `/tmp/foo.txt/' (Not a directory)
    
    This resolves issue #405 that I filed around 9 months ago. I was
    previously working around it in my own code by doing:
    
        {
            # Let's see if someone's trying to be evil by
            # requesting e.g. /index.html/ instead of
            # /index.html. We don't want to fall through
            # and just serve up the raw content.
            my $plack_app_file = Plack::App::File->new({ root => PLACK_WEBSERVER_DOCUMENT_ROOT() });
            my ($file) = $plack_app_file->locate_file($env);
            if (
                # We'll get a reference if it's a full
                # Plack response. I.e. a 404 or whatever.
                ref $file ne 'ARRAY'
                and
                # WTF once we canonicalize the file and it
                # looks like a Mason handled path let's
                # not accept it, because we don't want to
                # serve up the raw unprocessed Mason page
                # via this hack.
                $file =~ $mason_handles_this_path_rx
            ) {
                TELL "Middleware::Static: Path <$path> request, doesn't match <$mason_handles_this_path_rx>, but actually resolves to it via resolved file <$file>" if DEBUG;
                # Tells our app to just serve up a
                # 400. Apache would do a 404 but I think
                # these requests are bad, so say so.
                $env->{$magic_marker_to_return_400} = 1;
                return;
            }
        }
Commits on Jan 31, 2014
  1. @miyagawa

    Merge pull request #445 from kazeburo/master

    miyagawa authored
    parse query_string like "?foo+bar" into { "foo bar" => "" }
  2. @kazeburo

    encode path?foo+bar as { "foo bar" => "" }. not { "foo" => "", "bar" => "" }

    kazeburo authored
    
    Mojo::Parameter, ruby's Rack, python's WebOb and node.js parse query_string in this way
Commits on Jan 24, 2014
  1. @haarg
Commits on Jan 16, 2014
  1. @miyagawa

    Merge pull request #442 from dex4er/porting/no_locale

    miyagawa authored
    POSIX::setlocale fails on system without locales (Android)
  2. @dex4er
Commits on Jan 11, 2014
  1. @dex4er
Commits on Jan 6, 2014
  1. @doy
Commits on Dec 3, 2013
  1. @miyagawa

    cleanup

    miyagawa authored
  2. @miyagawa

    Merge pull request #437 from wchristian/http-msg-invalid-response

    miyagawa authored
    make HTTP::Message::PSGI complain loudly about invalid PSGI responses
Commits on Nov 23, 2013
  1. @miyagawa

    1.0030

    miyagawa authored
Commits on Nov 22, 2013
  1. @wchristian

    make HTTP::Message::PSGI complain loudly about invalid PSGI responses

    wchristian authored
    Without this, HTTP::Message::PSGI will silently suppress invalid responses,
    leading to confusing error messages from inside Plack::Test::MockHTTP.
Commits on Nov 20, 2013
  1. @miyagawa

    Make URLMap location match faster by pre-compiling the regexp

    miyagawa authored
    Simple app with 100 mount() calls, before: 0.8 msec -> after: 0.19 msec
  2. @miyagawa

    Document mount() performance

    miyagawa authored
Commits on Oct 22, 2013
  1. @miyagawa

    Merge pull request #433 from kazeburo/master

    miyagawa authored
    Optimize Plack::Response->finalize
  2. @kazeburo
Commits on Oct 18, 2013
  1. @miyagawa

    Merge pull request #432 from mauzo/mauzo/keep-stderr

    miyagawa authored
    Restore --keep-stderr for Handler::FCGI.
Commits on Oct 17, 2013
  1. @mauzo

    Restore --keep-stderr for Handler::FCGI.

    mauzo authored
    Commit cafa5db broke --keep-stderr for Handler::FCGI: psgi.errors ended
    up being set to an unopened filehandle, so errors disappeared into
    nowhere.
    
    The call to FCGI::Request was always wrong: that function behaves like
    'open' in that it points the passed-in filehandles at the FCGI streams,
    so it never makes sense to pass the same filehandle twice. If it had
    done anything it would have copied the response to the error log; in
    fact it did nothing.
    
    Also change the documentation to reflect reality: --keep-stderr has
    always sent psgi.errors to STDERR, not STDOUT.
Commits on Sep 23, 2013
  1. @miyagawa

    Merge pull request #429 from plack/server-encode-utf8

    miyagawa authored
    Encode strings as UTF-8 when it has wide characters
  2. @miyagawa

    Merge pull request #431 from wchristian/win32_harakiri_hang_fix

    miyagawa authored
    prevent the harakiri test from taking 3 minutes on win32
  3. @wchristian
Commits on Sep 9, 2013
  1. @miyagawa

    Merge pull request #430 from kazeburo/master

    miyagawa authored
    PM::ErrorDocument: removing Content-Encoding and Transfer-Encoding.
  2. @kazeburo
Commits on Sep 8, 2013
  1. @miyagawa
Commits on Sep 5, 2013
  1. @miyagawa

    Merge pull request #427 from oalders/master

    miyagawa authored
    Plack::Middleware::LogDispatch now stringifies objects.
  2. @oalders

    Plack::Middleware::LogDispatch now stringifies objects.

    oalders authored
    This is something I poached from @autarch.  If you're passing (for
    instance) a Throwable exception to Log::Dispatch it will *not* stringify
    the exception for you.  This patch handles this case and also adds a
    test to make sure that code refs are not stringified, since
    Log::Dispatch does accept those as valid messages.
Commits on Aug 27, 2013
  1. @miyagawa
Commits on Aug 26, 2013
  1. @miyagawa

    add

    miyagawa authored
Commits on Aug 22, 2013
  1. @miyagawa

    1.0029

    miyagawa authored
  2. @miyagawa
  3. @miyagawa
  4. @miyagawa
Commits on Aug 20, 2013
  1. @miyagawa

    Merge pull request #424 from nichtich/patch-1

    miyagawa authored
    fixed typo