Commits on Apr 2, 2014
Commits on Feb 7, 2014
  1. Merge pull request #446 from avar/avar/fix-issue-405

    miyagawa committed Feb 7, 2014
    Plack::App::File: Fix a security issue by not pruning trailing slashes
  2. Plack::App::File: Fix a security issue by not pruning trailing slashes

    avar committed Feb 7, 2014
    Before this Plack::App::File would prune trailing slashes via its split
    invocation. I.e. it would think this:
    
        $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt
        $VAR1 = [
                  'a',
                  'file.txt'
                ];
    
    Was the same as:
    
        $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt///
        $VAR1 = [
                  'a',
                  'file.txt'
                ];
    
    This can turn into a nasty code exposure issue if you e.g. have an app
    that basically does this:
    
        1. I'd do a regex /.txt.pl\z/ on a file to see if it was a text file
        2. If so, do magic to generate text file via perl
        3. Else it's not a /.txt.pl\z/ file, so it must be some other static
           file with a different extension
        4. Serve it up with Plack::Middleware::Static
    
    This is also not how other webservers or Unix utilities work:
    
        $ touch /tmp/foo.txt
        $ file /tmp/foo.txt
        /tmp/foo.txt: empty
        $ file /tmp/foo.txt/
        /tmp/foo.txt/: ERROR: cannot open `/tmp/foo.txt/' (Not a directory)
    
    This resolves issue #405 that I filed around 9 months ago. I was
    previously working around it in my own code by doing:
    
        {
            # Let's see if someone's trying to be evil by
            # requesting e.g. /index.html/ instead of
            # /index.html. We don't want to fall through
            # and just serve up the raw content.
            my $plack_app_file = Plack::App::File->new({ root => PLACK_WEBSERVER_DOCUMENT_ROOT() });
            my ($file) = $plack_app_file->locate_file($env);
            if (
                # We'll get a reference if it's a full
                # Plack response. I.e. a 404 or whatever.
                ref $file ne 'ARRAY'
                and
                # WTF once we canonicalize the file and it
                # looks like a Mason handled path let's
                # not accept it, because we don't want to
                # serve up the raw unprocessed Mason page
                # via this hack.
                $file =~ $mason_handles_this_path_rx
            ) {
                TELL "Middleware::Static: Path <$path> request, doesn't match <$mason_handles_this_path_rx>, but actually resolves to it via resolved file <$file>" if DEBUG;
                # Tells our app to just serve up a
                # 400. Apache would do a 404 but I think
                # these requests are bad, so say so.
                $env->{$magic_marker_to_return_400} = 1;
                return;
            }
        }
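    The behaviour described in the commit message above, as an added example that is not Plack's own code or the project's actual fix: `split_path` mimics the slash-splitting that dropped trailing slashes (so `/a/file.txt///` resolved like `/a/file.txt`), and `safe_segments` is one defensive pre-check in the spirit of the author's workaround, refusing any request path with a trailing slash or an empty segment before a static handler ever looks at the filesystem. Both function names and the sample paths are assumptions made for this illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Added example, not Plack code: contrasts the lossy split-based path
# handling with a check that rejects ambiguous paths outright.

# Mimics the pre-fix behaviour: Perl's split discards trailing empty
# fields, so "/a/file.txt///" and "/a/file.txt" yield the same segments.
sub split_path {
    my ($path) = @_;
    return [ grep { length } split /[\\\/]/, $path ];
}

# Defensive variant: a trailing slash or an empty segment means the
# request does not name a plain file unambiguously, so refuse it
# (returns undef) instead of letting it alias "/index.html".
sub safe_segments {
    my ($path) = @_;
    return undef if $path =~ m{/\z};            # trailing slash: reject
    my @segs = split m{/}, $path, -1;           # -1 keeps empty fields
    shift @segs if @segs && $segs[0] eq '';     # leading "/" gives one empty field
    return undef if grep { $_ eq '' } @segs;    # "//" inside the path: reject
    return \@segs;
}

# Constructed sample request paths.
for my $p ('/a/file.txt', '/a/file.txt///', '/a//file.txt') {
    my $old = join '/', @{ split_path($p) };
    my $new = safe_segments($p);
    printf "%-16s split-based=%-12s checked=%s\n",
        $p, $old, defined $new ? join('/', @$new) : 'REJECT';
}
```

    Running it shows the first two paths collapsing to the same `a/file.txt` under the split-based approach, while the checked variant accepts only the canonical form; a handler that serves raw files for anything not matching its "dynamic" regex (step 3 in the list above) is exactly what that collapse would have bypassed.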
Commits on Jan 31, 2014
  1. Merge pull request #445 from kazeburo/master

    miyagawa committed Jan 31, 2014
    parse query_string like "?foo+bar" into { "foo bar" => "" }
  2. encode path?foo+bar as { "foo bar" => "" }. not { "foo" => "", "bar" …

    kazeburo committed Jan 31, 2014
    …=> "" }
    
    Mojo::Parameter, ruby's Rack, python's WebOb and node.js parse query_string in this way
Commits on Jan 24, 2014
Commits on Jan 16, 2014
  1. Merge pull request #442 from dex4er/porting/no_locale

    miyagawa committed Jan 16, 2014
    POSIX::setlocale fails on system without locales (Android)
Commits on Jan 11, 2014
Commits on Jan 6, 2014
Commits on Dec 3, 2013
  1. cleanup

    miyagawa committed Dec 3, 2013
  2. Merge pull request #437 from wchristian/http-msg-invalid-response

    miyagawa committed Dec 3, 2013
    make HTTP::Message::PSGI complain loudly about invalid PSGI responses
Commits on Nov 23, 2013
  1. 1.0030

    miyagawa committed Nov 23, 2013
Commits on Nov 22, 2013
  1. make HTTP::Message::PSGI complain loudly about invalid PSGI responses

    wchristian committed Nov 22, 2013
    Without this, HTTP::Message::PSGI will silently suppress invalid responses,
    leading to confusing error messages from inside Plack::Test::MockHTTP.
Commits on Nov 20, 2013
  1. Make URLMap location match faster by pre-compiling the regexp

    miyagawa committed Nov 20, 2013
    Simple app with 100 mount() calls, before: 0.8 msec -> after: 0.19 msec
  2. Document mount() performance

    miyagawa committed Nov 20, 2013
Commits on Oct 22, 2013
  1. Merge pull request #433 from kazeburo/master

    miyagawa committed Oct 22, 2013
    Optimize Plack::Response->finalize
Commits on Oct 18, 2013
  1. Merge pull request #432 from mauzo/mauzo/keep-stderr

    miyagawa committed Oct 18, 2013
    Restore --keep-stderr for Handler::FCGI.
Commits on Oct 17, 2013
  1. Restore --keep-stderr for Handler::FCGI.

    mauzo committed Oct 17, 2013
    Commit cafa5db broke --keep-stderr for Handler::FCGI: psgi.errors ended
    up being set to an unopened filehandle, so errors disappeared into
    nowhere.
    
    The call to FCGI::Request was always wrong: that function behaves like
    'open' in that it points the passed-in filehandles at the FCGI streams,
    so it never makes sense to pass the same filehandle twice. If it had
    done anything it would have copied the response to the error log; in
    fact it did nothing.
    
    Also change the documentation to reflect reality: --keep-stderr has
    always sent psgi.errors to STDERR, not STDOUT.
Commits on Sep 23, 2013
  1. Merge pull request #429 from plack/server-encode-utf8

    miyagawa committed Sep 23, 2013
    Encode strings as UTF-8 when they have wide characters
  2. Merge pull request #431 from wchristian/win32_harakiri_hang_fix

    miyagawa committed Sep 23, 2013
    prevent the harakiri test from taking 3 minutes on win32
Commits on Sep 9, 2013
  1. Merge pull request #430 from kazeburo/master

    miyagawa committed Sep 9, 2013
    PM::ErrorDocument: removing Content-Encoding and Transfer-Encoding.
Commits on Sep 8, 2013
Commits on Sep 5, 2013
  1. Merge pull request #427 from oalders/master

    miyagawa committed Sep 5, 2013
    Plack::Middleware::LogDispatch now stringifies objects.
  2. Plack::Middleware::LogDispatch now stringifies objects.

    oalders committed Sep 5, 2013
    This is something I poached from @autarch.  If you're passing (for
    instance) a Throwable exception to Log::Dispatch it will *not* stringify
    the exception for you.  This patch handles this case and also adds a
    test to make sure that code refs are not stringified, since
    Log::Dispatch does accept those as valid messages.
Commits on Aug 27, 2013
Commits on Aug 26, 2013
  1. add

    miyagawa committed Aug 26, 2013
Commits on Aug 22, 2013
  1. 1.0029

    miyagawa committed Aug 22, 2013
Commits on Aug 20, 2013
  1. Merge pull request #424 from nichtich/patch-1

    miyagawa committed Aug 20, 2013
    fixed typo