Commits on Feb 7, 2014
  1. Plack::App::File: Fix a security issue by not pruning trailing slashes

    avar committed Feb 7, 2014
    Before this, Plack::App::File would prune trailing slashes via its split
    invocation. I.e. it would think this:
    
        $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt
        $VAR1 = [
                  'a',
                  'file.txt'
                ];
    
    Was the same as:
    
        $ perl -MData::Dumper -wle 'print Dumper [split /[\\\/]/, shift]' a/file.txt///
        $VAR1 = [
                  'a',
                  'file.txt'
                ];
    
    This can turn into a nasty code exposure issue if you e.g. have an app
    that basically does this:
    
        1. I'd do a regex /.txt.pl\z/ on a file to see if it was a text file
        2. If so, do magic to generate text file via perl
        3. Else it's not a /.txt.pl\z/ file, so it must be some other static
           file with a different extension
        4. Serve it up with Plack::Middleware::Static
    
    This is also not how other webservers or Unix utilities work:
    
        $ touch /tmp/foo.txt
        $ file /tmp/foo.txt
        /tmp/foo.txt: empty
        $ file /tmp/foo.txt/
        /tmp/foo.txt/: ERROR: cannot open `/tmp/foo.txt/' (Not a directory)
    
    This resolves issue #405 that I filed around 9 months ago. I was
    previously working around it in my own code by doing:
    
        {
            # Let's see if someone's trying to be evil by
            # requesting e.g. /index.html/ instead of
            # /index.html. We don't want to fall through
            # and just serve up the raw content.
            my $plack_app_file = Plack::App::File->new({ root => PLACK_WEBSERVER_DOCUMENT_ROOT() });
            my ($file) = $plack_app_file->locate_file($env);
            if (
                # We'll get a reference if it's a full
                # Plack response. I.e. a 404 or whatever.
                ref $file ne 'ARRAY'
                and
                # WTF once we canonicalize the file and it
                # looks like a Mason handled path let's
                # not accept it, because we don't want to
                # serve up the raw unprocessed Mason page
                # via this hack.
                $file =~ $mason_handles_this_path_rx
            ) {
                TELL "Middleware::Static: Path <$path> request, doesn't match <$mason_handles_this_path_rx>, but actually resolves to it via resolved file <$file>" if DEBUG;
                # Tells our app to just serve up a
                # 400. Apache would do a 404 but I think
                # these requests are bad, so say so.
                $env->{$magic_marker_to_return_400} = 1;
                return;
            }
        }
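The two behaviours described in this commit message, side by side, as an added example (not Plack::App::File's own code): `naive_segments` shows Perl's `split` silently discarding the trailing empty fields, and `locate_strict` is a hypothetical lookup that, like file(1), refuses to treat a request ending in a slash as a regular file instead of falling through to serving it. The demo tree, the helper names and the minimal `..` guard are assumptions for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Pre-fix style: split on slashes. Perl's split drops trailing empty
# fields, so "a/file.txt///" yields exactly the same segments as "a/file.txt".
sub naive_segments {
    my ($path) = @_;
    return split /[\\\/]/, $path;
}

# Hardened lookup (example only): resolve the request under $root, but
# refuse to serve a regular file when the request path ended with a slash.
sub locate_strict {
    my ($root, $path) = @_;
    my @segments = grep { length } split /[\\\/]/, $path;

    # Minimal traversal guard so the lookup stays under $root (assumption:
    # a real app would rely on its framework's own check).
    return [ 403, 'forbidden' ] if grep { $_ eq '..' } @segments;

    my $file = File::Spec->catfile($root, @segments);
    return [ 404, 'not found' ] unless -e $file;

    if ($path =~ m{[\\/]\z} && !-d $file) {
        # "/index.html/" resolved to a plain file: answer 400 rather than
        # falling through and serving the raw content.
        return [ 400, 'not a directory' ];
    }
    return [ 403, 'directory' ] if -d $file;
    return [ 200, $file ];
}

# Constructed demo tree: $root/a/file.txt (regular file), $root/a/sub (directory).
my $root = tempdir( CLEANUP => 1 );
mkdir "$root/a"     or die "mkdir: $!";
mkdir "$root/a/sub" or die "mkdir: $!";
open my $fh, '>', "$root/a/file.txt" or die "open: $!";
print {$fh} "hello\n";
close $fh;

for my $req ( 'a/file.txt', 'a/file.txt///', 'a/sub/', 'a/missing' ) {
    my @segs = naive_segments($req);
    my ( $code, $what ) = @{ locate_strict( $root, $req ) };
    printf "%-16s naive=[%s]  strict=%d %s\n",
        $req, join( '|', @segs ), $code, $what;
}
```

Running it shows `a/file.txt` and `a/file.txt///` producing identical naive segment lists while the strict lookup returns 200 for the first and 400 for the second, which is the distinction the extension-based dispatch in the commit message depends on.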
Commits on Feb 19, 2013
  1. Plack::Request: minor alignment change in return() from content()

    avar committed Feb 19, 2013
    Doesn't change any semantics, just changes the alignment of the two
    "return" arguments to be the same.
Commits on Sep 27, 2012
  1. Plack::Handler::Apache[12]: delete $ENV{MOD_PERL}, don't just localize it

    avar committed Sep 27, 2012
    
    Some software such as CGI::Cookie does "exists $ENV{MOD_PERL}" to
    check if it's running under mod_perl instead of just checking whether
    $ENV{MOD_PERL} is true.
    
    So that code that does this doesn't assume it's running under Apache,
    locally delete $ENV{MOD_PERL} instead of just setting its value to
    undef.
    
    Note that we're not doing "delete local $ENV{MOD_PERL}" because that
    construct was introduced in 5.12; also note why we're doing it this
    way in the code:
    http://perldoc.perl.org/5.12.0/perldelta.html#delete-local
    
    So before we'd have:
    
        $ perl -MData::Dumper -wle 'our %hash = qw(MOD_PERL yes foo bar); { local $hash{MOD_PERL}; print Dumper \%hash; } print Dumper \%hash'
        $VAR1 = {
                  'foo' => 'bar',
                  'MOD_PERL' => undef
                };
        $VAR1 = {
                  'foo' => 'bar',
                  'MOD_PERL' => 'yes'
                };
    
    And now we have:
    
        $ perl -MData::Dumper -wle 'our %hash = qw(MOD_PERL yes foo bar); { local $hash{MOD_PERL}; delete $hash{MOD_PERL}; print Dumper \%hash; } print Dumper \%hash'
        $VAR1 = {
                  'foo' => 'bar'
                };
        $VAR1 = {
                  'foo' => 'bar',
                  'MOD_PERL' => 'yes'
                };
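The same distinction inside a scoped wrapper, as an added example rather than the handler's own code: `thinks_it_is_mod_perl` stands in for the CGI::Cookie-style `exists $ENV{MOD_PERL}` check, and the two `run_with_*` helpers compare `local` alone against `local` followed by `delete`. The function names and the environment value are constructed for the demo.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Stand-in for the CGI::Cookie-style check: it tests that the key exists,
# not that its value is true.
sub thinks_it_is_mod_perl { return exists $ENV{MOD_PERL} ? 1 : 0 }

# Before: local alone keeps the key in %ENV, merely with an undef value,
# so an exists() check still fires while $code runs.
sub run_with_local_only {
    my ($code) = @_;
    local $ENV{MOD_PERL};
    return $code->();
}

# After: local first so the original value comes back on scope exit, then
# delete so the key is really absent while $code runs. "delete local"
# would do both in one step but needs perl 5.12.
sub run_with_local_and_delete {
    my ($code) = @_;
    local $ENV{MOD_PERL};
    delete $ENV{MOD_PERL};
    return $code->();
}

$ENV{MOD_PERL} = 'mod_perl/2.0';    # constructed: pretend we run under Apache

printf "local only:       detected=%d\n", run_with_local_only(\&thinks_it_is_mod_perl);
printf "local + delete:   detected=%d\n", run_with_local_and_delete(\&thinks_it_is_mod_perl);
printf "after both calls: MOD_PERL=%s\n", $ENV{MOD_PERL};
```

The first call reports the key as detected, the second does not, and the final line shows that `local` restored the original value after both wrappers returned.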
Commits on Sep 21, 2012
  1. t/Plack-Request/cookie.t: add documentation to some of the trickier tests

    avar committed Sep 21, 2012
    
    Change the t/Plack-Request/cookie.t tests to use three-arg is() for
    the undef tests and the multi-cookie test.
Commits on Sep 11, 2012
  1. Plack::TempBuffer: pre-load Plack::TempBuffer::* modules

    avar committed Sep 11, 2012
    Change the Plack::TempBuffer module so that we pre-load the ::PerlIO,
    ::File and ::Auto modules. These modules are really small, and by
    use-ing them here we'll have them pre-loaded in pre-forking
    webservers.