[perl-Mojolicious/f13/master] Security bugfix attempt.
Yanko Kaneti
yaneti at fedoraproject.org
Sun Apr 17 09:32:39 UTC 2011
commit d445f342367e9bb7e8eb04f388d4ac607d93aa5b
Author: Yanko Kaneti <yaneti at declera.com>
Date: Sun Apr 17 12:32:45 2011 +0300
Security bugfix attempt.
perl-Mojolicious-security-bug697230.patch | 47 +++++++++++++++++++++++++++++
perl-Mojolicious.spec | 7 ++++-
2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/perl-Mojolicious-security-bug697230.patch b/perl-Mojolicious-security-bug697230.patch
new file mode 100644
index 0000000..05f622d
--- /dev/null
+++ b/perl-Mojolicious-security-bug697230.patch
@@ -0,0 +1,47 @@
+diff -ur Mojolicious-0.999925/lib/Mojo/Path.pm Mojolicious-0.999925.path/lib/Mojo/Path.pm
+--- Mojolicious-0.999925/lib/Mojo/Path.pm 2010-04-24 02:00:52.000000000 +0300
++++ Mojolicious-0.999925.path/lib/Mojo/Path.pm 2011-04-17 12:29:48.846565679 +0300
+@@ -85,6 +85,9 @@
+ $self->leading_slash(1) if $path =~ /^\//;
+ $self->trailing_slash(1) if $path =~ /\/$/;
+
++ # Unescape
++ $path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;
++
+ # Parse
+ my @parts;
+ for my $part (split '/', $path) {
+Only in Mojolicious-0.999925.path/lib/Mojo: Path.pm.orig
+diff -ur Mojolicious-0.999925/t/mojo/url.t Mojolicious-0.999925.path/t/mojo/url.t
+--- Mojolicious-0.999925/t/mojo/url.t 2010-05-23 22:32:10.000000000 +0300
++++ Mojolicious-0.999925.path/t/mojo/url.t 2011-04-17 12:29:48.847565679 +0300
+@@ -121,12 +121,12 @@
+ is($url->userinfo, undef, 'no userinfo');
+ is($url->host, 'acme.s3.amazonaws.com', 'right host');
+ is($url->port, undef, 'no port');
+-is($url->path, '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
++is($url->path, '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
+ ok(!$url->query, 'no query');
+ is_deeply($url->query->to_hash, {}, 'right structure');
+ is($url->fragment, undef, 'no fragment');
+ is("$url",
+- 'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
++ 'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
+ 'right format');
+
+ # Clone (advanced)
+Only in Mojolicious-0.999925.path/t/mojo: url.t.orig
+diff -ur Mojolicious-0.999925/t/mojox/routes/routes.t Mojolicious-0.999925.path/t/mojox/routes/routes.t
+--- Mojolicious-0.999925/t/mojox/routes/routes.t 2010-05-25 13:29:01.000000000 +0300
++++ Mojolicious-0.999925.path/t/mojox/routes/routes.t 2011-04-17 12:30:26.285565676 +0300
+@@ -356,7 +356,7 @@
+ $m = MojoX::Routes::Match->new($tx)->match($r);
+ is($m->stack->[0]->{controller}, 'wild');
+ is($m->stack->[0]->{action}, 'card');
+-is($m->stack->[0]->{wildcard}, 'http://www.google.com');
++is($m->stack->[0]->{wildcard}, 'http:/www.google.com');
+ is($m->url_for, '/wildcards/1/http:/www.google.com');
+ is(@{$m->stack}, 1);
+
+Only in Mojolicious-0.999925.path/t/mojox/routes: routes.t.orig
+Only in Mojolicious-0.999925.path/t/mojox/routes: routes.t.rej
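Review bot: In the Path.pm hunk the new unescape runs after the `leading_slash` / `trailing_slash` checks, so those flags are still computed from the percent-encoded string while the `split '/'` below works on the decoded one; a path that starts or ends with `%2F` would be split as if it had a slash there without the flag being set. Moving `$path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;` above the `leading_slash` line would make both steps see the same string; the rest of the function is outside the hunk, so check that nothing later relies on the encoded form. The test hunks only adjust existing expectations (`%2F` now comes back as `/`, and the wildcard expectation changes from `http://www.google.com` to `http:/www.google.com`), which is a behaviour change for callers that carried an encoded slash as data. No test is added for the encoded input that bug 697230 is about, so a regression test for it would be worth adding. The `Only in … routes.t.rej` line suggests a hunk was rejected while the patched tree was prepared, so confirm the routes.t change was applied as intended.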
diff --git a/perl-Mojolicious.spec b/perl-Mojolicious.spec
index eccba94..82a81c1 100644
--- a/perl-Mojolicious.spec
+++ b/perl-Mojolicious.spec
@@ -1,11 +1,12 @@
Name: perl-Mojolicious
Version: 0.999925
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: A next generation web framework for Perl
License: Artistic 2.0
Group: Development/Libraries
URL: http://mojolicious.org/
Source0: http://www.cpan.org/authors/id/K/KR/KRAIH/Mojolicious-%{version}.tar.gz
+Patch0: perl-Mojolicious-security-bug697230.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: perl >= 0:5.008007
@@ -25,6 +26,7 @@ a new attempt at implementing this idea using state of the art technology.
%prep
%setup -q -n Mojolicious-%{version}
+%patch0 -p1 -b .bug697230
chmod -x lib/Mojo/CookieJar.pm
%build
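Review bot: `-b .bug697230` on the `%patch0` line leaves a backup copy of every patched file next to it, including the unpatched `lib/Mojo/Path.pm` as `lib/Mojo/Path.pm.bug697230`. Whether that copy ends up in the built package depends on the build and `%files` sections, which are outside this hunk, so this needs confirming. If it does, either drop the suffix (`%patch0 -p1`) or remove the backups before `%build` with `find . -name '*.bug697230' -delete`.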
@@ -59,6 +61,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man3/*
%changelog
+* Sun Apr 17 2011 Yanko Kaneti <yaneti at declera.com> 0.999925-3
+- Security bugfix attempt.
+
* Fri Jun 11 2010 Yanko Kaneti <yaneti at declera.com> 0.999925-2
- Initial import. Include examples as doc.