[Bug 1128978] New: perl-Plack: trailing slashes removed leading to source code disclosure
bugzilla at redhat.com
bugzilla at redhat.com
Tue Aug 12 02:43:39 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=1128978
Bug ID: 1128978
Summary: perl-Plack: trailing slashes removed leading to source
code disclosure
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team at redhat.com
Reporter: mmcallis at redhat.com
CC: jose.p.oliveira.oss at gmail.com,
perl-devel at lists.fedoraproject.org,
rc040203 at freenet.de
Plack 1.0031 fixes the following security issue:
- Plack::App::File would previously strip trailing slashes off
provided paths. This in combination with the common pattern
of serving files with Plack::Middleware::Static could allow
an attacker to bypass a whitelist of generated files (avar) #446
Upstream fix:
https://github.com/avar/Plack/commit/bc1731dbb53850c380875ad683cd87c8ec99eee3
References:
https://github.com/plack/Plack/issues/405
http://seclists.org/oss-sec/2014/q3/345
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=3o7im6lCPi&a=cc_unsubscribe
More information about the perl-devel
mailing list