Skip Menu |

This queue is for tickets about the Catalyst-Plugin-Static-Simple CPAN distribution.

Report information
The Basics
Id: 120558
Status: resolved
Priority: 0/
Queue: Catalyst-Plugin-Static-Simple
People
Owner: Nobody in particular
Requestors: mohammed.chaudhry [...] census.gov
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Wed Mar 08 11:22:49 2017 mohammed.chaudhry [...] census.gov - Ticket created
Subject: Will inadvertantly serve any file if a directory in the path has a dot (.)
Date: Wed, 8 Mar 2017 16:21:32 +0000
To: "bug-Catalyst-Plugin-Static-Simple [...] rt.cpan.org" <bug-Catalyst-Plugin-Static-Simple [...] rt.cpan.org>
From: "Mohammed Chaudhry (CENSUS/ADSD FED)" <Mohammed.Chaudhry [...] census.gov>
The following code looks for a dot(.) in the path, but doesn't make sure it's an extension at the end of the path. So, if your path has say a dot directory, it ends up serving anything it. For instance, our security found out we were serving stuff like: /static/.svn/<every_file_in_here> # Does the path have an extension? if ( $path =~ /.*\.(\S{1,})$/xms ) { # and does it exist? $c->_locate_static_file( $path ); } We've been running Catalyst::Plugin::Static::Simple with the following patch for a few years now, and it solved the issue without any adverse affects. I just noticed it now because we updated our perl build and to a new Catalyst and noticed the bug was still there. --- Simple.pm.orig 2017-03-08 11:16:10.000000000 -0500 +++ Simple.pm 2017-03-08 11:12:52.000000000 -0500 @@ -64,7 +64,7 @@ } # Does the path have an extension? - if ( $path =~ /.*\.(\S{1,})$/xms ) { + if ( $path =~ /\.([^\/\\]+)$/m ) { # and does it exist? $c->_locate_static_file( $path ); } Thanks. -m
  Wed Mar 08 12:12:42 2017 abraxxa [...] cpan.org - Correspondence added
Thanks for the bug report! I wonder why the file has to have an extension at all to allow serving it? Note that the best practice is to let a webserver serve static files in production as Perl is way more resource intensive than nginx or apache. Shipping your (subversion) repository is the more severe issue in your case!
  Wed Mar 08 12:12:43 2017 The RT System itself - Status changed from 'new' to 'open'
  Wed Mar 08 12:23:26 2017 mohammed.chaudhry [...] census.gov - Correspondence added
Subject: Re: [rt.cpan.org #120558] AutoReply: Will inadvertantly serve any file if a directory in the path has a dot (.)
Date: Wed, 8 Mar 2017 17:22:06 +0000
To: "bug-Catalyst-Plugin-Static-Simple [...] rt.cpan.org" <bug-Catalyst-Plugin-Static-Simple [...] rt.cpan.org>
From: "Mohammed Chaudhry (CENSUS/ADSD FED)" <Mohammed.Chaudhry [...] census.gov>
Show quoted text
>> I wonder why the file has to have an extension at all to allow serving it?
That's what that bit of code is doing. That's what serve static file does. It detects static files by looking at the file extension in the URL. Show quoted text
>> Note that the best practice is to let a webserver serve static files in production as Perl is way more resource intensive than nginx or apache.
That's how it is setup in production for us. But, regardless of dev or prod deployment methods, the bug is report was to identify unanticipated behavior. Show quoted text
>> Shipping your (subversion) repository is the more severe issue in your case!
We don't. Again, that was a dev server example. Replace .svn with .anything Thanks. -m Show quoted text
________________________________ From: Bugs in Catalyst-Plugin-Static-Simple via RT <bug-Catalyst-Plugin-Static-Simple@rt.cpan.org> Sent: Wednesday, March 8, 2017 11:22 AM To: Mohammed Chaudhry (CENSUS/ADSD FED) Subject: [rt.cpan.org #120558] AutoReply: Will inadvertantly serve any file if a directory in the path has a dot (.) Greetings, This message has been automatically generated in response to the creation of a trouble ticket regarding: "Will inadvertantly serve any file if a directory in the path has a dot (.)", a summary of which appears below. There is no need to reply to this message right now. Your ticket has been assigned an ID of [rt.cpan.org #120558]. Your ticket is accessible on the web at: https://rt.cpan.org/Ticket/Display.html?id=120558 Please include the string: [rt.cpan.org #120558] in the subject line of all future correspondence about this issue. To do so, you may reply to this message. Thank you, bug-Catalyst-Plugin-Static-Simple@rt.cpan.org ------------------------------------------------------------------------- The following code looks for a dot(.) in the path, but doesn't make sure it's an extension at the end of the path. So, if your path has say a dot directory, it ends up serving anything it. For instance, our security found out we were serving stuff like: /static/.svn/<every_file_in_here> # Does the path have an extension? if ( $path =~ /.*\.(\S{1,})$/xms ) { # and does it exist? $c->_locate_static_file( $path ); } We've been running Catalyst::Plugin::Static::Simple with the following patch for a few years now, and it solved the issue without any adverse affects. I just noticed it now because we updated our perl build and to a new Catalyst and noticed the bug was still there. --- Simple.pm.orig 2017-03-08 11:16:10.000000000 -0500 +++ Simple.pm 2017-03-08 11:12:52.000000000 -0500 @@ -64,7 +64,7 @@ } # Does the path have an extension? - if ( $path =~ /.*\.(\S{1,})$/xms ) { + if ( $path =~ /\.([^\/\\]+)$/m ) { # and does it exist? $c->_locate_static_file( $path ); } Thanks. -m
  Wed Mar 08 14:16:17 2017 frioux [...] gmail.com - Correspondence added
On Wed Mar 08 11:22:49 2017, mohammed.chaudhry@census.gov wrote: Show quoted text
> The following code looks for a dot(.) in the path, but doesn't make > sure it's an extension at the end of the path. > > So, if your path has say a dot directory, it ends up serving anything > it. > > For instance, our security found out we were serving stuff like: > /static/.svn/<every_file_in_here> > > # Does the path have an extension? > if ( $path =~ /.*\.(\S{1,})$/xms ) { > # and does it exist? > $c->_locate_static_file( $path ); > } > > We've been running Catalyst::Plugin::Static::Simple with the following > patch for a few years now, and it solved the issue without any adverse > affects. > I just noticed it now because we updated our perl build and to a new > Catalyst and noticed the bug was still there. > > --- Simple.pm.orig 2017-03-08 11:16:10.000000000 -0500 > +++ Simple.pm 2017-03-08 11:12:52.000000000 -0500 > @@ -64,7 +64,7 @@ > } > > # Does the path have an extension? > - if ( $path =~ /.*\.(\S{1,})$/xms ) { > + if ( $path =~ /\.([^\/\\]+)$/m ) { > # and does it exist? > $c->_locate_static_file( $path ); > } > > Thanks. > -m
I'll release this fix later today unless someone else tells me not to for some reason. Thanks for the heads up.
  Wed Mar 08 14:22:12 2017 abraxxa [...] cpan.org - Correspondence added
+1 Thanks!
  Wed Aug 02 12:45:56 2017 frioux [...] gmail.com - Correspondence added
Fixed in next release
  Wed Aug 02 12:46:07 2017 frioux [...] gmail.com - Status changed from 'open' to 'resolved'