
This queue is for tickets about the POE-Component-Server-HTTPServer CPAN distribution.

Report information
The Basics
Id: 12879
Status: resolved
Priority: 0/
Queue: POE-Component-Server-HTTPServer

People
Owner: Nobody in particular
Requestors: bfaist [...] oneil.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.9.1
Fixed in: (no value)



Subject: StaticHandler gives "dangerous path error"
POE::Component::Server::HTTPServer::StaticHandler.pm

Windows XP
perl 5.8.3

Using this simple web page, the first image is not rendered but the others are rendered OK.

<html>
<head>
</head>
<body>
<img src="/art/fmtv10/04/qd04t07.wmf">
<img src="/ems_wd01/icons/xplode.bmp">
<img src="/ems_wd01/icons/qd04t07.wmf">
</body>
</html>

This seems to be related to the fact there is a subdirectory with a length of 2 characters. In the example above, the first link has an image file in the "04" directory.

I am confused by the reason for the if statement on lines 39 to 42 in StaticHandler.pm. If this code is commented out, the file is rendered OK.

if ( $cpath =~ m[(^|/)..(/|$)] ) {
    warn "Will not serve dangerous path '$cpath'\n"; # should keep silent here
    return H_CONT;
}

[guest - Thu May 19 09:07:34 2005]: This bug has been fixed as version 0.9.2. Thanks Greg.
> POE::Component::Server::HTTPServer::StaticHandler.pm
>
> Windows XP
> perl 5.8.3
>
> Using this simple web page, the first image is not rendered but the
> others are rendered OK.
>
> <html>
> <head>
> </head>
> <body>
> <img src="/art/fmtv10/04/qd04t07.wmf">
> <img src="/ems_wd01/icons/xplode.bmp">
> <img src="/ems_wd01/icons/qd04t07.wmf">
> </body>
> </html>
>
> This seems to be related to the fact there is a subdirectory with a length
> of 2 characters. In the example above, the first link has an image
> file in the "04" directory.
>
> I am confused by the reason for the if statement on lines 39 to 42 in
> StaticHandler.pm. If this code is commented out, the file is rendered
> OK.
>
> if ( $cpath =~ m[(^|/)..(/|$)] ) {
>     warn "Will not serve dangerous path '$cpath'\n"; # should keep silent here
>     return H_CONT;
> }
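
The dots in the pattern quoted in the report are unescaped, and an unescaped dot in a regex matches any character, so `(^|/)..(/|$)` flags every two-character path segment such as `04`. The Perl script below is an added example, not code from the distribution and not the 0.9.2 change (which this page does not show); the function names, the escaped pattern, the segment-wise check and the last two sample paths are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Check as quoted in the ticket: the unescaped dots match ANY two characters,
# so a two-character directory name such as "04" is treated as dangerous.
sub flagged_unescaped {
    my ($cpath) = @_;
    return $cpath =~ m[(^|/)..(/|$)] ? 1 : 0;
}

# Assumed correction: escaped dots match only a literal ".." path segment.
sub flagged_escaped {
    my ($cpath) = @_;
    return $cpath =~ m[(^|/)\.\.(/|$)] ? 1 : 0;
}

# Segment-wise variant (hypothetical helper): split on "/" and "\" so a
# backslash-separated ".." is also rejected on a Windows host like the
# one in the report.
sub flagged_segments {
    my ($cpath) = @_;
    return (grep { $_ eq '..' } split m{[/\\]}, $cpath) ? 1 : 0;
}

# The first three paths come from the ticket; the last two are constructed.
my @paths = (
    '/art/fmtv10/04/qd04t07.wmf',
    '/ems_wd01/icons/xplode.bmp',
    '/ems_wd01/icons/qd04t07.wmf',
    '/icons/../secret.txt',
    '/icons/..\secret.txt',
);

# One row per path: 1 means the check would refuse to serve it.
for my $p (@paths) {
    printf "%-30s unescaped=%d escaped=%d segments=%d\n",
        $p, flagged_unescaped($p), flagged_escaped($p), flagged_segments($p);
}
```

Only the unescaped check refuses the legitimate `/art/fmtv10/04/` path, and only the segment-wise check refuses the backslash-separated sample.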