r72659 - in /branches/squeeze/libmojolicious-perl/debian: changelog patches/ patches/622952-path-traversal-vulnerability.patch patches/series
Sat Apr 16 08:22:17 UTC 2011
Author: carnil
Date: Sat Apr 16 08:19:53 2011
New Revision: 72659
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=72659
Log:
# TODO: FTBFS, tests in t/mojox/routes/routes.t
# # Failed test at t/mojox/routes/routes.t line 359.
# # got: 'http:/www.google.com'
# # expected: 'http://www.google.com'
# # Looks like you failed 1 test of 193.
# t/mojox/routes/routes.t .......................
# Dubious, test returned 1 (wstat 256, 0x100)
# Failed 1/193 subtests
* [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path
traversal security vulnerability (Closes: #622952).
Added:
branches/squeeze/libmojolicious-perl/debian/patches/
branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch
branches/squeeze/libmojolicious-perl/debian/patches/series
Modified:
branches/squeeze/libmojolicious-perl/debian/changelog
Modified: branches/squeeze/libmojolicious-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/changelog?rev=72659&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/changelog (original)
+++ branches/squeeze/libmojolicious-perl/debian/changelog Sat Apr 16 08:19:53 2011
@@ -1,3 +1,19 @@
+libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
+
+ # TODO: FTBFS, tests in t/mojox/routes/routes.t
+ # # Failed test at t/mojox/routes/routes.t line 359.
+ # # got: 'http:/www.google.com'
+ # # expected: 'http://www.google.com'
+ # # Looks like you failed 1 test of 193.
+ # t/mojox/routes/routes.t .......................
+ # Dubious, test returned 1 (wstat 256, 0x100)
+ # Failed 1/193 subtests
+
+ * [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path
+ traversal security vulnerability (Closes: #622952).
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 16 Apr 2011 09:44:17 +0200
+
libmojolicious-perl (0.999926-1) unstable; urgency=low
* Initial Release (Closes: #578518)
Added: branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch?rev=72659&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch Sat Apr 16 08:19:53 2011
@@ -1,0 +1,76 @@
+Description: Fix path traversal security vulnerability
+Origin: vendor
+Bug: https://github.com/kraih/mojo/issues/114
+Bug-Debian: http://bugs.debian.org/622952
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2011-04-16
+
+--- a/lib/Mojo/Path.pm
++++ b/lib/Mojo/Path.pm
+@@ -85,6 +85,9 @@
+ $self->leading_slash(1) if $path =~ /^\//;
+ $self->trailing_slash(1) if $path =~ /\/$/;
+
++ # Unescape
++ $path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;
++
+ # Parse
+ my @parts;
+ for my $part (split '/', $path) {
+@@ -93,7 +96,7 @@
+ next unless length $part;
+
+ # Store
+- push @parts, b($part)->url_unescape($Mojo::URL::PCHAR)->to_string;
++ push @parts, $part;
+ }
+
+ $self->parts(\@parts);
+--- a/t/mojo/path.t
++++ b/t/mojo/path.t
+@@ -5,7 +5,7 @@
+ use strict;
+ use warnings;
+
+-use Test::More tests => 3;
++use Test::More tests => 11;
+
+ # This is the greatest case of false advertising Iâve seen since I sued the
+ # movie âThe Never Ending Story.â
+@@ -14,3 +14,18 @@
+ my $path = Mojo::Path->new;
+ is($path->parse('/path')->to_string, '/path', 'right path');
+ is($path->parse('/path/0')->to_string, '/path/0', 'right path');
++
++# Canonicalizing
++$path = Mojo::Path->new(
++ '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
++is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], '..', 'right part';
++is $path->canonicalize, '/../../../../../../../../../../etc/passwd',
++ 'rigth result';
++is $path->parts->[0], '..', 'right part';
++$path = Mojo::Path->new(
++ '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
++is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], 'test', 'right part';
++is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], '..', 'right part';
+--- a/t/mojo/url.t
++++ b/t/mojo/url.t
+@@ -121,12 +121,12 @@
+ is($url->userinfo, undef, 'no userinfo');
+ is($url->host, 'acme.s3.amazonaws.com', 'right host');
+ is($url->port, undef, 'no port');
+-is($url->path, '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
++is($url->path, '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
+ ok(!$url->query, 'no query');
+ is_deeply($url->query->to_hash, {}, 'right structure');
+ is($url->fragment, undef, 'no fragment');
+ is("$url",
+- 'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
++ 'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
+ 'right format');
+
+ # Clone (advanced)
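Review bot: Moving the decode to `$path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;` ahead of `split '/', $path` makes an encoded `%2F` a segment separator instead of literal segment data, which is what lets the `..` segments in the new `path.t` cases be seen individually, but it is also a general behaviour change that the rewritten `url.t` expectation (`/mojo%2Fg++…` → `/mojo/g++…`) acknowledges, and the commit log's own FTBFS note (`routes.t` line 359, `http:/www.google.com` for `http://www.google.com`) looks like a second consequence that this commit leaves open — plausibly the `next unless length $part` skip collapsing the empty part between the two slashes, worth confirming before the patch ships. The new `path.t` assertions also show `canonicalize` still returning a path whose first part is `..` (`/../../../../../../../../../../etc/passwd`), so this hunk does not by itself refuse traversal; whatever consumer (the static file dispatcher) reads `parts` is outside this patch and should be checked to reject a leading `..` before this is treated as the complete fix for #622952. The added test descriptions spell `'rigth result'`; `'right result'` would match the neighbouring cases. The `parse` method these lines belong to begins and ends outside the quoted hunk.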
Added: branches/squeeze/libmojolicious-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/series?rev=72659&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/series (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/series Sat Apr 16 08:19:53 2011
@@ -1,0 +1,1 @@
+622952-path-traversal-vulnerability.patch