r72659 - in /branches/squeeze/libmojolicious-perl/debian: changelog patches/ patches/622952-path-traversal-vulnerability.patch patches/series

carnil at users.alioth.debian.org carnil at users.alioth.debian.org
Sat Apr 16 08:22:17 UTC 2011


Author: carnil
Date: Sat Apr 16 08:19:53 2011
New Revision: 72659

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=72659
Log:
# TODO: FTBFS, tests in t/mojox/routes/routes.t
#	#   Failed test at t/mojox/routes/routes.t line 359.
#	#          got: 'http:/www.google.com'
#	#     expected: 'http://www.google.com'
#	# Looks like you failed 1 test of 193.
#	t/mojox/routes/routes.t ....................... 
#	Dubious, test returned 1 (wstat 256, 0x100)
#	Failed 1/193 subtests 
* [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix a path
traversal security vulnerability (Closes: #622952).

Added:
    branches/squeeze/libmojolicious-perl/debian/patches/
    branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch
    branches/squeeze/libmojolicious-perl/debian/patches/series
Modified:
    branches/squeeze/libmojolicious-perl/debian/changelog

Modified: branches/squeeze/libmojolicious-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/changelog?rev=72659&op=diff
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/changelog (original)
+++ branches/squeeze/libmojolicious-perl/debian/changelog Sat Apr 16 08:19:53 2011
@@ -1,3 +1,19 @@
+libmojolicious-perl (0.999926-1+squeeze1) stable-security; urgency=high
+
+  # TODO: FTBFS, tests in t/mojox/routes/routes.t
+  #	#   Failed test at t/mojox/routes/routes.t line 359.
+  #	#          got: 'http:/www.google.com'
+  #	#     expected: 'http://www.google.com'
+  #	# Looks like you failed 1 test of 193.
+  #	t/mojox/routes/routes.t ....................... 
+  #	Dubious, test returned 1 (wstat 256, 0x100)
+  #	Failed 1/193 subtests 
+
+  * [SECURITY] Add 622952-path-traversal-vulnerability.patch to fix path
+    traversal security vulnerability (Closes: #622952). 
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 16 Apr 2011 09:44:17 +0200
+
 libmojolicious-perl (0.999926-1) unstable; urgency=low
 
   * Initial Release (Closes: #578518)

Added: branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch?rev=72659&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/622952-path-traversal-vulnerability.patch Sat Apr 16 08:19:53 2011
@@ -1,0 +1,76 @@
+Description: Fix path traversal security vulnerability
+Origin: vendor
+Bug: https://github.com/kraih/mojo/issues/114
+Bug-Debian: http://bugs.debian.org/622952 
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2011-04-16
+
+--- a/lib/Mojo/Path.pm
++++ b/lib/Mojo/Path.pm
+@@ -85,6 +85,9 @@
+     $self->leading_slash(1)  if $path =~ /^\//;
+     $self->trailing_slash(1) if $path =~ /\/$/;
+ 
++    # Unescape
++    $path = b($path)->url_unescape($Mojo::URL::PCHAR)->to_string;
++
+     # Parse
+     my @parts;
+     for my $part (split '/', $path) {
+@@ -93,7 +96,7 @@
+         next unless length $part;
+ 
+         # Store
+-        push @parts, b($part)->url_unescape($Mojo::URL::PCHAR)->to_string;
++        push @parts, $part;
+     }
+ 
+     $self->parts(\@parts);
+--- a/t/mojo/path.t
++++ b/t/mojo/path.t
+@@ -5,7 +5,7 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests => 3;
++use Test::More tests => 11;
+ 
+ # This is the greatest case of false advertising I’ve seen since I sued the
+ # movie “The Never Ending Story.”
+@@ -14,3 +14,18 @@
+ my $path = Mojo::Path->new;
+ is($path->parse('/path')->to_string,   '/path',   'right path');
+ is($path->parse('/path/0')->to_string, '/path/0', 'right path');
++
++# Canonicalizing
++$path = Mojo::Path->new(
++  '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
++is "$path", '/../../../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], '..', 'right part';
++is $path->canonicalize, '/../../../../../../../../../../etc/passwd',
++  'rigth result';
++is $path->parts->[0], '..', 'right part';
++$path = Mojo::Path->new(
++  '/%2ftest%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd');
++is "$path", '/test/../../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], 'test', 'right part';
++is $path->canonicalize, '/../../../../../../../../etc/passwd', 'rigth result';
++is $path->parts->[0], '..', 'right part';
+--- a/t/mojo/url.t
++++ b/t/mojo/url.t
+@@ -121,12 +121,12 @@
+ is($url->userinfo, undef,                                     'no userinfo');
+ is($url->host,     'acme.s3.amazonaws.com',                   'right host');
+ is($url->port,     undef,                                     'no port');
+-is($url->path,     '/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
++is($url->path,     '/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb', 'right path');
+ ok(!$url->query, 'no query');
+ is_deeply($url->query->to_hash, {}, 'right structure');
+ is($url->fragment, undef, 'no fragment');
+ is("$url",
+-    'http://acme.s3.amazonaws.com/mojo%2Fg++-4.2_4.2.3-2ubuntu7_i386.deb',
++    'http://acme.s3.amazonaws.com/mojo/g++-4.2_4.2.3-2ubuntu7_i386.deb',
+     'right format');
+ 
+ # Clone (advanced)
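Review bot: Moving `url_unescape` ahead of the `split '/'` (the added line in the Mojo/Path.pm hunk) makes an encoded `%2F` indistinguishable from a real separator, so a segment that legitimately contains a slash can no longer round-trip, and the url.t hunk rewrites its expectation to the new behaviour rather than keeping the old one. The FTBFS recorded in the changelog for t/mojox/routes/routes.t (`got: 'http:/www.google.com'`) looks like the same effect combined with `next unless length $part` discarding the empty segment between the two slashes; that should be confirmed and the affected test or loop patched in the same upload rather than left as a TODO. Because this is a stable-security update, the changelog entry should also state the behaviour change for applications that depend on encoded slashes in path segments. Separately, the new t/mojo/path.t cases use the description `'rigth result'` in four places; `'right result'` matches the neighbouring descriptions.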

Added: branches/squeeze/libmojolicious-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libmojolicious-perl/debian/patches/series?rev=72659&op=file
==============================================================================
--- branches/squeeze/libmojolicious-perl/debian/patches/series (added)
+++ branches/squeeze/libmojolicious-perl/debian/patches/series Sat Apr 16 08:19:53 2011
@@ -1,0 +1,1 @@
+622952-path-traversal-vulnerability.patch



