[Jifty-commit] r1497 - in jifty/trunk: lib/Jifty/View/Static
jifty-commit at lists.jifty.org
Fri Jul 7 00:34:30 EDT 2006
Author: jesse
Date: Fri Jul 7 00:34:28 2006
New Revision: 1497
Modified:
jifty/trunk/ (props changed)
jifty/trunk/lib/Jifty/View/Static/Handler.pm
Log:
r13575 at pinglin: jesse | 2006-07-06 20:06:01 -0400
* SECURITY FIX: The static file server, when coupled with the standalone webserver did not
adequately protect against relative path injection attacks
Modified: jifty/trunk/lib/Jifty/View/Static/Handler.pm
==============================================================================
--- jifty/trunk/lib/Jifty/View/Static/Handler.pm (original)
+++ jifty/trunk/lib/Jifty/View/Static/Handler.pm Fri Jul 7 00:34:28 2006
@@ -118,6 +118,11 @@
foreach my $path (@options) {
my $abspath = Jifty::Util->absolute_path( $path . "/" . $file );
+ # If the user is trying to request something outside our static root,
+ # decline the request
+ unless ($abspath =~ /^\Q$path\E/) {
+ return undef;
+ }
return $abspath if ( -f $abspath && -r $abspath );
}
return undef;
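Review bot: the anchored prefix check `unless ($abspath =~ /^\Q$path\E/)` has no trailing directory separator, so any canonical path that merely starts with the root's name (a sibling directory such as `<root>2`, to use a placeholder) would also be accepted; match against `$path` followed by `/` (or accept exact equality with `$path`) instead. The same line compares a canonicalized `$abspath` (from `Jifty::Util->absolute_path`) against `$path` as it appears in `@options`, so `$path` should be passed through `absolute_path` first as well, otherwise a relative root entry can never match and every request under it is declined. Finally, `return undef` inside the `foreach` stops the search on the first root that fails rather than moving on with `next`; if rejecting the whole request on a single escape attempt is the intent, a comment saying so would help the next reader.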