[Jifty-commit] r1497 - in jifty/trunk: lib/Jifty/View/Static

jifty-commit at lists.jifty.org
Fri Jul 7 00:34:30 EDT 2006


Author: jesse
Date: Fri Jul  7 00:34:28 2006
New Revision: 1497

Modified:
   jifty/trunk/   (props changed)
   jifty/trunk/lib/Jifty/View/Static/Handler.pm

Log:
 r13575 at pinglin:  jesse | 2006-07-06 20:06:01 -0400
 * SECURITY FIX: The static file server, when coupled with the standalone webserver did not 
   adequately protect against relative path injection attacks
 


Modified: jifty/trunk/lib/Jifty/View/Static/Handler.pm
==============================================================================
--- jifty/trunk/lib/Jifty/View/Static/Handler.pm	(original)
+++ jifty/trunk/lib/Jifty/View/Static/Handler.pm	Fri Jul  7 00:34:28 2006
@@ -118,6 +118,11 @@
 
     foreach my $path (@options) {
         my $abspath = Jifty::Util->absolute_path( $path . "/" . $file );
+        # If the user is trying to request something outside our static root, 
+        # decline the request
+        unless ($abspath =~ /^\Q$path\E/) {
+            return undef;
+        }
         return $abspath if ( -f $abspath && -r $abspath );
     }
     return undef;
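Review bot: the containment check `$abspath =~ /^\Q$path\E/` only tests that the resolved path begins with the string `$path`; it does not require a directory separator to follow, so a static root of `/srv/app/static` would also accept a resolved path under a sibling such as `/srv/app/static-private/` or `/srv/app/static2/`. Anchor the match on a path boundary instead, e.g. `unless ($abspath =~ m{^\Q$path\E(?:/|$)})`. Separately, `return undef` inside the `foreach` aborts the lookup on the first `@options` entry that fails the check, so any later static roots that might legitimately serve `$file` are never consulted; `next;` keeps the decline-on-escape behaviour while letting the loop continue, and the final `return undef;` below still covers the no-match case. It would also help to state in the comment whether `Jifty::Util->absolute_path` resolves symlinks, since the prefix check is only as strong as that canonicalisation.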

