[Jifty-commit] jifty branch, master, updated. jifty-1.10228-11-g533dfea
Jifty commits
jifty-commit at lists.jifty.org
Fri Apr 22 22:05:56 EDT 2011
The branch, master has been updated
via 533dfeaa305af6fe12ca72a2eb0c6c8b069cd3ea (commit)
via 1520243fbd2a084d9e0016f2a5c30c8c63a2af31 (commit)
via b0677f555b0ed6b5c1c4708b4aa12b5d4fc0646b (commit)
from bab8aa1f75ed7c1479516fc39d781a00b891835b (commit)
Summary of changes:
lib/Jifty/Dispatcher.pm | 11 +++++------
lib/Jifty/Request.pm | 7 +++++--
lib/Jifty/Web.pm | 6 ++++++
3 files changed, 16 insertions(+), 8 deletions(-)
- Log -----------------------------------------------------------------
commit b0677f555b0ed6b5c1c4708b4aa12b5d4fc0646b
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Fri Apr 22 16:14:21 2011 -0400
Move directory traversal check to the more centralized ->render_template
diff --git a/lib/Jifty/Dispatcher.pm b/lib/Jifty/Dispatcher.pm
index 618c214..c911401 100644
--- a/lib/Jifty/Dispatcher.pm
+++ b/lib/Jifty/Dispatcher.pm
@@ -816,12 +816,6 @@ sub _do_show {
# a relative path, prepend the working directory
$path = "$self->{cwd}/$path" unless $path =~ m{^/};
- # Check for ../../../../../etc/passwd
- my $abs_template_path = Jifty::Util->absolute_path( Jifty->config->framework('Web')->{'TemplateRoot'} . $path );
- my $abs_root_path = Jifty::Util->absolute_path( Jifty->config->framework('Web')->{'TemplateRoot'} );
- Jifty->web->render_template('/errors/500')
- if $abs_template_path !~ /^\Q$abs_root_path\E/;
-
Jifty->web->render_template( $path );
last_rule;
diff --git a/lib/Jifty/Web.pm b/lib/Jifty/Web.pm
index c9a65bc..4eec267 100644
--- a/lib/Jifty/Web.pm
+++ b/lib/Jifty/Web.pm
@@ -967,6 +967,12 @@ sub render_template {
my $content;
my $void_context = ( defined wantarray ? 0 :1);
+ # Check for ../../../../../etc/passwd
+ my $abs_template_path = Jifty::Util->absolute_path( Jifty->config->framework('Web')->{'TemplateRoot'} . $template );
+ my $abs_root_path = Jifty::Util->absolute_path( Jifty->config->framework('Web')->{'TemplateRoot'} );
+ $template = "/errors/500"
+ if $abs_template_path !~ /^\Q$abs_root_path\E/;
+
# Look for a possible handler, and cache it for future requests.
# With DevelMode, always look it up.
if ( not exists $TEMPLATE_CACHE{$template} or Jifty->config->framework('DevelMode')) {
commit 1520243fbd2a084d9e0016f2a5c30c8c63a2af31
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Fri Apr 22 17:51:15 2011 -0400
Canonicalize all request paths; this catches fragment requests as well
Previously, the path as passed in the fragment request data structure
was used verbatim in the dispatcher and other locations. This possibly
allowed requests to walk around ACLs by requesting
'/some/safe/place/../../../dangerous' as a fragment. As a non-fragment,
this would have been canonicalized to '/dangerous', but fragment paths
were not being so canonicalized.
diff --git a/lib/Jifty/Request.pm b/lib/Jifty/Request.pm
index bdeaf9b..d060a5b 100644
--- a/lib/Jifty/Request.pm
+++ b/lib/Jifty/Request.pm
@@ -42,7 +42,10 @@ sub body { $_[0]->env->{'psgi.input'} }
sub input { $_[0]->env->{'psgi.input'} }
sub header { shift->headers->header(@_) }
-sub path { shift->uri->path(@_) }
+sub path {
+ return @_ == 1 ? $_[0]->uri->path
+ : $_[0]->uri->path( Jifty::Util->canonicalize_path( $_[1], 1 ) )
+}
sub content_length { shift->headers->content_length(@_) }
sub content_type { shift->headers->content_type(@_) }
sub referer { shift->headers->referer(@_) }
@@ -290,7 +293,7 @@ sub from_data_structure {
my $path = $data->{'path'};
$path ||= $self->path || '/';
- $self->path( Jifty::Util->canonicalize_path( $path, 1 ) );
+ $self->path( $path );
$self->just_validating( $data->{validating} ) if $data->{validating};
if ( ref $data->{continuation} eq "HASH" ) {
commit 533dfeaa305af6fe12ca72a2eb0c6c8b069cd3ea
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Fri Apr 22 16:28:55 2011 -0400
Allow a shortcut around the dispatcher for fragments
Re-dispatching through the application's dispatcher can be a significant
performance hit on pageregion-heavy pages. Allow dispatchers to declare
a fragment_handler method which will be used in place of the full
dispatcher.
Care must be taken to ensure that this does not allow walking around
ACLs. Anything which runs on every request (sessions, Jifty->api
limiting) will have already run once on the original
/__jifty/webservices/json request; however, since that page is in no way
ACL protected by the dispatcher, a fragment_handler method which does
not adequately express the ACL checks of the rest of the dispatcher is a
security vulnerability. Whitelisting, rather than blacklisting, is most
likely the correct course of action.
diff --git a/lib/Jifty/Dispatcher.pm b/lib/Jifty/Dispatcher.pm
index c911401..f4ec962 100644
--- a/lib/Jifty/Dispatcher.pm
+++ b/lib/Jifty/Dispatcher.pm
@@ -498,6 +498,11 @@ sub handle_request {
local $SIG{__DIE__} = 'DEFAULT';
local $Request = Jifty->web->request;
+ my $handler = $Dispatcher->can("fragment_handler");
+ if ($Request->is_subrequest and $handler) {
+ $handler->();
+ return undef;
+ }
eval {
$Dispatcher->_do_dispatch( Jifty->web->request->path);
};
-----------------------------------------------------------------------
More information about the Jifty-commit
mailing list