building a debian package (and a random bugfix)

jbj at forbidden.co.uk
Sun Jan 21 11:43:39 UTC 2007


On Sat, Jan 20, 2007 at 04:51:20PM -0800, Jonathan Steinert wrote:
> And then it should say "Done" and you can do
> $ dpkg-buildpackage -rfakeroot

I've built various debian packages of perlbal recently, but the
changelog in SVN has a version number of 1.41 (whereas we're currently
on at least 1.53 at the moment) - it might be worth updating that
before you build, so as not to confuse yourself later on.

Is there any chance somebody with commit access can keep the changelog
up-to-date? Pavel? (or perhaps add a script that gets the latest
version number from CHANGES on build...)


Oh, and a minor bug fix, or at least a request for comments on one. We
serve a number of files in directories called things like
'blah...234089', and can't serve them through the perlbal web server
as-is. I'm using the following fix (i.e. don't just check for two '.'s,
but make sure it has slashes around it). Is there anything obviously
worse with this from a security point of view?

===================================================================
--- lib/Perlbal/ClientHTTPBase.pm       (revision 623)
+++ lib/Perlbal/ClientHTTPBase.pm       (working copy)
@@ -362,7 +362,7 @@
     return 1 if $self->{service}->run_hook('start_serve_request', $self, \$uri);

     # don't allow directory traversal
-    if ($uri =~ /\.\./ || $uri !~ m!^/!) {
+    if ($uri =~ /\/\.\.\// || $uri !~ m!^/!) {
         return $self->_simple_response(403, "Bogus URL");
     }
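Review bot: the replacement pattern `/\/\.\.\//` only rejects a `..` segment that has a slash on both sides, so a `..` segment at the very end of the path (no trailing slash) is no longer caught, whereas the original `/\.\./` rejected it. Anchor the closing side on either a slash or end of string, e.g. `if ($uri =~ m!/\.\.(?:/|$)! || $uri !~ m!^/!)`, which still lets 'blah...234089' through because the dots there are not a whole path segment. It is also not visible in this hunk whether `$uri` has been percent-decoded before this point; if decoding happens later, the check only sees the raw request form, so it is worth confirming where `$uri` comes from.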

Best wishes,
Jeremy