SECURITY patch: concat get directory traversal.

hachi hachi at kuiki.net
Thu Jan 17 00:50:55 UTC 2008


Prior to r746 in subversion, a single upward directory traversal was 
possible with concat get URL fetching. This could allow an arbitrary 
client to gain access to source code or system configuration files.

I suggest upgrading to at least r746 if you are running out of 
subversion, or applying the following patch manually until a new version 
of perlbal is released.

--hachi

Index: /trunk/lib/Perlbal/ClientHTTPBase.pm
===================================================================
--- /trunk/lib/Perlbal/ClientHTTPBase.pm (revision 725)
+++ /trunk/lib/Perlbal/ClientHTTPBase.pm (revision 746)
@@ -540,4 +540,5 @@
     return $self->_simple_response(403, "Multiple file serving isn't enabled") unless $svc->{enable_concatenate_get};
     return $self->_simple_response(403, "Too many files requested") if @multiple_files > 100;
+    return $self->_simple_response(403, "Bogus filenames") if grep { m!(?:\A|/)\.\./! } @multiple_files;
 
     my $remain = @multiple_file
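Review bot: the added `grep { m!(?:\A|/)\.\./! }` rejects only a literal `..` segment followed by `/`, and this hunk does not show whether `@multiple_files` has already been URL-decoded when the check runs; confirm that decoding happens before this line (if the check runs on still-encoded names, the pattern is not the last word on what reaches the filesystem), or better, canonicalize each resolved path and verify it remains under the service's document root instead of pattern-matching for `..`. The bare `403 "Bogus filenames"` also leaves no record for operators; logging the rejected filenames next to the response would let traversal attempts show up in the service logs.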



