SECURITY patch: concat get directory traversal.
hachi
hachi at kuiki.net
Thu Jan 17 00:50:55 UTC 2008
Prior to r746 in subversion, a single upward directory traversal was
possible with concat get URL fetching. This could allow an arbitrary
client to gain access to source code or system configuration files.
I suggest upgrading to at least r746 if you are running out of
subversion, or applying the following patch manually until a new version
of perlbal is released.
--hachi
Index: /trunk/lib/Perlbal/ClientHTTPBase.pm
===================================================================
--- /trunk/lib/Perlbal/ClientHTTPBase.pm (revision 725)
+++ /trunk/lib/Perlbal/ClientHTTPBase.pm (revision 746)
@@ -540,4 +540,5 @@
return $self->_simple_response(403, "Multiple file serving isn't enabled") unless $svc->{enable_concatenate_get};
return $self->_simple_response(403, "Too many files requested") if @multiple_files > 100;
+ return $self->_simple_response(403, "Bogus filenames") if grep { m!(?:\A|/)\.\./! } @multiple_files;
my $remain = @multiple_file
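Review bot: the new check on the `+` line rejects `../` only when it is followed by a slash, so a requested name whose final component is bare `..` (e.g. `dir/..`) slips past `m!(?:\A|/)\.\./!`; anchoring the segment on both sides, `m!(?:\A|/)\.\.(?:/|\z)!`, closes that gap. It would also help to note in a comment that this relies on the entries in `@multiple_files` already being percent-decoded, since the pattern only matches literal dots and slashes.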