On Thu, Mar 22, 2012 at 11:35:36PM +0100, Jakub Wilk wrote:
> Package: apt-cacher-ng
> Version: 0.7.2-1
>
> $ apt-get download libpcre3
> Err Downloading libpcre3 8.30..-2
> 403 Forbidden file type or location:
> http://ftp.debian.org/debian/pool/main/p/pcre3/libpcre3_8.30..-2_i386.deb
>
> But "8.30..-2" is a valid version number.

The attached patch should fix this. The problem comes from the check for accessing parent directories, which simply checks for ".." in the URI, instead of "../".

-- 
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

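
The two substring checks discussed in the message above, side by side with a segment-aware variant, as an added example that is not part of the original mail or of apt-cacher-ng. The function names and all sample paths except the libpcre3 one are constructed for illustration, and the code assumes the path it is given has already been percent-decoded.

```cpp
#include <iostream>
#include <string>

// Check described as the old behaviour: any ".." anywhere in the path.
static bool old_check(const std::string& p) {
    return p.find("..") != std::string::npos;
}

// Check described as the fix: "../" anywhere in the path.
static bool patched_check(const std::string& p) {
    return p.find("../") != std::string::npos;
}

// Hypothetical alternative: reject only when a whole '/'-delimited
// segment is exactly "..", wherever it sits in the path.
static bool has_dotdot_segment(const std::string& p) {
    std::string::size_type start = 0;
    while (start <= p.size()) {
        std::string::size_type end = p.find('/', start);
        if (end == std::string::npos) end = p.size();
        if (end - start == 2 && p.compare(start, 2, "..") == 0) return true;
        start = end + 1;  // step over the '/' (or past the end of the string)
    }
    return false;
}

int main() {
    const char* samples[] = {
        "/debian/pool/main/p/pcre3/libpcre3_8.30..-2_i386.deb",  // from the report
        "/debian/../other/file",   // constructed: parent segment mid-path
        "/debian/pool/..",         // constructed: parent segment at the end
        "/debian/foo../bar.deb",   // constructed: name that merely ends in ".."
    };
    std::cout << "old patched segment  path\n";
    for (const char* s : samples)
        std::cout << old_check(s) << "   " << patched_check(s) << "       "
                  << has_dotdot_segment(s) << "        " << s << "\n";
    return 0;
}
```
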
Description: Fix the check for parent directory access The previous check checked for the existence of ".." in the URI. This does not work correctly as ".." may appear in the package name or elsewhere, as can be seen in libpcre3_8.30..-2_i386.deb. Author: Julian Andres Klode <[email protected]> --- Bug-Debian: http://bugs.debian.org/665301 --- apt-cacher-ng-0.7.2.orig/source/job.cc +++ apt-cacher-ng-0.7.2/source/job.cc @@ -565,7 +565,7 @@ void job::PrepareDownload() { m_bClientWants2Close = 0==strncasecmp(m_pReqHead->h[header::CONNECTION], "close", 5); // "clever" file system browsing attempt? - if(stmiss != sRawUriPath.find("..") + if(stmiss != sRawUriPath.find("../") || stmiss != sRawUriPath.find("/_actmp") || startsWithSz(sRawUriPath, "/_")) goto report_notallowed;
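
Review bot: the replacement test `sRawUriPath.find("../")` in job::PrepareDownload() is still a substring match, so a path whose last segment is a bare ".." with no trailing slash is no longer rejected, while a directory name that merely ends in two dots before a slash is still refused. Consider matching a whole path segment instead, that is "/../" anywhere in the path or "/.." at its end. A short comment on whether sRawUriPath has been percent-decoded at this point would also help, since the name suggests it has not and the check only sees literal dots.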

