Re: [UPDATE] CVE-2017-16248: www/p5-Catalyst-Plugin-Static-Simple

Tue, 08 Jan 2019 18:20:22 -0800 

On Mon, Jan 07, 2019 at 09:08:44AM +0200, Paul Irofti wrote:
> > Same here, but i still made a diff for -stable as an exercise when it
> > happened, if needed :)
> 
> OK for the -stable diff. Andrew, will you commit this bit as well? If
> not, I will commit it myself when/if someone commits the update to
> -current.

I haven't tested the -stable one, but with your OK, I now think it would
be best to let cwen@ do all the commits.



> > Index: Makefile
> > ===================================================================
> > RCS file: /cvs/ports/www/p5-Catalyst-Plugin-Static-Simple/Makefile,v
> > retrieving revision 1.15
> > diff -u -p -u -p -r1.15 Makefile
> > --- Makefile        20 Mar 2016 19:57:16 -0000      1.15
> > +++ Makefile        7 Dec 2018 22:43:49 -0000
> > @@ -5,7 +5,7 @@ COMMENT=    serving static pages with cata
> >  MODULES=   cpan
> >  PKG_ARCH=  *
> >  DISTNAME=  Catalyst-Plugin-Static-Simple-0.29
> > -REVISION=  1
> > +REVISION=  2
> >  CATEGORIES=        www
> >  
> >  # Perl
> > @@ -17,7 +17,7 @@ RUN_DEPENDS=      devel/p5-Moose \
> >             www/p5-Catalyst-Runtime>=5.80008 \
> >             mail/p5-MIME-Types>=1.25
> >  BUILD_DEPENDS=     ${RUN_DEPENDS}
> > -TEST_DEPENDS=www/p5-Catalyst-Plugin-SubRequest>=0.15
> > +TEST_DEPENDS=      www/p5-Catalyst-Plugin-SubRequest>=0.15
> >  
> >  MAKE_ENV=  TEST_POD=Yes
> >  
> > Index: patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
> > ===================================================================
> > RCS file: patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
> > diff -N patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-lib_Catalyst_Plugin_Static_Simple_pm      7 Dec 2018 
> > 22:43:49 -0000
> > @@ -0,0 +1,15 @@
> > +$OpenBSD$
> > +Fix for CVE-2017-16248 
> > +Can be dropped with version>=0.34
> > +Index: lib/Catalyst/Plugin/Static/Simple.pm
> > +--- lib/Catalyst/Plugin/Static/Simple.pm.orig
> > ++++ lib/Catalyst/Plugin/Static/Simple.pm
> > +@@ -54,7 +54,7 @@ before prepare_action => sub {
> > +     }
> > + 
> > +     # Does the path have an extension?
> > +-    if ( $path =~ /.*\.(\S{1,})$/xms ) {
> > ++    if ( $path =~ /\.([^\/\\]+)$/m ) {
> > +         # and does it exist?
> > +         $c->_locate_static_file( $path );
> > +     }
> >

Reply via email to