https://bugzilla.redhat.com/show_bug.cgi?id=1128978

Bug ID: 1128978
Summary: perl-Plack: trailing slashes removed leading to source code disclosure
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@xxxxxxxxxx
Reporter: mmcallis@xxxxxxxxxx
CC: jose.p.oliveira.oss@xxxxxxxxx, perl-devel@xxxxxxxxxxxxxxxxxxxxxxx, rc040203@xxxxxxxxxx

Plack 1.0031 fixes the following security issue:

- Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (avar) #446

Upstream fix:
https://github.com/avar/Plack/commit/bc1731dbb53850c380875ad683cd87c8ec99eee3

References:
https://github.com/plack/Plack/issues/405
http://seclists.org/oss-sec/2014/q3/345
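
An added example, not part of the bug report and not Plack's own code: a simplified Perl model of how a path splitter can silently strip trailing slashes (split without a LIMIT discards trailing empty fields), next to a strict resolver that keeps them and refuses such paths. The function names and request paths are constructed for illustration, and treating split as the mechanism is an assumption rather than something the report states.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Lossy: split with no LIMIT discards trailing empty fields, so the
# trailing slashes vanish and "/a/file.txt///" looks like "/a/file.txt".
sub components_lossy {
    my ($path) = @_;
    return split m{[\\/]}, $path;
}

# Faithful: a LIMIT of -1 keeps trailing empty fields, so the resolver
# sees the same path that an earlier allow-list check saw.
sub components_exact {
    my ($path) = @_;
    return split m{[\\/]}, $path, -1;
}

# Hypothetical strict resolver: returns an array ref of components,
# or nothing (the caller should answer 404) when the path is not canonical.
sub resolve {
    my ($path) = @_;
    my @parts = components_exact($path);
    shift @parts if @parts && $parts[0] eq '';    # drop the leading "/"
    return unless @parts;
    # Empty components come from doubled or trailing slashes; "." and ".."
    # are refused too. Rejecting doubled slashes is a policy choice here.
    return if grep { $_ eq '' || $_ eq '.' || $_ eq '..' } @parts;
    return \@parts;
}

# Constructed sample request paths.
for my $req ('/a/file.txt', '/a/file.txt/', '/a/file.txt///', '/a//file.txt') {
    my @lossy  = grep { length } components_lossy($req);
    my $strict = resolve($req);
    printf "%-16s lossy=%-12s strict=%s\n",
        $req, join('/', @lossy),
        $strict ? join('/', @$strict) : 'rejected';
}
```

The point for a deployment review is that the component deciding whether a path is allowed and the component opening the file must agree on the exact path string; any normalization step between them is worth a test case with trailing slashes.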