On Sun, 6 Jan 2019 19:51:25 -0700
Andrew Hewus Fresh wrote:
> On Mon, Dec 17, 2018 at 03:21:27AM +0100, Charlene Wendling wrote:
> > Hi,
> >
> > I'm adding the quirks info as well. Can someone check this out
> > please?
>
> OK afresh1@, although I don't have a firm enough grasp on Quirks to
> know for sure this is right.
>
> I also don't know whether it should be backported to -stable.
>
Same here, but I still made a diff for -stable as an exercise when it
happened, if needed :)
Charlène.
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/p5-Catalyst-Plugin-Static-Simple/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- Makefile 20 Mar 2016 19:57:16 -0000 1.15
+++ Makefile 7 Dec 2018 22:43:49 -0000
@@ -5,7 +5,7 @@ COMMENT= serving static pages with cata
MODULES= cpan
PKG_ARCH= *
DISTNAME= Catalyst-Plugin-Static-Simple-0.29
-REVISION= 1
+REVISION= 2
CATEGORIES= www
# Perl
@@ -17,7 +17,7 @@ RUN_DEPENDS= devel/p5-Moose \
www/p5-Catalyst-Runtime>=5.80008 \
mail/p5-MIME-Types>=1.25
BUILD_DEPENDS= ${RUN_DEPENDS}
-TEST_DEPENDS=www/p5-Catalyst-Plugin-SubRequest>=0.15
+TEST_DEPENDS= www/p5-Catalyst-Plugin-SubRequest>=0.15
MAKE_ENV= TEST_POD=Yes
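Review bot: the TEST_DEPENDS line changes only its whitespace and has nothing to do with the CVE fix. That is fine as a drive-by cleanup, but for a diff meant for -stable I would drop it, so the backport contains only the REVISION bump and the new patch file.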
Index: patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
===================================================================
RCS file: patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
diff -N patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-lib_Catalyst_Plugin_Static_Simple_pm 7 Dec 2018 22:43:49
-0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+Fix for CVE-2017-16248
+Can be dropped with version>=0.34
+Index: lib/Catalyst/Plugin/Static/Simple.pm
+--- lib/Catalyst/Plugin/Static/Simple.pm.orig
++++ lib/Catalyst/Plugin/Static/Simple.pm
+@@ -54,7 +54,7 @@ before prepare_action => sub {
+ }
+
+ # Does the path have an extension?
+- if ( $path =~ /.*\.(\S{1,})$/xms ) {
++ if ( $path =~ /\.([^\/\\]+)$/m ) {
+ # and does it exist?
+ $c->_locate_static_file( $path );
+ }
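Review bot: in the replacement pattern `/\.([^\/\\]+)$/m`, the `/m` modifier lets `$` match before any embedded newline, so the extension test is not strictly anchored to the end of `$path`. Excluding `/` and `\` after the dot is the substantive fix and looks right, but `\z` without `/m` would pin the match to the real end of the string. Since the header says this patch can be dropped with version>=0.34, a change to the anchor is probably better raised upstream than carried as a local deviation. The patch header itself (CVE id plus the drop condition) is what I would want to see here.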
[diff zapped]
> andrew - http://afresh1.com
>
> At the source of every error which is blamed on the computer, you
> will find at least two human errors, including the error of blaming
> it on the computer.
>