oss-sec mailing list archives
CVE Request: Plack::App::File does not prune trailing slashes: possible code exposure / information disclosure
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 11 Aug 2014 20:38:22 +0200
Hi Plack 1.0031 contains the following Changes entry[1]: [SECURITY] - Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (avar) #446 See [2,3] for more details about this issue, which might lead to information disclosure. [1] http://api.metacpan.org/source/MIYAGAWA/Plack-1.0031/Changes [2] https://github.com/plack/Plack/issues/405 [3] https://github.com/plack/Plack/pull/446 Can a CVE be assigned for this isssue (as an example, CVE-2013-7329 was previously also assigned for CGI::Application). Regards, Salvatore
Current thread:
- CVE Request: Plack::App::File does not prune trailing slashes: possible code exposure / information disclosure Salvatore Bonaccorso (Aug 11)