Re: [UPDATE] CVE-2017-16248: www/p5-Catalyst-Plugin-Static-Simple

Sun, 06 Jan 2019 23:09:16 -0800 

> Same here, but i still made a diff for -stable as an exercise when it
> happened, if needed :)

OK for the -stable diff. Andrew, will you commit this bit as well? If
not, I will commit it myself when/if someone commits the update to
-current.

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/p5-Catalyst-Plugin-Static-Simple/Makefile,v
> retrieving revision 1.15
> diff -u -p -u -p -r1.15 Makefile
> --- Makefile  20 Mar 2016 19:57:16 -0000      1.15
> +++ Makefile  7 Dec 2018 22:43:49 -0000
> @@ -5,7 +5,7 @@ COMMENT=      serving static pages with cata
>  MODULES=     cpan
>  PKG_ARCH=    *
>  DISTNAME=    Catalyst-Plugin-Static-Simple-0.29
> -REVISION=    1
> +REVISION=    2
>  CATEGORIES=  www
>  
>  # Perl
> @@ -17,7 +17,7 @@ RUN_DEPENDS=        devel/p5-Moose \
>               www/p5-Catalyst-Runtime>=5.80008 \
>               mail/p5-MIME-Types>=1.25
>  BUILD_DEPENDS=       ${RUN_DEPENDS}
> -TEST_DEPENDS=www/p5-Catalyst-Plugin-SubRequest>=0.15
> +TEST_DEPENDS=        www/p5-Catalyst-Plugin-SubRequest>=0.15
>  
>  MAKE_ENV=    TEST_POD=Yes
>  
> Index: patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
> ===================================================================
> RCS file: patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
> diff -N patches/patch-lib_Catalyst_Plugin_Static_Simple_pm
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-lib_Catalyst_Plugin_Static_Simple_pm        7 Dec 2018 
> 22:43:49 -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +Fix for CVE-2017-16248 
> +Can be dropped with version>=0.34
> +Index: lib/Catalyst/Plugin/Static/Simple.pm
> +--- lib/Catalyst/Plugin/Static/Simple.pm.orig
> ++++ lib/Catalyst/Plugin/Static/Simple.pm
> +@@ -54,7 +54,7 @@ before prepare_action => sub {
> +     }
> + 
> +     # Does the path have an extension?
> +-    if ( $path =~ /.*\.(\S{1,})$/xms ) {
> ++    if ( $path =~ /\.([^\/\\]+)$/m ) {
> +         # and does it exist?
> +         $c->_locate_static_file( $path );
> +     }
> 
> 
> 
> 
> [diff zapped]
> > andrew - http://afresh1.com
> > 
> > At the source of every error which is blamed on the computer, you
> > will find at least two human errors, including the error of blaming
> > it on the computer.
> >

Reply via email to