RT#123754 Add security note to File::Spec::no_upwards

author David Golden <xdg@xdg.me>

Mon, 27 Feb 2017 14:14:04 +0000 (09:14 -0500)

committer David Golden <xdg@xdg.me>

Mon, 27 Feb 2017 14:48:57 +0000 (09:48 -0500)
author David Golden <xdg@xdg.me>
Mon, 27 Feb 2017 14:14:04 +0000 (09:14 -0500)
committer David Golden <xdg@xdg.me>
Mon, 27 Feb 2017 14:48:57 +0000 (09:48 -0500)
diff --git a/dist/PathTools/Changes b/dist/PathTools/Changes

index 46c9a9e..7d0c179 100644 (file)
--- a/dist/PathTools/Changes
+++ b/dist/PathTools/Changes
@@ -1,5 +1,8 @@
  Revision history for Perl distribution PathTools.
  
+3.67 - Mon Feb 27 09:33:04 EST 2017
+- Add security usage note to File::Spec::no_upwards
+
  3.66 - Sat Nov 19 10:30:19 MST 2016
  - white space change so can compile under C++11
  
diff --git a/dist/PathTools/Cwd.pm b/dist/PathTools/Cwd.pm

index 362a000..ce142cf 100644 (file)
--- a/dist/PathTools/Cwd.pm
+++ b/dist/PathTools/Cwd.pm
@@ -3,7 +3,7 @@ use strict;
  use Exporter;
  use vars qw(@ISA @EXPORT @EXPORT_OK $VERSION);
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  my $xs_version = $VERSION;
  $VERSION =~ tr/_//d;
  
diff --git a/dist/PathTools/lib/File/Spec.pm b/dist/PathTools/lib/File/Spec.pm

index 85ad174..a9a7619 100644 (file)
--- a/dist/PathTools/lib/File/Spec.pm
+++ b/dist/PathTools/lib/File/Spec.pm
@@ -3,7 +3,7 @@ package File::Spec;
  use strict;
  use vars qw(@ISA $VERSION);
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  my %module = (MacOS   => 'Mac',
@@ -158,10 +158,13 @@ Returns a string representation of the parent directory.
  
  =item no_upwards
  
-Given a list of file names, strip out those that refer to a parent
-directory. (Does not strip symlinks, only '.', '..', and equivalents.)
+Given a list of files in a directory (such as from C<readdir()>),
+strip out C<'.'> and C<'..'>.
  
-    @paths = File::Spec->no_upwards( @paths );
+B<SECURITY NOTE:> This does NOT filter paths containing C<'..'>, like
+C<'../../../../etc/passwd'>, only literal matches to C<'.'> and C<'..'>.
+
+    @paths = File::Spec->no_upwards( readdir $dirhandle );
  
  =item case_tolerant
  
diff --git a/dist/PathTools/lib/File/Spec/AmigaOS.pm b/dist/PathTools/lib/File/Spec/AmigaOS.pm

index b288f22..8d3796e 100644 (file)
--- a/dist/PathTools/lib/File/Spec/AmigaOS.pm
+++ b/dist/PathTools/lib/File/Spec/AmigaOS.pm
@@ -4,7 +4,7 @@ use strict;
  use vars qw(@ISA $VERSION);
  require File::Spec::Unix;
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Cygwin.pm b/dist/PathTools/lib/File/Spec/Cygwin.pm

index 48da542..745df86 100644 (file)
--- a/dist/PathTools/lib/File/Spec/Cygwin.pm
+++ b/dist/PathTools/lib/File/Spec/Cygwin.pm
@@ -4,7 +4,7 @@ use strict;
  use vars qw(@ISA $VERSION);
  require File::Spec::Unix;
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Epoc.pm b/dist/PathTools/lib/File/Spec/Epoc.pm

index ef8af40..959261a 100644 (file)
--- a/dist/PathTools/lib/File/Spec/Epoc.pm
+++ b/dist/PathTools/lib/File/Spec/Epoc.pm
@@ -3,7 +3,7 @@ package File::Spec::Epoc;
  use strict;
  use vars qw($VERSION @ISA);
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  require File::Spec::Unix;
diff --git a/dist/PathTools/lib/File/Spec/Functions.pm b/dist/PathTools/lib/File/Spec/Functions.pm

index ccf1562..cb7532e 100644 (file)
--- a/dist/PathTools/lib/File/Spec/Functions.pm
+++ b/dist/PathTools/lib/File/Spec/Functions.pm
@@ -5,7 +5,7 @@ use strict;
  
  use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  require Exporter;
diff --git a/dist/PathTools/lib/File/Spec/Mac.pm b/dist/PathTools/lib/File/Spec/Mac.pm

index a7454e7..192cc8d 100644 (file)
--- a/dist/PathTools/lib/File/Spec/Mac.pm
+++ b/dist/PathTools/lib/File/Spec/Mac.pm
@@ -4,7 +4,7 @@ use strict;
  use vars qw(@ISA $VERSION);
  require File::Spec::Unix;
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/OS2.pm b/dist/PathTools/lib/File/Spec/OS2.pm

index a17f995..1e201eb 100644 (file)
--- a/dist/PathTools/lib/File/Spec/OS2.pm
+++ b/dist/PathTools/lib/File/Spec/OS2.pm
@@ -4,7 +4,7 @@ use strict;
  use vars qw(@ISA $VERSION);
  require File::Spec::Unix;
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Unix.pm b/dist/PathTools/lib/File/Spec/Unix.pm

index 9f66dc2..ff3599a 100644 (file)
--- a/dist/PathTools/lib/File/Spec/Unix.pm
+++ b/dist/PathTools/lib/File/Spec/Unix.pm
@@ -3,7 +3,7 @@ package File::Spec::Unix;
  use strict;
  use vars qw($VERSION);
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  my $xs_version = $VERSION;
  $VERSION =~ tr/_//d;
  
diff --git a/dist/PathTools/lib/File/Spec/VMS.pm b/dist/PathTools/lib/File/Spec/VMS.pm

index c055e6b..fb4351f 100644 (file)
--- a/dist/PathTools/lib/File/Spec/VMS.pm
+++ b/dist/PathTools/lib/File/Spec/VMS.pm
@@ -4,7 +4,7 @@ use strict;
  use vars qw(@ISA $VERSION);
  require File::Spec::Unix;
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  @ISA = qw(File::Spec::Unix);
diff --git a/dist/PathTools/lib/File/Spec/Win32.pm b/dist/PathTools/lib/File/Spec/Win32.pm

index 9036654..17f1c5a 100644 (file)
--- a/dist/PathTools/lib/File/Spec/Win32.pm
+++ b/dist/PathTools/lib/File/Spec/Win32.pm
@@ -5,7 +5,7 @@ use strict;
  use vars qw(@ISA $VERSION);
  require File::Spec::Unix;
  
-$VERSION = '3.66';
+$VERSION = '3.67';
  $VERSION =~ tr/_//d;
  
  @ISA = qw(File::Spec::Unix);
author	David Golden <xdg@xdg.me>
	Mon, 27 Feb 2017 14:14:04 +0000 (09:14 -0500)
committer	David Golden <xdg@xdg.me>
	Mon, 27 Feb 2017 14:48:57 +0000 (09:48 -0500)
dist/PathTools/Changes		patch \| blob \| blame \| history
dist/PathTools/Cwd.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/AmigaOS.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/Cygwin.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/Epoc.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/Functions.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/Mac.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/OS2.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/Unix.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/VMS.pm		patch \| blob \| blame \| history
dist/PathTools/lib/File/Spec/Win32.pm		patch \| blob \| blame \| history