Perlbal - Re: building a debian package (and a random buxfix)







Author Re: building a debian package (and a random buxfix)

2007-01-21, 7:11 am

On Sat, Jan 20, 2007 at 04:51:20PM -0800, Jonathan Steinert wrote:
> And then it should say "Done" and you can do
> $ dpkg-buildpackage -rfakeroot


I've built various debian packages of perlbal recently, but the
changelog in SVN has a version number of 1.41 (whereas we're currently
on at least 1.53 at the moment) - it might be worth updating that
before you build, so as not to confuse yourself later on.

Is there any chance somebody with commit access can keep the changelog
up-to-date? Pavel? (or perhaps add a script that gets the latest
version number from CHANGES on build...)


Oh, and a minor bug fix, or at least a request for comments on one; we
serve a number of files in directories called things like
'blah...234089', and can't serve them through the perlbal web server as-is. I'm
using the following fix (i.e. don't just check for two '.'s, but make
sure it has slashes around it). Is there anything obviously worse with
this from a security point of view?

========================================
===========================
--- lib/Perlbal/ClientHTTPBase.pm (revision 623)
+++ lib/Perlbal/ClientHTTPBase.pm (working copy)
@@ -362,7 +362,7 @@
return 1 if $self->{service}->run_hook('start_serve_request', $self, \$uri);

# don't allow directory traversal
- if ($uri =~ /\.\./ || $uri !~ m!^/!) {
+ if ($uri =~ /\/\.\.\// || $uri !~ m!^/!) {
return $self->_simple_response(403, "Bogus URL");
}
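
Review bot: the new pattern on the `+` line only matches `..` when it has a slash on both sides, so a URI that ends in `/..` with no trailing slash now passes this check, where the old `/\.\./` test rejected it. Anchoring on segment boundaries instead, for example `m!(?:^|/)\.\.(?:/|\z)!`, would still let names like 'blah...234089' through while rejecting `..` as a complete path segment at any position. The comment above the check could also say that only whole `..` segments are rejected, since that is now the rule.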

Best wishes,
Jeremy
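
The three ways of testing a path for `..` that come up around this patch, compared side by side. This is an added example, not part of the original post or of Perlbal's code; the check names (`original`, `patched`, `segment`), the `is_rejected` helper and the sample paths are constructed for illustration, and the `segment` pattern is one possible alternative, not something the thread proposes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Three candidate tests for ".." in a request path.
my %checks = (
    # Pre-patch: any two consecutive dots anywhere in the path.
    original => sub { $_[0] =~ /\.\./ },
    # Patch from the post: ".." only when a slash is on both sides.
    patched  => sub { $_[0] =~ /\/\.\.\// },
    # Alternative (assumption): ".." as a complete path segment,
    # including at the very end of the path.
    segment  => sub { $_[0] =~ m!(?:^|/)\.\.(?:/|\z)! },
);

# Returns 1 if the path would get the 403 response, 0 otherwise.
# The leading-slash requirement is the second half of the
# condition in the hunk and applies to every variant.
sub is_rejected {
    my ($name, $uri) = @_;
    return 1 if $uri !~ m!^/!;
    return $checks{$name}->($uri) ? 1 : 0;
}

# Constructed sample paths, not taken from any real deployment.
my @paths = (
    '/files/blah...234089/a.txt',   # dots inside a directory name
    '/files/a..b',                  # dots inside a file name
    '/files/../other',              # ".." segment in the middle
    '/files/..',                    # ".." segment at the end
    'files/x',                      # no leading slash
);

my @order = qw(original patched segment);
printf "%-30s %-9s %-9s %-9s\n", 'path', @order;
for my $p (@paths) {
    printf "%-30s %-9s %-9s %-9s\n", $p,
        map { is_rejected($_, $p) ? 'reject' : 'allow' } @order;
}
```

The row for `/files/..` is where `patched` and `segment` differ: only the segment-anchored pattern still rejects it.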

