fixed Mojolicious::Static to hide files without extensions in DATA se…

…ctions
mojolicious · Oct 9, 2014 · cf65e4b · cf65e4b
1 parent 1d916ba
commit cf65e4b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/Changes b/Changes
@@ -3,6 +3,8 @@
   - Improved form content generator to allow custom content types.
   - Improved Mojo::Server to load applications consistently for all servers.
     (tianon, sri)
+  - Fixed Mojolicious::Static to hide files without extensions in DATA
+    sections.
 
 5.48  2014-10-07
   - Emergency release for a serious security issue that can result in

diff --git a/lib/Mojolicious/Static.pm b/lib/Mojolicious/Static.pm
@@ -120,8 +120,8 @@ sub _epoch { Mojo::Date->new(shift)->epoch }
 sub _get_data_file {
   my ($self, $rel) = @_;
 
-  # Protect templates
-  return undef if $rel =~ /\.\w+\.\w+$/;
+  # Protect files without extensions and templates with two extensions
+  return undef if $rel !~ /\.\w+$/ || $rel =~ /\.\w+\.\w+$/;
 
   $self->_warmup unless $self->{index};
 

diff --git a/t/mojolicious/static_lite_app.t b/t/mojolicious/static_lite_app.t
@@ -184,6 +184,9 @@ $t->get_ok('/hello4.txt' => {Range => 'bytes=0-0'})->status_is(416)
   ->header_is(Server          => 'Mojolicious (Perl)')
   ->header_is('Accept-Ranges' => 'bytes')->content_is('');
 
+# Hidden inline file
+$t->get_ok('/hidden')->status_is(404)->content_unlike(qr/Unreachable file/);
+
 # Base64 static inline file, If-Modified-Since
 my $modified = Mojo::Date->new->epoch(time - 3600);
 $t->get_ok('/static.txt' => {'If-Modified-Since' => $modified})
@@ -222,5 +225,8 @@ $t->get_ok('/static.txt' => {Range => 'bytes=45-50'})->status_is(416)
 done_testing();
 
 __DATA__
+@@ hidden
+Unreachable file.
+
 @@ static.txt (base64)
 dGVzdCAxMjMKbGFsYWxh