Fix security vulnerability, when serving static files with dots in the names
Arthur Axel 'fREW' Schmidt [Wed, 2 Aug 2017 16:31:57 +0000 (09:31 -0700)]
Changes
lib/Catalyst/Plugin/Static/Simple.pm

diff --git a/Changes b/Changes
index 319147f..c11cf67 100755 (executable)
--- a/Changes
+++ b/Changes
@@ -1,5 +1,8 @@
 Revision history for Perl extension Catalyst::Plugin::Static::Simple
 
+       - Fix security vulnerability, when serving static files with dots in the
+         names (RT#120558)
+
 0.33   2014-09-26 17:00 BST
        - In the case where someone is trying to merge configurations
        and some config sets use the depracated 'static' keyword, the
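Review bot: The entry added above `0.33   2014-09-26 17:00 BST` has no version or date heading of its own, so a reader of Changes cannot tell which release carries the security fix. Suggest adding the release heading when the version is cut, and stating in the entry which paths were affected (the regex change in Static/Simple.pm stops the captured extension from spanning `/` or `\`), so users can judge from the changelog alone whether they need to upgrade.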
index 7aca818..e8cb1d2 100755 (executable)
@@ -64,7 +64,7 @@ before prepare_action => sub {
     }
 
     # Does the path have an extension?
-    if ( $path =~ /.*\.(\S{1,})$/xms ) {
+    if ( $path =~ /\.([^\/\\]+)$/m ) {
         # and does it exist?
         $c->_locate_static_file( $path );
     }
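Review bot: The `+` line keeps the `/m` flag, so `$` also matches before a newline inside `$path`, and `[^\/\\]+` itself matches newline characters; the extension test is therefore not strictly tied to the end of the path. Suggest dropping `/m` and anchoring with `\z`, for example `if ( $path =~ /\.([^\/\\]+)\z/ ) {`. The commit's file list shows only Changes and Static/Simple.pm, so a regression test for a path that has a dot in a directory component and no extension on the file name would be worth adding with this fix.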