From: Arthur Axel 'fREW' Schmidt Date: Wed, 2 Aug 2017 16:31:57 +0000 (-0700) Subject: Fix security vulnerability, when serving static files with dots in the names X-Git-Tag: v0.34~5 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Plugin-Static-Simple.git;a=commitdiff_plain;h=45d45d1c43d860bd411ca208c9f130ddb229c90b Fix security vulnerability, when serving static files with dots in the names --- diff --git a/Changes b/Changes index 319147f..c11cf67 100755 --- a/Changes +++ b/Changes @@ -1,5 +1,8 @@ Revision history for Perl extension Catalyst::Plugin::Static::Simple + - Fix security vulnerability, when serving static files with dots in the + names (RT#120558) + 0.33 2014-09-26 17:00 BST - In the case where someone is trying to merge configurations and some config sets use the depracated 'static' keyword, the diff --git a/lib/Catalyst/Plugin/Static/Simple.pm b/lib/Catalyst/Plugin/Static/Simple.pm index 7aca818..e8cb1d2 100755 --- a/lib/Catalyst/Plugin/Static/Simple.pm +++ b/lib/Catalyst/Plugin/Static/Simple.pm @@ -64,7 +64,7 @@ before prepare_action => sub { } # Does the path have an extension? - if ( $path =~ /.*\.(\S{1,})$/xms ) { + if ( $path =~ /\.([^\/\\]+)$/m ) { # and does it exist? $c->_locate_static_file( $path ); }
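Review bot: In the Changes hunk, the new entry sits above the 0.33 heading without a version or date line of its own, and it names only the RT ticket (RT#120558). Consider adding the release heading when the version is cut, and stating the behaviour change in the entry itself (the matched extension can no longer contain `/` or `\`), so that readers of the changelog can tell which paths were affected without opening the ticket.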
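Review bot: In the lib/Catalyst/Plugin/Static/Simple.pm hunk, the replacement pattern `/\.([^\/\\]+)$/m` keeps the `/m` modifier, so `$` still matches before any embedded newline rather than only at the end of the string, and the negated class `[^\/\\]` itself matches newlines. A path containing a newline can therefore still pass the extension test on something other than its final segment. Suggest anchoring with `\z` and dropping `/m`, for example `/\.([^\/\\]+)\z/`, and excluding whitespace from the class if the earlier `\S` restriction was intentional, since the new class now accepts spaces where the old one did not. The diff also touches no test file, so a regression test for a request path with a dot in a directory component and no extension on the final segment would be worth adding alongside this change.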