updated to 0.10

diff --git a/Changes b/Changes
index f7beee5..7bf6604 100644 (file)
--- a/Changes
+++ b/Changes
@@ -1,5 +1,7 @@
 Tis file documents the revision history for Perl extension Catalyst.
 
+5.52    2005-11-14 10:57:00
+        - Strip '..'s in static urls to fix security issue.
 5.51    2005-11-14 00:45:00
         - Changed uri_for to use namespace instead of match.
 

diff --git a/lib/Catalyst.pm b/lib/Catalyst.pm
index 23ad038..8cb5af5 100644 (file)
--- a/lib/Catalyst.pm
+++ b/lib/Catalyst.pm
@@ -54,7 +54,7 @@ __PACKAGE__->engine_class('Catalyst::Engine::CGI');
 __PACKAGE__->request_class('Catalyst::Request');
 __PACKAGE__->response_class('Catalyst::Response');
 
-our $VERSION = '5.51';
+our $VERSION = '5.52';
 
 sub import {
     my ( $class, @arguments ) = @_;

diff --git a/lib/Catalyst/Plugin/Static/Simple.pm b/lib/Catalyst/Plugin/Static/Simple.pm
index 7e79cac..ea5c86e 100644 (file)
--- a/lib/Catalyst/Plugin/Static/Simple.pm
+++ b/lib/Catalyst/Plugin/Static/Simple.pm
@@ -4,6 +4,7 @@ use strict;
 use warnings;
 use base qw/Class::Accessor::Fast Class::Data::Inheritable/;
 use File::stat;
+use File::Spec::Functions qw/catdir no_upwards splitdir/;
 use IO::File;
 use MIME::Types;
 use NEXT;
@@ -111,7 +112,7 @@ sub setup {
 sub _locate_static_file {
     my $c = shift;
     
-    my $path = $c->req->path;
+    my $path = catdir(no_upwards(splitdir( $c->req->path )));
     
     my @ipaths = @{ $c->config->{static}->{include_path} };
     my $dpaths;