From: Marcus Ramberg
Date: Mon, 14 Nov 2005 11:17:20 +0000 (+0000)
Subject: updated to 0.10
X-Git-Tag: 5.7099_04~926
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Runtime.git;a=commitdiff_plain;h=df755a7a2fe2851b9010f2cdbc48b8c494af89f0;hp=ff74d61643a93f58996c2f3db8d91d9a70b8478f
updated to 0.10
---
diff --git a/Changes b/Changes
index f7beee5..7bf6604 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,7 @@
 Tis file documents the revision history for Perl extension Catalyst.
+5.52 2005-11-14 10:57:00
+ - Strip '..'s in static urls to fix security issue.
 5.51 2005-11-14 00:45:00
 - Changed uri_for to use namespace instead of match.
diff --git a/lib/Catalyst.pm b/lib/Catalyst.pm
index 23ad038..8cb5af5 100644
--- a/lib/Catalyst.pm
+++ b/lib/Catalyst.pm
@@ -54,7 +54,7 @@ __PACKAGE__->engine_class('Catalyst::Engine::CGI');
 __PACKAGE__->request_class('Catalyst::Request');
 __PACKAGE__->response_class('Catalyst::Response');
-our $VERSION = '5.51';
+our $VERSION = '5.52';
 sub import {
 my ( $class, @arguments ) = @_;
diff --git a/lib/Catalyst/Plugin/Static/Simple.pm b/lib/Catalyst/Plugin/Static/Simple.pm
index 7e79cac..ea5c86e 100644
--- a/lib/Catalyst/Plugin/Static/Simple.pm
+++ b/lib/Catalyst/Plugin/Static/Simple.pm
@@ -4,6 +4,7 @@ use strict;
 use warnings;
 use base qw/Class::Accessor::Fast Class::Data::Inheritable/;
 use File::stat;
+use File::Spec::Functions qw/catdir no_upwards splitdir/;
 use IO::File;
 use MIME::Types;
 use NEXT;
@@ -111,7 +112,7 @@ sub setup {
 sub _locate_static_file {
 my $c = shift;
- my $path = $c->req->path;
+ my $path = catdir(no_upwards(splitdir( $c->req->path )));
 my @ipaths = @{ $c->config->{static}->{include_path} };
 my $dpaths;
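Review bot: In `_locate_static_file` (lib/Catalyst/Plugin/Static/Simple.pm), the new `catdir(no_upwards(splitdir( $c->req->path )))` line silently drops `.` and `..` segments instead of refusing the request, so a path containing `..` is rewritten and may resolve to a different file under the include paths than the one the URL names. Dropping segments also does not establish that the file finally served lies inside an include path (a symlink under the static root, for example, is not covered). I would treat any `..` segment as not found, e.g. `my @segs = splitdir( $c->req->path );` followed by `return if grep { $_ eq '..' } @segs;`, and where the candidate file is built later in this sub, compare its resolved path against the resolved include path before serving it. It is also worth confirming that `$c->req->path` is already percent-decoded when it reaches this line, since the filter only sees literal segments. The body of `_locate_static_file` continues past the hunk, so its return convention and any later containment check are not visible here, and the commit adds no regression test for the `..` case.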