
@miyagawa
miyagawa / text.md
Last active August 29, 2015 14:05
Plack::Middleware::Session::Cookie vulnerability

Aug 11, 2014

Plack::Middleware::Session::Cookie 0.21 has a security vulnerability: when the middleware is enabled without a secret, an attacker can execute arbitrary code on the server.

If you use Plack::Middleware::Session::Cookie, you must pass the secret option to the middleware. The secret is what the middleware signs the session cookie with, so its value must be kept private: anyone who has it can forge sessions.

  • Version 0.22, released today, prints a big WARNING when the middleware is enabled without a secret.
  • Version 0.23 TRIAL, also released, refuses to run without a secret and exits with an error at startup. It will become a non-trial release in a few days.
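An added example of the required configuration (this is not code from the module or from this gist's author): a `.psgi` that reads the secret from the environment, refuses to start without one (the behaviour 0.23 enforces on startup), and enables the middleware with it. The variable name SESSION_SECRET, the minimum length, the cookie name and the application body are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example; not Plack::Middleware::Session::Cookie's own code.
use strict;
use warnings;
use Plack::Builder;

# SESSION_SECRET is an assumed variable name. Keep the value out of the
# repository and out of command-line arguments; it signs every session cookie.
my $secret = $ENV{SESSION_SECRET};
die "SESSION_SECRET is not set; Session::Cookie without a secret lets any client forge its session\n"
    unless defined $secret && length($secret) >= 32;   # 32 is an assumed minimum

my $app = sub {
    my $env     = shift;
    my $session = $env->{'psgix.session'};   # hashref provided by the middleware
    $session->{hits} = ($session->{hits} || 0) + 1;
    return [ 200, [ 'Content-Type' => 'text/plain' ], ["hits: $session->{hits}\n"] ];
};

builder {
    # Vulnerable form in 0.21 (do not use):   enable 'Session::Cookie';
    # Correct form: always pass the secret, and keep the cookie HttpOnly
    # and HTTPS-only (the app is assumed to be served over HTTPS).
    enable 'Session::Cookie',
        secret      => $secret,
        session_key => 'app_session',
        httponly    => 1,
        secure      => 1;
    $app;
};
```

Run it with `SESSION_SECRET=... plackup app.psgi`; starting it without the variable fails immediately instead of serving unsigned sessions. To confirm which version is installed, print the distribution's main module version with `perl -MPlack::Middleware::Session -e 'print $Plack::Middleware::Session::VERSION, "\n"'`, and upgrade with `cpanm Plack::Middleware::Session`.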

Solution

Carton

  • carton install
    • Installs modules locally
    • Collects artifacts (metadata)
    • Dumps versions to the snapshot file
  • carton install --deployment
    • Recreates the CPAN mirror from the snapshot
    • Installs modules with cpanm
```console
➜ cpanminus git:(devel) ✗ perl -Ilib script/cpanm.PL --info App::cpanminus@1.7006
---
filtered:
  query:
    nested:
      path: module
      query:
        custom_score:
          metacpan_script: score_version_numified
          query:
```
@miyagawa
miyagawa / a.md
Last active August 29, 2015 14:06
Upgrade cpanm to the latest without the current cpanm

cpanm 1.7008 had a packaging error: it may fail to run if you don't have the latest Parse::CPAN::Meta in your Perl library paths. 1.7008 was available on PAUSE for only 20 minutes, and the issue is fixed in 1.7009. If you're one of the few people who got 1.7008 from PAUSE and ended up with a non-working cpanm, use the regular "first installation" method to get the fixed version:

  • curl -L cpanmin.us | perl - App::cpanminus
  • plenv install-cpanm
  • perlbrew install-cpanm
```console
➜ cpanminus git:(devel) grep JSON/PP.pm /Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/**/.packlist
/Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/5.8.9/darwin-2level/auto/ExtUtils/MakeMaker/.packlist:/Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/5.8.9/JSON/PP.pm
➜ cpanminus git:(devel) PLENV_VERSION=5.8.9 perldoc -lm JSON::PP
/Users/miyagawa/.plenv/versions/5.8.9/lib/perl5/5.8.9/JSON/PP.pm
➜ cpanminus git:(devel) PLENV_VERSION=5.8.9 cpanm --reinstall JSON::PP
Successfully reinstalled JSON-PP-2.27203
1 distribution installed
```
```console
➜ ~ grep -irl miyagawa /System/Library/Perl/
/System/Library/Perl//5.12/pods/perlhist.pod
/System/Library/Perl//5.16/CPAN/HTTP/Client.pm
/System/Library/Perl//5.16/pods/perl5140delta.pod
/System/Library/Perl//5.16/pods/perlhist.pod
/System/Library/Perl//Extras/5.12/darwin-thread-multi-2level/DBI/Changes.pm
/System/Library/Perl//Extras/5.12/darwin-thread-multi-2level/JSON/Syck.pm
/System/Library/Perl//Extras/5.12/PPI.pm
/System/Library/Perl//Extras/5.12/Test/Requires.pm
/System/Library/Perl//Extras/5.12/URI/_punycode.pm
```
@miyagawa
miyagawa / podcast-feed-agents.pl
Last active August 29, 2015 14:10
Analyze podcast feed clients
```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON;

# Only requests whose path matches this pattern are analyzed
my $matching_path = qr!^/rebuildfm!;

# User-Agent pattern => client name; first match wins.
# The preview shows only the first two rows of the table.
my @UA = (
    [qr/^Podcasts?\/\d/               => "Apple Podcasts"],
    [qr/^iTunes\/[\d\.]+ \(Macintosh/ => "iTunes (OS X)"],
);
```
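The rest of the script is cut off in the preview. As an added example (not the gist's own code), here is a complete version of the analysis the fragment sets up: parse access-log lines, keep the requests whose path matches `$matching_path`, classify the User-Agent with a first-match table like `@UA`, and emit per-client counts as JSON. The log lines are constructed, the combined log format is assumed, and the Overcast row and the `parse_line`/`classify` helpers are this example's additions.

```perl
#!/usr/bin/env perl
# Added example, not code from podcast-feed-agents.pl.
use strict;
use warnings;
use JSON::PP;

my $matching_path = qr!^/rebuildfm!;

# User-Agent pattern => client name; first match wins. The Overcast row is assumed.
my @UA = (
    [qr/^Podcasts?\/\d/               => "Apple Podcasts"],
    [qr/^iTunes\/[\d\.]+ \(Macintosh/ => "iTunes (OS X)"],
    [qr/^Overcast\//                  => "Overcast"],
);

# Constructed sample lines in Apache/nginx combined log format (not real traffic)
my @lines = (
    '1.2.3.4 - - [12/Aug/2014:10:00:00 +0900] "GET /rebuildfm/feed.xml HTTP/1.1" 200 1234 "-" "Podcasts/2.0 CFNetwork/711 Darwin/14.0"',
    '1.2.3.5 - - [12/Aug/2014:10:00:01 +0900] "GET /rebuildfm/feed.xml HTTP/1.1" 304 0 "-" "iTunes/11.3 (Macintosh; OS X 10.9.4) AppleWebKit/537.78.2"',
    '1.2.3.6 - - [12/Aug/2014:10:00:02 +0900] "GET /rebuildfm/feed.xml HTTP/1.1" 200 1234 "-" "Overcast/1.0 (+http://overcast.fm/; iOS podcast app)"',
    '1.2.3.7 - - [12/Aug/2014:10:00:03 +0900] "GET /other/feed.xml HTTP/1.1" 200 10 "-" "Podcasts/2.0"',
    '1.2.3.8 - - [12/Aug/2014:10:00:04 +0900] "GET /rebuildfm/feed.xml HTTP/1.1" 200 1234 "-" "curl/7.30.0"',
);

# Extract the request path and the trailing User-Agent field; returns an
# empty list for lines that do not look like a GET/HEAD in combined format.
sub parse_line {
    my ($line) = @_;
    my ($path, $ua) = $line =~ m{"(?:GET|HEAD) (\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "([^"]*)"$}
        or return;
    return ($path, $ua);
}

# Map a User-Agent string to a client name; anything unmatched is "Other"
sub classify {
    my ($ua) = @_;
    for my $row (@UA) {
        return $row->[1] if $ua =~ $row->[0];
    }
    return "Other";
}

my %count;
for my $line (@lines) {
    my ($path, $ua) = parse_line($line) or next;   # skip unparsable lines
    next unless $path =~ $matching_path;           # skip requests outside the feed
    $count{ classify($ua) }++;
}

print JSON::PP->new->canonical->pretty->encode(\%count);
```

With the constructed lines above, the `/other/feed.xml` request is dropped by the path filter and the curl fetch lands in "Other"; replacing `@lines` with `<STDIN>` turns it into a filter over a real access log.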
```ruby
desc "upload to SoundCloud"
task :scupload do
  require 'soundcloud'
  # Episode number and OAuth token come from the environment, never from the Rakefile
  ep    = ENV['EP']               or raise 'EP is required'
  token = ENV['SOUNDCLOUD_TOKEN'] or raise 'SOUNDCLOUD_TOKEN is required'
  media = "_media/podcast-ep#{ep}.mp3"
  client = SoundCloud.new(access_token: token)
  # the upload call itself is cut off in this preview
```
```ruby
desc "Set up nginx redirects"
task :redirects do
  # HOST is defined elsewhere in the Rakefile
  system "bundle exec jekyll build"
  system "scp _site/redirects.conf root@#{HOST}:/var/www/cache.rebuild.fm/"
  # test the new config before reloading so a bad file never takes the server down
  system "ssh -l root #{HOST} 'nginx -t && nginx -s reload'"
end
```
diff --git a/Rakefile b/Rakefile
index ca4af4d..0ba34e1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -214,16 +214,11 @@ def next_episode
}.max + 1
end
-desc "ping updates to FeedPress"
+desc "ping updates to Superfeedr Hub"
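Review bot: the hunk header (@@ -214,16 +214,11 @@) removes 16 lines and adds 11, but the preview stops right after the desc rename, so the task body that actually changes the ping target is not visible here. When landing this, make sure the lines that followed the old `desc "ping updates to FeedPress"` (the FeedPress request and any credentials or API key it used) are removed together with the description, and state the hub URL the task now posts to in the desc or a comment so the rename can be checked against the code.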