From 34f8331365bf6f70236b64e0db0b87d334c76919 Mon Sep 17 00:00:00 2001
From: swaggboi
Date: Wed, 24 Mar 2021 14:54:38 -0400
Subject: [PATCH] Security-related changes

I've added `apt-get -y upgrade` to the Dockerfile to ensure the latest security patches for Debian are pulled into the container and I've also hard-coded in the file extension for the CGI scripts/plugin due to some security vulnerability that's been patched in Mojolicious v9.11+ (probably should've been done this way in the first place)
---
 Dockerfile | 4 ++++
 www-swagg.pl | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3ceaebd..5d80bd7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,7 @@ FROM perl:5.32
 # Dependency time
 RUN apt-get update
+RUN apt-get -y upgrade
 RUN apt-get -y install fortune-mod ruby
 RUN cpanm CGI
 RUN cpanm CGI::Carp
@@ -9,6 +10,9 @@ RUN cpanm Mojolicious
 RUN cpanm Mojolicious::Plugin::CGI
 RUN cpanm Number::Format
 RUN cpanm Regexp::Common
+# Version 0.106 of Getopt::Long::Descriptive won't build for me; as
+# it's just a dependency for WebService::Mattermost anyways let's just
+# go with 0.105 since we know that works
 RUN cpanm RJBS/Getopt-Long-Descriptive-0.105.tar.gz
 RUN cpanm WebService::Mattermost
 RUN cpanm XML::LibXML
diff --git a/www-swagg.pl b/www-swagg.pl
index 8b10c82..ec43228 100755
--- a/www-swagg.pl
+++ b/www-swagg.pl
@@ -11,8 +11,8 @@ use Number::Format qw{format_number};
 plugin 'Config';
 # CGI scripts
-plugin CGI => ['/cgi-bin/guest' => './cgi-bin/guest_mm.cgi'];
-plugin CGI => ['/cgi-bin/whoami' => './cgi-bin/whoami.cgi' ];
+plugin CGI => ['/cgi-bin/guest.cgi' => './cgi-bin/guest_mm.cgi'];
+plugin CGI => ['/cgi-bin/whoami.cgi' => './cgi-bin/whoami.cgi' ];
 # Handle the session
 under sub {
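Review bot: The added `RUN apt-get -y upgrade` is its own layer after a separate `RUN apt-get update`, so Docker's build cache can reuse both layers on later builds and the image will keep whatever package set was current the first time it was built. Chaining the steps keeps the package index and the upgrade in step with each other: `RUN apt-get update && apt-get -y upgrade && apt-get -y install fortune-mod ruby`. To get the patches the description is after, the image also has to be rebuilt without the cache and with a fresh base, for example `docker build --pull --no-cache`, since `perl:5.32` is a moving tag.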
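Review bot: The two `plugin CGI` routes now assume the patched Mojolicious named in the description, but nothing in this patch enforces that version: the Dockerfile still runs an unversioned `RUN cpanm Mojolicious`, and a cached layer can leave an older release installed. Stating the floor in the Dockerfile, `RUN cpanm Mojolicious~9.11`, makes the build fail rather than silently ship the older release. A comment above the routes would record why the extension is written out, for example `# Extension is explicit on purpose; see the Mojolicious 9.11 security fix`. The old paths `/cgi-bin/guest` and `/cgi-bin/whoami` presumably stop resolving after this change, so any template or form that links to them needs the same update; those files are not part of this patch.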