Attachment 704881 Details for Bug 877015 – Fix ported to perl-5.10.1

[patch] Fix ported to perl-5.10.1

perl-5.10.1-CVE-2012-5526.patch (text/plain), 3.22 KB, created by Petr Pisar on 2013-03-04 11:25:13 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Petr Pisar

Created: 2013-03-04 11:25:13 UTC

Size: 3.22 KB

patch

obsolete

>From 6b54e621a4d26b55311f6737b2036505343eefb8 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
>Date: Mon, 4 Mar 2013 11:03:15 +0100
>Subject: [PATCH] Escape new-lines in Cookie and P3P headers (CVE-2012-5526)
>
>This is relevant difference between CGI 3.62 and 3.63.
>See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
>
>Port for CGI-3.51 bundled in perl-5.10.1.
>---
> lib/CGI.pm          | 24 ++++++++++++------------
> lib/CGI/t/headers.t |  6 ++++++
> 2 files changed, 18 insertions(+), 12 deletions(-)
>
>diff --git a/lib/CGI.pm b/lib/CGI.pm
>index d320d7f..7436a51 100644
>--- a/lib/CGI.pm
>+++ b/lib/CGI.pm
>@@ -1550,8 +1550,17 @@ sub header {
>                             'EXPIRES','NPH','CHARSET',
>                             'ATTACHMENT','P3P'],@p);
> 
>+    # Since $cookie and $p3p may be array references,
>+    # we must stringify them before CR escaping is done.
>+    my @cookie;
>+    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
>+        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
>+        push(@cookie,$cs) if defined $cs and $cs ne '';
>+    }
>+    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
>+
>     # CR escaping for values, per RFC 822
>-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
>+    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
>         if (defined $header) {
>             # From RFC 822:
>             # Unfolding  is  accomplished  by regarding   CRLF   immediately
>@@ -1595,18 +1604,9 @@ sub header {
> 
>     push(@header,"Status: $status") if $status;
>     push(@header,"Window-Target: $target") if $target;
>-    if ($p3p) {
>-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
>-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
>-    }
>+    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
>     # push all the cookies -- there may be several
>-    if ($cookie) {
>-	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
>-	for (@cookie) {
>-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
>-	    push(@header,"Set-Cookie: $cs") if $cs ne '';
>-	}
>-    }
>+    push(@header,map {"Set-Cookie: $_"} @cookie);
>     # if the user indicates an expiration time, then we need
>     # both an Expires and a Date header (so that the browser is
>     # uses OUR clock)
>diff --git a/lib/CGI/t/headers.t b/lib/CGI/t/headers.t
>index 661b74b..4b4922c 100644
>--- a/lib/CGI/t/headers.t
>+++ b/lib/CGI/t/headers.t
>@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');
> like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
>     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
> 
>+eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
>+like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
>+
>+eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
>+like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
>+
> eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
> like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
> 
>-- 
>1.8.1.4
>

Actions: View | Diff

Attachments on bug 877015: 646250 | 704881 | 705046