diff options
| -rwxr-xr-x | Porting/Maintainers.pl | 2 | ||||
| -rw-r--r-- | cpan/CGI/Changes | 6 | ||||
| -rw-r--r-- | cpan/CGI/lib/CGI.pm | 26 | ||||
| -rw-r--r-- | cpan/CGI/t/headers.t | 6 |
4 files changed, 26 insertions, 14 deletions
diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl index e335b5b08a..4e41dff790 100755 --- a/Porting/Maintainers.pl +++ b/Porting/Maintainers.pl @@ -343,7 +343,7 @@ use File::Glob qw(:case); 'CGI' => { 'MAINTAINER' => 'lstein', - 'DISTRIBUTION' => 'MARKSTOS/CGI.pm-3.62.tar.gz', + 'DISTRIBUTION' => 'MARKSTOS/CGI.pm-3.63.tar.gz', 'FILES' => q[cpan/CGI], 'EXCLUDED' => [ qw( cgi_docs.html diff --git a/cpan/CGI/Changes b/cpan/CGI/Changes index 52f1d02c20..731f4f28b3 100644 --- a/cpan/CGI/Changes +++ b/cpan/CGI/Changes @@ -1,3 +1,9 @@ +Version 3.63 Nov 12, 2012 + + [SECURITY] + - CR escaping for Set-Cookie and P3P headers was improved. There was potential + for newline injection in these headers. + (Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23) Version 3.62, Nov 9th, 2012 diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm index d8d91f49c6..df63490129 100644 --- a/cpan/CGI/lib/CGI.pm +++ b/cpan/CGI/lib/CGI.pm @@ -20,7 +20,7 @@ use Carp 'croak'; # The revision is no longer being updated since moving to git. $CGI::revision = '$Id: CGI.pm,v 1.266 2009/07/30 16:32:34 lstein Exp $'; -$CGI::VERSION='3.62'; +$CGI::VERSION='3.63'; # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES. # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING. @@ -1497,8 +1497,17 @@ sub header { 'EXPIRES','NPH','CHARSET', 'ATTACHMENT','P3P'],@p); + # Since $cookie and $p3p may be array references, + # we must stringify them before CR escaping is done. + my @cookie; + for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) { + my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_; + push(@cookie,$cs) if defined $cs and $cs ne ''; + } + $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY'; + # CR escaping for values, per RFC 822 - for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) { + for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) { if (defined $header) { # From RFC 822: # Unfolding is accomplished by regarding CRLF immediately @@ -1542,18 +1551,9 @@ sub header { push(@header,"Status: $status") if $status; push(@header,"Window-Target: $target") if $target; - if ($p3p) { - $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY'; - push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p")); - } + push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p; # push all the cookies -- there may be several - if ($cookie) { - my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie; - for (@cookie) { - my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_; - push(@header,"Set-Cookie: $cs") if $cs ne ''; - } - } + push(@header,map {"Set-Cookie: $_"} @cookie); # if the user indicates an expiration time, then we need # both an Expires and a Date header (so that the browser is # uses OUR clock) diff --git a/cpan/CGI/t/headers.t b/cpan/CGI/t/headers.t index 661b74bb79..4b4922c35f 100644 --- a/cpan/CGI/t/headers.t +++ b/cpan/CGI/t/headers.t @@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up'); like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ), qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line'; +eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) }; +like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up'); + +eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) }; +like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up'); + eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) }; like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up'); |