r23127 - in /branches/upstream/libcgi-session-perl/current: Changes META.yml lib/CGI/Session.pm lib/CGI/Session/Driver/file.pm
gregoa at users.alioth.debian.org
gregoa at users.alioth.debian.org
Sun Jul 13 17:20:30 UTC 2008
Author: gregoa
Date: Sun Jul 13 17:20:29 2008
New Revision: 23127
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=23127
Log:
[svn-upgrade] Integrating new upstream version, libcgi-session-perl (4.34)
Modified:
branches/upstream/libcgi-session-perl/current/Changes
branches/upstream/libcgi-session-perl/current/META.yml
branches/upstream/libcgi-session-perl/current/lib/CGI/Session.pm
branches/upstream/libcgi-session-perl/current/lib/CGI/Session/Driver/file.pm
Modified: branches/upstream/libcgi-session-perl/current/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-session-perl/current/Changes?rev=23127&op=diff
==============================================================================
--- branches/upstream/libcgi-session-perl/current/Changes (original)
+++ branches/upstream/libcgi-session-perl/current/Changes Sun Jul 13 17:20:29 2008
@@ -1,5 +1,18 @@
CGI::Session Change Log
=====================================================================
+
+4.34 - Sunday, July 13, 2008
+ * SECURITY: Patch CGI::Session::Driver::file to stop \ and / characters being used in
+ session ids and hence in file names. These characters, possibly combined with '..',
+ could have been used to access files outside the designated session file directory.
+ Reported by TAN Chew Keong of vuln.sg.
+ * FIX: Patch CGI::Session to propagate error upwards when _load_pluggables() fails.
+ See RT#37628 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490198.
+ * INTERNAL: Ship a machine-readable version of this file under the name Changelog.ini.
+ The latter file is generated by ini.report.pl, which is shipped with Module::Metadata::Changes.
+ The reason Changelog.ini does not contain a separate section for each version in this file
+ is that some of the versions documented below have no datestamp, and ini.report.pl does not create
+ fake datestamps.
4.33 - Monday, July 7, 2008
* FIX: Patch CGI::Session::Driver::mysql to replace 'REPLACE INTO ...' with
@@ -352,4 +365,4 @@
* Bug in POD documentation is fixed (thanks to Graham Barr)
-$Id: Changes 420 2008-07-08 01:23:06Z markstos $
+$Id: Changes 421 2008-07-13 00:48:43Z ron $
Modified: branches/upstream/libcgi-session-perl/current/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-session-perl/current/META.yml?rev=23127&op=diff
==============================================================================
--- branches/upstream/libcgi-session-perl/current/META.yml (original)
+++ branches/upstream/libcgi-session-perl/current/META.yml Sun Jul 13 17:20:29 2008
@@ -1,7 +1,7 @@
# http://module-build.sourceforge.net/META-spec.html
#XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX#
name: CGI-Session
-version: 4.33
+version: 4.34
version_from: lib/CGI/Session.pm
installdirs: site
requires:
Modified: branches/upstream/libcgi-session-perl/current/lib/CGI/Session.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-session-perl/current/lib/CGI/Session.pm?rev=23127&op=diff
==============================================================================
--- branches/upstream/libcgi-session-perl/current/lib/CGI/Session.pm (original)
+++ branches/upstream/libcgi-session-perl/current/lib/CGI/Session.pm Sun Jul 13 17:20:29 2008
@@ -1,13 +1,13 @@
package CGI::Session;
-# $Id: Session.pm 420 2008-07-08 01:23:06Z markstos $
+# $Id: Session.pm 425 2008-07-13 02:38:51Z markstos $
use strict;
use Carp;
use CGI::Session::ErrorHandler;
@CGI::Session::ISA = qw( CGI::Session::ErrorHandler );
-$CGI::Session::VERSION = '4.33';
+$CGI::Session::VERSION = '4.34';
$CGI::Session::NAME = 'CGISESSID';
$CGI::Session::IP_MATCH = 0;
@@ -447,7 +447,7 @@
return 1;
}
-# $Id: Session.pm 420 2008-07-08 01:23:06Z markstos $
+# $Id: Session.pm 425 2008-07-13 02:38:51Z markstos $
=pod
@@ -774,6 +774,12 @@
$self->_load_pluggables();
+ # Did load_pluggable fail? If so, tell our caller.
+ if ($class->errstr)
+ {
+ return $class->errstr;
+ }
+
if (not defined $self->{_CLAIMED_ID}) {
my $query = $self->query();
eval {
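Review bot: Returning `$class->errstr` from the new check hands the caller a true, non-object string, while the code around it (`$self->{_CLAIMED_ID}`, `$self->query()`) reads like the constructor path whose callers expect an object or undef; a caller written as `my $s = CGI::Session->load(...) or die CGI::Session->errstr;` would accept the string as a live session and fail on its first method call. If this is load() and its documented failure mode is undef with errstr already set, the consistent form is `return $class->set_error($class->errstr) if $class->errstr;`, which keeps the message where the caller already looks for it (assuming set_error returns empty, as the driver code's `return $self->set_error(...)` idiom suggests). Note also that errstr is read through the class rather than the instance; if it is backed by a class-wide variable, a message left over from an earlier failed call would trip this check even when _load_pluggables() succeeded unless it is cleared beforehand — confirm against ErrorHandler. The enclosing routine begins and ends outside the hunk.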
Modified: branches/upstream/libcgi-session-perl/current/lib/CGI/Session/Driver/file.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-session-perl/current/lib/CGI/Session/Driver/file.pm?rev=23127&op=diff
==============================================================================
--- branches/upstream/libcgi-session-perl/current/lib/CGI/Session/Driver/file.pm (original)
+++ branches/upstream/libcgi-session-perl/current/lib/CGI/Session/Driver/file.pm Sun Jul 13 17:20:29 2008
@@ -1,6 +1,6 @@
package CGI::Session::Driver::file;
-# $Id: file.pm 420 2008-07-08 01:23:06Z markstos $
+# $Id: file.pm 425 2008-07-13 02:38:51Z markstos $
use strict;
@@ -19,7 +19,7 @@
}
@CGI::Session::Driver::file::ISA = ( "CGI::Session::Driver" );
-$CGI::Session::Driver::file::VERSION = '4.33';
+$CGI::Session::Driver::file::VERSION = '4.34';
$FileName = "cgisess_%s";
$NoFlock = 0;
$UMask = 0660;
@@ -44,6 +44,14 @@
sub _file {
my ($self,$sid) = @_;
+ my $id = $sid;
+ $id =~ s|\\|/|g;
+
+ if ($id =~ m|/|)
+ {
+ return $self->set_error( "_file(): Session ids cannot contain \\ or / chars: $sid" );
+ }
+
return File::Spec->catfile($self->{Directory}, sprintf( $FileName, $sid ));
}
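Review bot: The added guard is a denylist — it rejects `\` and `/` but still passes every other byte of `$sid` through `sprintf($FileName, $sid)` into the path, so the fix holds only as long as no other character becomes significant (for instance when an installation sets `$FileName` to a bare `%s`, leaving nothing in front of the id). An allowlist anchored on the id's expected alphabet is the safer shape and replaces all of the added lines: `return $self->set_error("_file(): Invalid session id: $sid") unless $sid =~ m{\A[A-Za-z0-9_-]+\z};` — confirm the character set against the ID generators in use, since a static id generator lets the application choose the id. With either form, `_file()` now returns whatever `set_error()` returns on rejection, so each caller in this driver must treat an undef path as a failure rather than handing it to `-e` or `open`; those callers are outside the hunk. The error message echoes the rejected `$sid` verbatim, which is fine for a log but should not reach a user-facing response unescaped.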