r60507 - in /branches/lenny/libpoe-component-irc-perl/debian: changelog patches/filter-out-newline-in-arguments.patch patches/series

ansgar-guest at users.alioth.debian.org
Fri Jul 23 16:59:41 UTC 2010


Author: ansgar-guest
Date: Fri Jul 23 16:59:30 2010
New Revision: 60507

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=60507
Log:
Filter out \r and \n in commands to prevent command injection.
(Closes: #581194)

Added:
    branches/lenny/libpoe-component-irc-perl/debian/patches/filter-out-newline-in-arguments.patch
Modified:
    branches/lenny/libpoe-component-irc-perl/debian/changelog
    branches/lenny/libpoe-component-irc-perl/debian/patches/series

Modified: branches/lenny/libpoe-component-irc-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libpoe-component-irc-perl/debian/changelog?rev=60507&op=diff
==============================================================================
--- branches/lenny/libpoe-component-irc-perl/debian/changelog (original)
+++ branches/lenny/libpoe-component-irc-perl/debian/changelog Fri Jul 23 16:59:30 2010
@@ -1,3 +1,10 @@
+libpoe-component-irc-perl (5.84+dfsg-1+lenny1) UNRELEASED; urgency=high
+
+  * Filter out \r and \n in commands to prevent command injection.
+    (Closes: #581194)
+
+ -- Ansgar Burchardt <ansgar at 43-1.org>  Sat, 24 Jul 2010 00:42:34 +0900
+
 libpoe-component-irc-perl (5.84+dfsg-1) unstable; urgency=low
 
   * New upstream release(s).
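Review bot: the new entry's wording "Filter out \r and \n in commands" does not match what the shipped patch does. The code change in filter-out-newline-in-arguments.patch cuts the message at the first CR or LF and discards everything after it, rather than removing only the newline characters. Suggest wording such as "Truncate commands at the first \r or \n to prevent command injection", so that anyone reading the changelog knows trailing data is dropped.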

Added: branches/lenny/libpoe-component-irc-perl/debian/patches/filter-out-newline-in-arguments.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libpoe-component-irc-perl/debian/patches/filter-out-newline-in-arguments.patch?rev=60507&op=file
==============================================================================
--- branches/lenny/libpoe-component-irc-perl/debian/patches/filter-out-newline-in-arguments.patch (added)
+++ branches/lenny/libpoe-component-irc-perl/debian/patches/filter-out-newline-in-arguments.patch Fri Jul 23 16:59:30 2010
@@ -1,0 +1,23 @@
+From: Ansgar Burchardt <ansgar at 43-1.org>
+Date: Sat, 24 Jul 2010 00:54:55 +0900
+Subject: Filter out newlines in arguments
+Bug-Debian: http://bugs.debian.org/581194
+Origin: backport, http://github.com/bingos/poe-component-irc/commit/675f55cd40ceebbc1bd2f309311a066bed41d869
+
+Filter out \n and \r passed as arguments to commands as this would allow the
+user to submit raw IRC commands.
+
+[ upstream patch by Hinrik Örn Sigurðsson <hinrik.sig at gmail.com> ]
+
+--- libpoe-component-irc-perl.orig/lib/POE/Component/IRC.pm
++++ libpoe-component-irc-perl/lib/POE/Component/IRC.pm
+@@ -1203,6 +1203,9 @@
+     my $now = time();
+     $self->{send_time} = $now if $self->{send_time} < $now;
+     
++    # if we find a newline in the message, take that to be the end of it    
++    $msg =~ s/[\015\012].*//s;
++
+     if (bytes::length($msg) > $self->{msg_length} - bytes::length($self->nick_name())) {
+         $msg = bytes::substr($msg, 0, $self->{msg_length} - bytes::length($self->nick_name()));
+     }
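Review bot: the added substitution `$msg =~ s/[\015\012].*//s;` drops everything after the first CR or LF silently, so a caller whose argument contained an embedded newline gets no indication that part of the message was never sent. Consider emitting a warning when the substitution matches, or at least documenting the truncation for callers. Placing it before the length check is right, since the byte-length truncation then operates on the already-sanitized string. The patch description says "Filter out \n and \r", which reads as stripping the characters; it should state that the message is cut at the first newline, as the in-code comment does. The added comment line also carries trailing whitespace.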

Modified: branches/lenny/libpoe-component-irc-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libpoe-component-irc-perl/debian/patches/series?rev=60507&op=diff
==============================================================================
--- branches/lenny/libpoe-component-irc-perl/debian/patches/series (original)
+++ branches/lenny/libpoe-component-irc-perl/debian/patches/series Fri Jul 23 16:59:30 2010
@@ -1,1 +1,2 @@
 missing_shebang.patch
+filter-out-newline-in-arguments.patch



