r65153 - in /branches/upstream/libcgi-pm-perl/current: Changes META.yml lib/CGI.pm lib/CGI/Cookie.pm t/http.t

periapt-guest at users.alioth.debian.org periapt-guest at users.alioth.debian.org
Sun Nov 21 10:39:39 UTC 2010


Author: periapt-guest
Date: Sun Nov 21 10:39:29 2010
New Revision: 65153

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=65153
Log:
[svn-upgrade] new version libcgi-pm-perl (3.50)

Modified:
    branches/upstream/libcgi-pm-perl/current/Changes
    branches/upstream/libcgi-pm-perl/current/META.yml
    branches/upstream/libcgi-pm-perl/current/lib/CGI.pm
    branches/upstream/libcgi-pm-perl/current/lib/CGI/Cookie.pm
    branches/upstream/libcgi-pm-perl/current/t/http.t

Modified: branches/upstream/libcgi-pm-perl/current/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-pm-perl/current/Changes?rev=65153&op=diff
==============================================================================
--- branches/upstream/libcgi-pm-perl/current/Changes (original)
+++ branches/upstream/libcgi-pm-perl/current/Changes Sun Nov 21 10:39:29 2010
@@ -1,3 +1,21 @@
+Version 3.50
+  
+  [SECURITY]
+  1. The MIME boundary in multipart_init is now random. 
+     Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and  Mark Stosberg
+  2. Further improvements to handling of newlines embedded in header values. 
+     An exception is thrown if header values contain invalid newlines. 
+     Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
+     Lincoln Stein, Frédéric Buclin and Mark Stosberg
+
+  [DOCUMENTATION]
+  1. Correcting/clarifying documentation for param_fetch(). Thanks to 
+        Renée Bäcker. (RT#59132)
+
+  [INTERNALS]
+  1. Fixing https test in http.t. (RT#54768)
+  2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple. 
+
 Version 3.49
 
   [BUG FIXES]

Modified: branches/upstream/libcgi-pm-perl/current/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-pm-perl/current/META.yml?rev=65153&op=diff
==============================================================================
--- branches/upstream/libcgi-pm-perl/current/META.yml (original)
+++ branches/upstream/libcgi-pm-perl/current/META.yml Sun Nov 21 10:39:29 2010
@@ -1,15 +1,25 @@
 --- #YAML:1.0
-name:                CGI.pm
-version:             3.49
-abstract:            ~
-license:             ~
-author:              ~
-generated_by:        ExtUtils::MakeMaker version 6.42
-distribution_type:   module
-requires:     
-    FCGI:                          0.67
-    File::Spec:                    0.82
-    Test::More:                    0.8
+name:               CGI.pm
+version:            3.50
+abstract:           ~
+author:  []
+license:            unknown
+distribution_type:  module
+configure_requires:  {}
+build_requires:  {}
+requires:
+    FCGI:        0.67
+    File::Spec:  0.82
+    perl:        5.006000
+    Test::More:  0.8
+resources:
+    repository:  http://github.com/markstos/CGI.pm/tree/master
+no_index:
+    directory:
+        - t
+        - inc
+        - t
+generated_by:       ExtUtils::MakeMaker version 6.55_02
 meta-spec:
-    url:     http://module-build.sourceforge.net/META-spec-v1.3.html
-    version: 1.3
+    url:      http://module-build.sourceforge.net/META-spec-v1.4.html
+    version:  1.4

Modified: branches/upstream/libcgi-pm-perl/current/lib/CGI.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-pm-perl/current/lib/CGI.pm?rev=65153&op=diff
==============================================================================
--- branches/upstream/libcgi-pm-perl/current/lib/CGI.pm (original)
+++ branches/upstream/libcgi-pm-perl/current/lib/CGI.pm Sun Nov 21 10:39:29 2010
@@ -18,8 +18,9 @@
 # The most recent version and complete docs are available at:
 #   http://stein.cshl.org/WWW/software/CGI/
 
+# The revision is no longer being updated since moving to git. 
 $CGI::revision = '$Id: CGI.pm,v 1.266 2009/07/30 16:32:34 lstein Exp $';
-$CGI::VERSION='3.49';
+$CGI::VERSION='3.50';
 
 # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
 # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -1457,7 +1458,14 @@
 sub multipart_init {
     my($self, at p) = self_or_default(@_);
     my($boundary, at other) = rearrange_header([BOUNDARY], at p);
-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
+    if (!$boundary) {
+        $boundary = '------- =_';
+        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+        for (1..17) {
+            $boundary .= $chrs[rand(scalar @chrs)];
+        }
+    }
+
     $self->{'separator'} = "$CRLF--$boundary$CRLF";
     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
     $type = SERVER_PUSH($boundary);
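Review bot: The boundary built on the added lines is drawn from Perl's built-in `rand`, which is seeded automatically but is not a cryptographically strong generator, so on many builds the 17 characters carry far less unpredictability than the 62^17 alphabet suggests; the value should be documented as collision avoidance rather than as an unguessable secret. A comment such as `# rand() is not a CSPRNG: this boundary protects against accidental collisions with body content, not against a party who can observe earlier output` would set the right expectation for maintainers. The loop can also be written as one line, `$boundary .= join '', map { $chrs[rand @chrs] } 1 .. 17;`. A caller-supplied `-boundary` bypasses this block unchanged, so its contents remain the caller's responsibility; the ` at p` in the signature line appears to be a mail-archive rendering of `@p`.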
@@ -1545,12 +1553,19 @@
     # CR escaping for values, per RFC 822
     for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
         if (defined $header) {
-            $header =~ s/
-                (?<=\n)    # For any character proceeded by a newline
-                (?=\S)     # ... that is not whitespace
-            / /xg;         # ... inject a leading space in the new line
-        }
-    }
+            # From RFC 822:
+            # Unfolding  is  accomplished  by regarding   CRLF   immediately
+            # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+            $header =~ s/$CRLF(\s)/$1/g;
+
+            # All other uses of newlines are invalid input. 
+            if ($header =~ m/$CRLF/) {
+                # shorten very long values in the diagnostic
+                $header = substr($header,0,72).'...' if (length $header > 72);
+                die "Invalid header value contains a newline not followed by whitespace: $header";
+            }
+        } 
+   }
 
     $nph     ||= $NPH;
 
@@ -1614,7 +1629,6 @@
     return $header;
 }
 END_OF_FUNC
-
 
 #### Method: cache
 # Control whether header() will produce the no-cache
@@ -4707,9 +4721,10 @@
    unshift @{$q->param_fetch(-name=>'address')},'George Munster';
 
 If you need access to the parameter list in a way that isn't covered
-by the methods above, you can obtain a direct reference to it by
-calling the B<param_fetch()> method with the name of the .  This
-will return an array reference to the named parameters, which you then
+by the methods given in the previous sections, you can obtain a direct 
+reference to it by
+calling the B<param_fetch()> method with the name of the parameter.  This
+will return an array reference to the named parameter, which you then
 can manipulate in any way you like.
 
 You can also use a named argument style using the B<-name> argument.

Modified: branches/upstream/libcgi-pm-perl/current/lib/CGI/Cookie.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-pm-perl/current/lib/CGI/Cookie.pm?rev=65153&op=diff
==============================================================================
--- branches/upstream/libcgi-pm-perl/current/lib/CGI/Cookie.pm (original)
+++ branches/upstream/libcgi-pm-perl/current/lib/CGI/Cookie.pm Sun Nov 21 10:39:29 2010
@@ -305,7 +305,9 @@
 
 For full information on cookies see 
 
-	http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt
+	http://tools.ietf.org/html/rfc2109
+	http://tools.ietf.org/html/rfc2965
+	http://tools.ietf.org/html/draft-ietf-httpstate-cookie
 
 =head1 USING CGI::Cookie
 
@@ -355,18 +357,19 @@
 If the "secure" attribute is set, the cookie will only be sent to your
 script if the CGI request is occurring on a secure channel, such as SSL.
 
-=item B<4. httponly flag>
+=item B<5. httponly flag>
 
 If the "httponly" attribute is set, the cookie will only be accessible
 through HTTP Requests. This cookie will be inaccessible via JavaScript
 (to prevent XSS attacks).
 
-But, currently this feature only used and recognised by 
-MS Internet Explorer 6 Service Pack 1 and later.
-
-See this URL for more information:
-
-L<http://msdn.microsoft.com/en-us/library/ms533046%28VS.85%29.aspx>
+This feature is only supported by recent browsers like Internet Explorer
+6 Service Pack 1, Firefox 3.0 and Opera 9.5 (and later of course).
+
+See these URLs for more information:
+
+	http://msdn.microsoft.com/en-us/library/ms533046.aspx
+	http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly
 
 =back
 

Modified: branches/upstream/libcgi-pm-perl/current/t/http.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libcgi-pm-perl/current/t/http.t?rev=65153&op=diff
==============================================================================
--- branches/upstream/libcgi-pm-perl/current/t/http.t (original)
+++ branches/upstream/libcgi-pm-perl/current/t/http.t Sun Nov 21 10:39:29 2010
@@ -34,8 +34,8 @@
     # https()
     # The same as http(), but operates on the HTTPS environment variables present when the SSL protocol is in
     # effect.  Can be used to determine whether SSL is turned on.
-    local $ENV{'HTTPS'} = 'ON';
-    local $ENV{'HTTPS_KEYSIZE'} = 512;
+    local %ENV;
+    @ENV{qw/ HTTPS HTTPS_KEYSIZE /} = ('ON', 512);
     is $cgi->https(), 'ON', 'scalar context to check SSL is on';
     ok eq_set( [$cgi->https()], [qw(HTTPS HTTPS_KEYSIZE)]), 'list context returns https keys';
 }



