r67389 - in /branches/squeeze/libcgi-simple-perl: debian/changelog lib/CGI/Simple.pm t/050.simple.t t/070.standard.t t/headers.t
ntyni at users.alioth.debian.org
ntyni at users.alioth.debian.org
Fri Jan 14 19:41:00 UTC 2011
Author: ntyni
Date: Fri Jan 14 19:40:41 2011
New Revision: 67389
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=67389
Log:
[SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
backport fixes for the MIME boundary and multiline header vulnerabilities.
(Closes: #606379)
Added:
branches/squeeze/libcgi-simple-perl/t/headers.t
Modified:
branches/squeeze/libcgi-simple-perl/debian/changelog
branches/squeeze/libcgi-simple-perl/lib/CGI/Simple.pm
branches/squeeze/libcgi-simple-perl/t/050.simple.t
branches/squeeze/libcgi-simple-perl/t/070.standard.t
Modified: branches/squeeze/libcgi-simple-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-simple-perl/debian/changelog?rev=67389&op=diff
==============================================================================
--- branches/squeeze/libcgi-simple-perl/debian/changelog (original)
+++ branches/squeeze/libcgi-simple-perl/debian/changelog Fri Jan 14 19:40:41 2011
@@ -1,3 +1,11 @@
+libcgi-simple-perl (1.111-2) UNRELEASED; urgency=low
+
+ * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
+ backport MIME boundary and multiline header vulnerabilities fixes.
+ (Closes: #606379)
+
+ -- Niko Tyni <ntyni at debian.org> Fri, 14 Jan 2011 21:32:40 +0200
+
libcgi-simple-perl (1.111-1) unstable; urgency=low
* New upstream release
Modified: branches/squeeze/libcgi-simple-perl/lib/CGI/Simple.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-simple-perl/lib/CGI/Simple.pm?rev=67389&op=diff
==============================================================================
--- branches/squeeze/libcgi-simple-perl/lib/CGI/Simple.pm (original)
+++ branches/squeeze/libcgi-simple-perl/lib/CGI/Simple.pm Fri Jan 14 19:40:41 2011
@@ -986,6 +986,31 @@
],
@params
);
+
+ my $CRLF = $self->crlf;
+
+ # CR escaping for values, per RFC 822
+ for my $header (
+ $type, $status, $cookie, $target, $expires,
+ $nph, $charset, $attachment, $p3p, @other
+ ) {
+ if ( defined $header ) {
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+ # followed by a LWSP-char as equivalent to the LWSP-char.
+ $header =~ s/$CRLF(\s)/$1/g;
+
+ # All other uses of newlines are invalid input.
+ if ($header =~ m/$CRLF|\015|\012/) {
+ # shorten very long values in the diagnostic
+ $header = substr( $header, 0, 72 ) . '...'
+ if ( length $header > 72 );
+ die
+ "Invalid header value contains a newline not followed by whitespace: $header";
+ }
+ }
+ }
+
$nph ||= $self->{'.globals'}->{'NPH'};
$charset = $self->charset( $charset )
; # get charset (and set new charset if supplied)
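Review bot: The unfolding substitution `$header =~ s/$CRLF(\s)/$1/g;` accepts any `\s` after CRLF, but the RFC 822 rule quoted in the comment above it defines LWSP-char as SPACE or HTAB only; `\s` also matches CR, LF, FF and VT, so CRLF followed by a form feed unfolds to a bare form feed that the subsequent `m/$CRLF|\015|\012/` check does not reject. Tightening it to `$header =~ s/$CRLF([ \t])/$1/g;` matches the cited rule, and CRLF followed by CR or LF still reaches the `die` under either form. Because `for` aliases its list, the substitution rewrites the caller-visible variables in place, which looks intended so that the unfolded value is what gets emitted; a comment on the loop, `# for-aliasing: the unfolded value replaces the original in place`, would spare the next reader the check. If `$cookie` or `$p3p` can hold array references, the match sees only the stringified reference rather than the element values, which is worth confirming against how those are rendered later in the sub. The enclosing sub begins before this hunk.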
@@ -1042,7 +1067,6 @@
if $attachment;
push @header, @other;
push @header, "Content-Type: $type" if $type;
- my $CRLF = $self->crlf;
my $header = join $CRLF, @header;
$header .= $CRLF . $CRLF; # add the statutory two CRLFs
@@ -1105,7 +1129,14 @@
my ( $self, @p ) = @_;
use CGI::Simple::Util qw(rearrange);
my ( $boundary, @other ) = rearrange( ['BOUNDARY'], @p );
- $boundary = $boundary || '------- =_aaaaaaaaaa0';
+ if ( !$boundary ) {
+ $boundary = '------- =_';
+ my @chrs = ( '0' .. '9', 'A' .. 'Z', 'a' .. 'z' );
+ for ( 1 .. 17 ) {
+ $boundary .= $chrs[ rand( scalar @chrs ) ];
+ }
+ }
+
my $CRLF = $self->crlf; # get CRLF sequence
my $warning
= "WARNING: YOUR BROWSER DOESN'T SUPPORT THIS SERVER-PUSH TECHNOLOGY.";
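Review bot: The new `if ( !$boundary ) { ... }` block carries no comment on why the fixed `'------- =_aaaaaaaaaa0'` default was replaced, so a later maintainer could reasonably "simplify" it back to a constant; the log message ties this hunk to the MIME boundary fix among the listed CVEs. Suggest a comment above the `if`: `# Generate a fresh boundary per call: a fixed, publicly known boundary can be reproduced by whoever supplies part content (see the CVEs in debian/changelog).` Since `rand` is not a cryptographic generator, the 17 characters provide unpredictability against guessing rather than a strong guarantee, and a `# rand() is not a CSPRNG; adequate for an unguessable boundary, not for secrets` remark on the `rand` line would keep that honest. The loop could also be written `$boundary .= join '', map { $chrs[ rand @chrs ] } 1 .. 17;`, but that is a matter of taste.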
Modified: branches/squeeze/libcgi-simple-perl/t/050.simple.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-simple-perl/t/050.simple.t?rev=67389&op=diff
==============================================================================
--- branches/squeeze/libcgi-simple-perl/t/050.simple.t (original)
+++ branches/squeeze/libcgi-simple-perl/t/050.simple.t Fri Jan 14 19:40:41 2011
@@ -1,4 +1,4 @@
-use Test::More tests => 318;
+use Test::More tests => 319;
use Carp;
use strict;
use vars qw(%field %in);
@@ -940,17 +940,25 @@
is( $sv, $header, 'redirect() - nph, 1' );
################# Server Push Methods #################
-$q = new CGI::Simple;
+$q = CGI::Simple->new;
$sv = $q->multipart_init();
like(
$sv,
- qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+ qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
'multipart_init(), 1'
);
-like( $sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2' );
+like( $sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+ 'multipart_init(), 2' );
$sv = $q->multipart_init( 'this_is_the_boundary' );
like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3' );
+{
+ my $sv1 = $q->multipart_init;
+ my $sv2 = $q->multipart_init;
+ isnt( $sv1, $sv2,
+ "due to random boundaries, multiple calls produce different results"
+ );
+}
$sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );
like(
$sv,
Modified: branches/squeeze/libcgi-simple-perl/t/070.standard.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-simple-perl/t/070.standard.t?rev=67389&op=diff
==============================================================================
--- branches/squeeze/libcgi-simple-perl/t/070.standard.t (original)
+++ branches/squeeze/libcgi-simple-perl/t/070.standard.t Fri Jan 14 19:40:41 2011
@@ -1,4 +1,4 @@
-use Test::More tests => 288;
+use Test::More tests => 289;
use Carp;
use strict;
use vars qw(%field %in);
@@ -953,12 +953,21 @@
$sv = multipart_init();
like(
$sv,
- qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+ qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
'multipart_init(), 1'
);
-like( $sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2' );
+
+like( $sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+ 'multipart_init(), 2' );
$sv = multipart_init( 'this_is_the_boundary' );
like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3' );
+{
+ my $sv1 = multipart_init();
+ my $sv2 = multipart_init();
+ isnt( $sv1, $sv2,
+ "due to random boundaries, multiple calls produce different results"
+ );
+}
$sv = multipart_init( -boundary => 'this_is_another_boundary' );
like(
$sv,
Added: branches/squeeze/libcgi-simple-perl/t/headers.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/squeeze/libcgi-simple-perl/t/headers.t?rev=67389&op=file
==============================================================================
--- branches/squeeze/libcgi-simple-perl/t/headers.t (added)
+++ branches/squeeze/libcgi-simple-perl/t/headers.t Fri Jan 14 19:40:41 2011
@@ -1,0 +1,84 @@
+
+# Test that header generation is spec compliant.
+# References:
+# http://www.w3.org/Protocols/rfc2616/rfc2616.html
+# http://www.w3.org/Protocols/rfc822/3_Lexical.html
+
+use strict;
+use warnings;
+
+use Test::More 'no_plan';
+
+use CGI::Simple;
+
+my $cgi = CGI::Simple->new;
+
+like $cgi->header( -type => "text/html" ),
+ qr#Type: text/html#, 'known header, basic case: type => "text/html"';
+
+eval {
+ like $cgi->header(
+ -type => "text/html" . $cgi->crlf . "evil: stuff" ),
+ qr#Type: text/html evil: stuff#, 'known header';
+};
+like( $@, qr/contains a newline/, 'invalid header blows up' );
+
+like $cgi->header(
+ -type => "text/html" . $cgi->crlf . " evil: stuff " ),
+ qr#Content-Type: text/html evil: stuff#,
+ 'known header, with leading and trailing whitespace on the continuation line';
+
+eval {
+ like $cgi->header(
+ -foobar => "text/html" . $cgi->crlf . "evil: stuff" ),
+ qr#Foobar: text/htmlevil: stuff#, 'unknown header';
+};
+like(
+ $@,
+ qr/contains a newline/,
+ 'unknown header with CRLF embedded blows up'
+);
+
+like $cgi->header( -foobar => "Content-type: evil/header" ),
+ qr#^Foobar: Content-type: evil/header#m,
+ 'unknown header with leading newlines';
+
+eval {
+ like $cgi->redirect(
+ -type => "text/html" . $cgi->crlf . "evil: stuff" ),
+ qr#Type: text/htmlevil: stuff#, 'redirect w/ known header';
+};
+like(
+ $@,
+ qr/contains a newline/,
+ 'redirect with known header with CRLF embedded blows up'
+);
+
+eval {
+ like $cgi->redirect(
+ -foobar => "text/html" . $cgi->crlf . "evil: stuff" ),
+ qr#Foobar: text/htmlevil: stuff#, 'redirect w/ unknown header';
+};
+like(
+ $@,
+ qr/contains a newline/,
+ 'redirect with unknown header with CRLF embedded blows up'
+);
+
+eval {
+ like $cgi->redirect(
+ $cgi->crlf . $cgi->crlf . "Content-Type: text/html" ),
+ qr#Location: Content-Type#, 'redirect w/ leading newline ';
+};
+like(
+ $@,
+ qr/contains a newline/,
+ 'redirect with leading newlines blows up'
+);
+
+{
+ my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');
+ my $out;
+ eval { $out = $cgi->redirect( $cgi->param('t') ) };
+ like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
+}
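Review bot: `use Test::More 'no_plan';` lets a script that dies part-way through report success for the assertions that did run; since this file has a fixed set of checks, dropping `'no_plan'` and ending the file with `done_testing;` turns an early abort into a failure. The description `'unknown header with leading newlines'` does not match its input `"Content-type: evil/header"`, which contains no newline at all; it actually checks that a header-shaped value stays the value of `Foobar`, so a name such as `'unknown header value shaped like a header line stays a value'` would be accurate. The `like` calls inside the `eval` blocks are never reached when the expected `die` fires, so their patterns (for example `qr#Type: text/html evil: stuff#`) are dead expectations; a comment like `# the like() below is only reached if the die is missing` would make that shape deliberate rather than puzzling.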