r75230 - in /trunk/libdata-formvalidator-perl/debian: changelog patches/ patches/fix-re-when-untainting.patch patches/series

dmn at users.alioth.debian.org dmn at users.alioth.debian.org
Tue Jun 7 10:11:19 UTC 2011


Author: dmn
Date: Tue Jun  7 10:11:11 2011
New Revision: 75230

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=75230
Log:
add a patch fixing a possible passing of invalid data in untaint mode
Closes: #629511

Added:
    trunk/libdata-formvalidator-perl/debian/patches/
    trunk/libdata-formvalidator-perl/debian/patches/fix-re-when-untainting.patch
    trunk/libdata-formvalidator-perl/debian/patches/series
Modified:
    trunk/libdata-formvalidator-perl/debian/changelog

Modified: trunk/libdata-formvalidator-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdata-formvalidator-perl/debian/changelog?rev=75230&op=diff
==============================================================================
--- trunk/libdata-formvalidator-perl/debian/changelog (original)
+++ trunk/libdata-formvalidator-perl/debian/changelog Tue Jun  7 10:11:11 2011
@@ -1,3 +1,10 @@
+libdata-formvalidator-perl (4.66-3) UNRELEASED; urgency=low
+
+  * add a patch fixing a possible passing of invalid data in untaint mode
+    Closes: #629511
+
+ -- Damyan Ivanov <dmn at debian.org>  Tue, 07 Jun 2011 13:10:12 +0300
+
 libdata-formvalidator-perl (4.66-2) unstable; urgency=low
 
   [ Russ Allbery ]
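
Review bot: the new 4.66-3 bullet describes the fix only as "a patch" and keeps urgency=low, although the same bullet says invalid data can pass validation in untaint mode. Consider naming the patch file (fix-re-when-untainting.patch) and the upstream RT ticket in the bullet so the entry can be found later, and check whether low urgency still fits before the UNRELEASED entry is uploaded.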

Added: trunk/libdata-formvalidator-perl/debian/patches/fix-re-when-untainting.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdata-formvalidator-perl/debian/patches/fix-re-when-untainting.patch?rev=75230&op=file
==============================================================================
--- trunk/libdata-formvalidator-perl/debian/patches/fix-re-when-untainting.patch (added)
+++ trunk/libdata-formvalidator-perl/debian/patches/fix-re-when-untainting.patch Tue Jun  7 10:11:11 2011
@@ -1,0 +1,20 @@
+Description: Fix a matching check leading to passing (and mangling) invalid data
+ $match would be '' when $val doesn't match $re and '' is still defined...
+Origin: vendor
+Bug: https://rt.cpan.org/Ticket/Display.html?id=61792
+Bug-Debian: http://bugs.debian.org/629511
+Forwarded: yes
+Author: Damyan Ivanov <dmn at debian.org>
+Last-Update: 2011-06-07
+
+--- a/lib/Data/FormValidator/Results.pm
++++ b/lib/Data/FormValidator/Results.pm
+@@ -807,7 +807,7 @@ sub _create_sub_from_RE {
+             # With methods, the value is the second argument
+             my $val = $force_method_p ? $_[1] : $_[0];
+             my ($match) = scalar ($val =~ $re);
+-            if ($untaint_this && defined $match) {
++            if ($untaint_this && $match) {
+                 # pass the value through a RE that matches anything to untaint it.
+                 my ($untainted) = ($&  =~ m/(.*)/s);
+                 return $untainted;
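
Review bot: the embedded change to `_create_sub_from_RE` ships without a regression test; the patch touches only lib/Data/FormValidator/Results.pm. A test that feeds a non-matching value through a regexp constraint with untainting enabled and asserts that it is rejected would pin down the case the Description mentions. At `my ($match) = scalar ($val =~ $re);` the right-hand side is already a plain true/false value, so the list-assignment parentheses around `$match` obscure what the new `if ($untaint_this && $match)` tests; `my $match = $val =~ $re;` would read more clearly. In the DEP-3 header, `Forwarded: yes` could carry the URL it was forwarded to, as the `Bug:` field already does.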

Added: trunk/libdata-formvalidator-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libdata-formvalidator-perl/debian/patches/series?rev=75230&op=file
==============================================================================
--- trunk/libdata-formvalidator-perl/debian/patches/series (added)
+++ trunk/libdata-formvalidator-perl/debian/patches/series Tue Jun  7 10:11:11 2011
@@ -1,0 +1,1 @@
+fix-re-when-untainting.patch




More information about the Pkg-perl-cvs-commits mailing list