[libcgi-application-perl] 01/02: Add CVE-2013-7329.patch patch

Salvatore Bonaccorso carnil at debian.org
Thu Apr 3 19:56:13 UTC 2014



carnil pushed a commit to branch master
in repository libcgi-application-perl.

commit 9f5d569466afb762149af792535684f8cdd91fbe
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Apr 3 21:48:50 2014 +0200

    Add CVE-2013-7329.patch patch
    
    CVE-2013-7329: In certain cases, CGI::Application would unexpectedly
    dump a complete set of web query data and server environment information
    as an error page. This could allow unintended disclosure of sensitive
    information.
    
    Closes: #739505
---
 debian/patches/CVE-2013-7329.patch | 133 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 2 files changed, 134 insertions(+)

diff --git a/debian/patches/CVE-2013-7329.patch b/debian/patches/CVE-2013-7329.patch
new file mode 100644
index 0000000..0db5555
--- /dev/null
+++ b/debian/patches/CVE-2013-7329.patch
@@ -0,0 +1,133 @@
+Description: Fix CVE-2013-7329
+ In certain cases, CGI::Application would unexpectedly dump a complete
+ set of web query data and server environment information as an error
+ page. This could allow unintended disclosure of sensitive information.
+Origin: backport, https://github.com/markstos/CGI--Application/pull/15
+Bug: https://github.com/markstos/CGI--Application/pull/15
+Bug-Debian: http://bugs.debian.org/739505
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1067180
+Forwarded: not-needed
+Author: Emmanuel Seyman <emmanuel at seyman.fr> 
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2014-04-03
+
+--- a/lib/CGI/Application.pm
++++ b/lib/CGI/Application.pm
+@@ -359,6 +359,27 @@
+ }
+ 
+ 
++sub no_runmodes {
++
++       my $self   = shift;
++       my $query  = $self->query();
++       
++       # If no runmodes specified by app return error message 
++       my $current_runmode = $self->get_current_runmode();
++       my $query_params = $query->Dump;
++       
++       my $output = qq{
++               <h2>Error - No runmodes specified.</h2>
++               <p>Runmode called: $current_runmode"</p>
++               <p>Query paramaters:</p> $query_params
++               <p>Your application has not specified any runmodes.</p>
++               <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
++               cation/">CGI::Application</a> documentation.</p>
++       };
++       return $output;
++}
++
++
+ sub header_add {
+ 	my $self = shift;
+ 	return $self->_header_props_update(\@_,add=>1);
+@@ -513,7 +534,7 @@
+ 	my (@data) = (@_);
+ 
+ 	# First use?  Create new __RUN_MODES!
+-    $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
++    $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
+ 
+ 	my $rr_m = $self->{__RUN_MODES};
+ 
+@@ -1653,7 +1674,8 @@
+ The dump_html() method is a debugging function which will return
+ a chunk of text which contains all the environment and web form
+ data of the request, formatted nicely for human readability via
+-a web browser.  Useful for outputting to a browser.
++a web browser.  Useful for outputting to a browser. Please consider
++the security implications of using this in production code.
+ 
+ =head3 error_mode()
+ 
+--- a/t/basic.t
++++ b/t/basic.t
+@@ -1,6 +1,6 @@
+ 
+ use strict;
+-use Test::More tests => 110;
++use Test::More tests => 112;
+ 
+ BEGIN{use_ok('CGI::Application');}
+ 
+@@ -28,7 +28,7 @@
+ }
+ 
+ # Instantiate CGI::Application
+-# run() CGI::Application object.	Expect header + output dump_html()
++# run() CGI::Application object.       Expect header + output no_runmodes()
+ {
+ 	my $app = CGI::Application->new();
+ 	isa_ok($app, 'CGI::Application');
+@@ -39,11 +39,29 @@
+ 	response_like(
+ 		$app,
+ 		qr{^Content-Type: text/html},
+-		qr/Query Environment:/,
++		qr/Error - No runmodes specified./,
+ 		'base class response',
+ 	);
+ }
+ 
++# Instantiate CGI::Application
++# run() CGI::Application sub-class.
++# Expect header + output dump_html()
++{
++
++       my $app = TestApp->new();
++       $app->query(CGI->new({'test_rm' => 'dump_htm'}));
++
++       response_like(
++               $app,
++               qr{^Content-Type: text/html},
++               qr/Query Environment:/,
++               'dump_html class response'
++
++       );
++
++}
++
+ # Instantiate CGI::Application sub-class.
+ # run() CGI::Application sub-class. 
+ # Expect HTTP header + 'Hello World: basic_test'.
+--- a/t/lib/TestApp.pm
++++ b/t/lib/TestApp.pm
+@@ -27,6 +27,7 @@
+  		'header_props_before_header_add'		=> \&header_props_before_header_add,
+  		'header_add_after_header_props'		=> \&header_add_after_header_props,
+ 
++    'dump_htm'    => 'dump_html',
+     'dump_txt'    => 'dump',
+ 		'eval_test'		=> 'eval_test',
+ 	);
+--- a/t/load_tmpl_hook.t
++++ b/t/load_tmpl_hook.t
+@@ -8,7 +8,7 @@
+ my $app = CGI::Application->new();
+ my $out = $app->run;
+ 
+-like($out, qr/start/, "normal app output contains start");
++like($out, qr/Error - No runmodes specified/, "normal app output contains start");
+ unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
+ 
+  {
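Review bot: The new no_runmodes() still interpolates `$query->Dump` into the error page (the `$query_params` assignment and the `<p>Query paramaters:</p> $query_params` line in the lib/CGI/Application.pm hunk), so the patch stops the server-environment dump but keeps echoing every submitted parameter back to the client, which is the other half of what the CVE description says should not reach the page. `$current_runmode` is also interpolated into the HTML unescaped, and since the current run mode is normally derived from a request parameter this looks like a reflection point; I would change the two lines to `my $current_runmode = $query->escapeHTML($self->get_current_runmode());` and `<p>Runmode called: $current_runmode</p>` (dropping the stray `"`), delete the `$query_params` assignment and the `<p>Query paramaters:</p> $query_params` line, and log the parameters server-side if they are wanted for debugging. The test description in the t/load_tmpl_hook.t hunk, `"normal app output contains start"`, no longer describes the regex next to it and should read `"normal app output contains no_runmodes error"`.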
diff --git a/debian/patches/series b/debian/patches/series
index 5299247..3abbdd3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 spelling.patch
+CVE-2013-7329.patch



