[libcgi-application-perl] 01/02: Add CVE-2013-7329.patch patch
Salvatore Bonaccorso
carnil at debian.org
Thu Apr 3 19:56:13 UTC 2014
carnil pushed a commit to branch master
in repository libcgi-application-perl.
commit 9f5d569466afb762149af792535684f8cdd91fbe
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu Apr 3 21:48:50 2014 +0200
Add CVE-2013-7329.patch patch
CVE-2013-7329: In certain cases, CGI::Application would unexpectedly
dump a complete set of web query data and server environment information
as an error page. This could allow unintended disclosure of sensitive
information.
Closes: #739505
---
debian/patches/CVE-2013-7329.patch | 133 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 134 insertions(+)
diff --git a/debian/patches/CVE-2013-7329.patch b/debian/patches/CVE-2013-7329.patch
new file mode 100644
index 0000000..0db5555
--- /dev/null
+++ b/debian/patches/CVE-2013-7329.patch
@@ -0,0 +1,133 @@
+Description: Fix CVE-2013-7329
+ In certain cases, CGI::Application would unexpectedly dump a complete
+ set of web query data and server environment information as an error
+ page. This could allow unintended disclosure of sensitive information.
+Origin: backport, https://github.com/markstos/CGI--Application/pull/15
+Bug: https://github.com/markstos/CGI--Application/pull/15
+Bug-Debian: http://bugs.debian.org/739505
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1067180
+Forwarded: not-needed
+Author: Emmanuel Seyman <emmanuel at seyman.fr>
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2014-04-03
+
+--- a/lib/CGI/Application.pm
++++ b/lib/CGI/Application.pm
+@@ -359,6 +359,27 @@
+ }
+
+
++sub no_runmodes {
++
++ my $self = shift;
++ my $query = $self->query();
++
++ # If no runmodes specified by app return error message
++ my $current_runmode = $self->get_current_runmode();
++ my $query_params = $query->Dump;
++
++ my $output = qq{
++ <h2>Error - No runmodes specified.</h2>
++ <p>Runmode called: $current_runmode"</p>
++ <p>Query paramaters:</p> $query_params
++ <p>Your application has not specified any runmodes.</p>
++ <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
++ cation/">CGI::Application</a> documentation.</p>
++ };
++ return $output;
++}
++
++
+ sub header_add {
+ my $self = shift;
+ return $self->_header_props_update(\@_,add=>1);
+@@ -513,7 +534,7 @@
+ my (@data) = (@_);
+
+ # First use? Create new __RUN_MODES!
+- $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
++ $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
+
+ my $rr_m = $self->{__RUN_MODES};
+
+@@ -1653,7 +1674,8 @@
+ The dump_html() method is a debugging function which will return
+ a chunk of text which contains all the environment and web form
+ data of the request, formatted nicely for human readability via
+-a web browser. Useful for outputting to a browser.
++a web browser. Useful for outputting to a browser. Please consider
++the security implications of using this in production code.
+
+ =head3 error_mode()
+
+--- a/t/basic.t
++++ b/t/basic.t
+@@ -1,6 +1,6 @@
+
+ use strict;
+-use Test::More tests => 110;
++use Test::More tests => 112;
+
+ BEGIN{use_ok('CGI::Application');}
+
+@@ -28,7 +28,7 @@
+ }
+
+ # Instantiate CGI::Application
+-# run() CGI::Application object. Expect header + output dump_html()
++# run() CGI::Application object. Expect header + output no_runmodes()
+ {
+ my $app = CGI::Application->new();
+ isa_ok($app, 'CGI::Application');
+@@ -39,11 +39,29 @@
+ response_like(
+ $app,
+ qr{^Content-Type: text/html},
+- qr/Query Environment:/,
++ qr/Error - No runmodes specified./,
+ 'base class response',
+ );
+ }
+
++# Instantiate CGI::Application
++# run() CGI::Application sub-class.
++# Expect header + output dump_html()
++{
++
++ my $app = TestApp->new();
++ $app->query(CGI->new({'test_rm' => 'dump_htm'}));
++
++ response_like(
++ $app,
++ qr{^Content-Type: text/html},
++ qr/Query Environment:/,
++ 'dump_html class response'
++
++ );
++
++}
++
+ # Instantiate CGI::Application sub-class.
+ # run() CGI::Application sub-class.
+ # Expect HTTP header + 'Hello World: basic_test'.
+--- a/t/lib/TestApp.pm
++++ b/t/lib/TestApp.pm
+@@ -27,6 +27,7 @@
+ 'header_props_before_header_add' => \&header_props_before_header_add,
+ 'header_add_after_header_props' => \&header_add_after_header_props,
+
++ 'dump_htm' => 'dump_html',
+ 'dump_txt' => 'dump',
+ 'eval_test' => 'eval_test',
+ );
+--- a/t/load_tmpl_hook.t
++++ b/t/load_tmpl_hook.t
+@@ -8,7 +8,7 @@
+ my $app = CGI::Application->new();
+ my $out = $app->run;
+
+-like($out, qr/start/, "normal app output contains start");
++like($out, qr/Error - No runmodes specified/, "normal app output contains start");
+ unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
+
+ {
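Review bot: The new no_runmodes() near the top of the hunk still echoes every request parameter into the error page through `$query->Dump`, so an app that reaches this default run mode reflects whatever a form submitted (including any tokens a client posted) into an HTML response that proxies or logs may retain; the patch header describes the CVE as disclosure of "web query data and server environment information", and this only removes the environment half. I would drop the `<p>Query paramaters:</p> $query_params` line and the `my $query_params = $query->Dump;` assignment, which also fixes the "paramaters" typo, and keep the page to the run-mode name plus the documentation pointer. Separately, `$current_runmode` is interpolated raw into `<p>Runmode called: $current_runmode"</p>` with a stray `"` at the end; if run() croaks on unknown run modes before dispatch as upstream does, this can only ever be 'start' here, but escaping it is cheap and removes the reliance on that assumption: `<p>Runmode called: @{[ $query->escapeHTML($current_runmode) ]}</p>`. The dump_html() POD change further down ("Please consider the security implications") would be more useful stated concretely, e.g. that the method returns the full %ENV and all query parameters and must not be reachable from a production run mode. The t/load_tmpl_hook.t assertion at the end also keeps the description "normal app output contains start" although it now checks for the error string, which will mislead anyone reading a failure.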
diff --git a/debian/patches/series b/debian/patches/series
index 5299247..3abbdd3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
spelling.patch
+CVE-2013-7329.patch
--