[libcgi-session-perl] 01/02: Untaint raw data coming from session storage backends
Niko Tyni
ntyni at moszumanska.debian.org
Fri Jan 15 16:55:14 UTC 2016
This is an automated email from the git hooks/post-receive script.
ntyni pushed a commit to annotated tag debian/4.48-1+deb8u1
in repository libcgi-session-perl.
commit 010a78c3edc4415f2ee26a1d0b27c0aaf308a231
Author: Niko Tyni <ntyni at debian.org>
Date: Tue Jan 12 23:40:53 2016 +0200
Untaint raw data coming from session storage backends
This fixes a taint regression caused by CVE-2015-8607 fixes in perl.
Closes: #810799
---
...-data-coming-from-session-storage-backend.patch | 77 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 78 insertions(+)
diff --git a/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch b/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
new file mode 100644
index 0000000..f19d4cf
--- /dev/null
+++ b/debian/patches/0001-Untaint-raw-data-coming-from-session-storage-backend.patch
@@ -0,0 +1,77 @@
+From ab199c765329638301105fd1884af14992bb1615 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni at debian.org>
+Date: Tue, 12 Jan 2016 23:40:53 +0200
+Subject: [PATCH] Untaint raw data coming from session storage backends
+
+The various storage backends need to be considered trusted,
+so data coming out of them should be untainted.
+
+The _CLAIMED_ID comes from an HTTP cookie and is probably tainted,
+but presumably it's OK if it matched some data in the storage.
+
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346
+Bug-Debian: https://bugs.debian.org/810799
+---
+ lib/CGI/Session.pm | 4 ++++
+ t/taint_storage.t | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 38 insertions(+)
+ create mode 100644 t/taint_storage.t
+
+diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm
+index 2788b04..6460d4d 100644
+--- a/lib/CGI/Session.pm
++++ b/lib/CGI/Session.pm
+@@ -724,6 +724,10 @@ sub load {
+ # Requested session couldn't be retrieved
+ return $self unless $raw_data;
+
++ # untaint; we trust the session backend,
++ # and presumably _CLAIMED_ID too at this point
++ $raw_data =~ /^(.*)$/s and $raw_data = $1;
++
+ my $serializer = $self->_serializer();
+ $self->{_DATA} = $serializer->thaw($raw_data);
+ unless ( defined $self->{_DATA} ) {
+diff --git a/t/taint_storage.t b/t/taint_storage.t
+new file mode 100644
+index 0000000..95f5f1a
+--- /dev/null
++++ b/t/taint_storage.t
+@@ -0,0 +1,34 @@
++#!/usr/bin/perl -T
++
++# https://rt.cpan.org/Public/Bug/Display.html?id=80346
++
++use strict;
++use warnings;
++use CGI::Session;
++use Scalar::Util qw(tainted);
++use Test::More tests => 6;
++
++my $sid;
++
++my $session = CGI::Session->new( "driver:file;serializer:storable", undef, {Directory=>'t'});
++ok($session, "new() with file+storable");
++
++$session->param('a', 1 );
++
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after new");
++
++$session->flush;
++$session = CGI::Session->load( "driver:file;serializer:storable", $sid, {Directory=>'t'});
++
++ok($session, "load() with file+storable");
++$sid = $session->id;
++ok(!tainted $sid, "sid not tainted after load");
++
++is($session->param('a'), 1, "parameter stored");
++
++$session->flush;
++
++ok(1, "survived flush");
++
++$session->delete;
+--
+2.6.4
+
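Review bot: The untaint added to `load()` in lib/CGI/Session.pm accepts any content (`/^(.*)$/s`) immediately before `$serializer->thaw($raw_data)`, so under `-T` nothing checks the bytes that a serializer such as Storable will deserialize, and the two-line comment does not say what that trust depends on. I would expand the comment to state the assumption, for example `# untaint without validation: only safe if the session store is writable solely by this application, because thaw() runs on whatever the backend returns`. The new t/taint_storage.t only asserts that `$sid` is untainted for the file+storable combination, so the data returned by `param()` and the other drivers and serializers are not covered. `load()` starts and ends outside the hunk, so whether `_CLAIMED_ID` is validated before the backend lookup cannot be confirmed from the lines shown.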
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e2cee36
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Untaint-raw-data-coming-from-session-storage-backend.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libcgi-session-perl.git