authorChris 'BinGOs' Williams <chris@bingosnet.co.uk>2010-11-09 00:20:53 +0000
committerChris 'BinGOs' Williams <chris@bingosnet.co.uk>2010-11-09 00:20:53 +0000
commit84601d63a7e34958da47dad1e61e27cb3bd467d1 (patch)
tree71c5904bd735be8b31cab3de0e76e5026dc94de5
parenta0b94c2432b1d8c20653453a0f6970cb10f59aec (diff)
downloadperl-84601d63a7e34958da47dad1e61e27cb3bd467d1.tar.gz
Update CGI.pm to CPAN version 3.50
[DELTA] Version 3.50 [SECURITY] 1. The MIME boundary in multipart_init is now random. Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg 2. Further improvements to handling of newlines embedded in header values. An exception is thrown if header values contain invalid newlines. Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux, Lincoln Stein, Frédéric Buclin and Mark Stosberg [DOCUMENTATION] 1. Correcting/clarifying documentation for param_fetch(). Thanks to Renée Bäcker. (RT#59132) [INTERNALS] 1. Fixing https test in http.t. (RT#54768) 2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
-rwxr-xr-xPorting/Maintainers.pl2
-rw-r--r--cpan/CGI/Changes18
-rw-r--r--cpan/CGI/lib/CGI.pm39
-rw-r--r--cpan/CGI/lib/CGI/Cookie.pm15
-rw-r--r--cpan/CGI/t/http.t9
-rw-r--r--pod/perldelta.pod10
6 files changed, 68 insertions, 25 deletions
diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl
index 31e09c5d74..1e17e61d01 100755
--- a/Porting/Maintainers.pl
+++ b/Porting/Maintainers.pl
@@ -299,7 +299,7 @@ use File::Glob qw(:case);
'CGI' =>
{
'MAINTAINER' => 'lstein',
- 'DISTRIBUTION' => 'LDS/CGI.pm-3.49.tar.gz',
+ 'DISTRIBUTION' => 'LDS/CGI.pm-3.50.tar.gz',
'FILES' => q[cpan/CGI],
'EXCLUDED' => [ qr{^t/lib/Test},
qw( cgi-lib_porting.html
diff --git a/cpan/CGI/Changes b/cpan/CGI/Changes
index fb1644ff64..4b197ecbde 100644
--- a/cpan/CGI/Changes
+++ b/cpan/CGI/Changes
@@ -1,3 +1,21 @@
+Version 3.50
+
+ [SECURITY]
+ 1. The MIME boundary in multipart_init is now random.
+ Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg
+ 2. Further improvements to handling of newlines embedded in header values.
+ An exception is thrown if header values contain invalid newlines.
+ Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
+ Lincoln Stein, Frédéric Buclin and Mark Stosberg
+
+ [DOCUMENTATION]
+ 1. Correcting/clarifying documentation for param_fetch(). Thanks to
+ Renée Bäcker. (RT#59132)
+
+ [INTERNALS]
+ 1. Fixing https test in http.t. (RT#54768)
+ 2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
+
Version 3.49
[BUG FIXES]
diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm
index 355b8d1805..c0f6752dae 100644
--- a/cpan/CGI/lib/CGI.pm
+++ b/cpan/CGI/lib/CGI.pm
@@ -18,8 +18,9 @@ use Carp 'croak';
# The most recent version and complete docs are available at:
# http://stein.cshl.org/WWW/software/CGI/
+# The revision is no longer being updated since moving to git.
$CGI::revision = '$Id: CGI.pm,v 1.266 2009/07/30 16:32:34 lstein Exp $';
-$CGI::VERSION='3.49';
+$CGI::VERSION='3.50';
# HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
# UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -1457,7 +1458,14 @@ END_OF_FUNC
sub multipart_init {
my($self,@p) = self_or_default(@_);
my($boundary,@other) = rearrange_header([BOUNDARY],@p);
- $boundary = $boundary || '------- =_aaaaaaaaaa0';
+ if (!$boundary) {
+ $boundary = '------- =_';
+ my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+ for (1..17) {
+ $boundary .= $chrs[rand(scalar @chrs)];
+ }
+ }
+
$self->{'separator'} = "$CRLF--$boundary$CRLF";
$self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
$type = SERVER_PUSH($boundary);
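Review bot: The new boundary is built from `rand`, which is Perl's general-purpose PRNG rather than a cryptographic source, so it removes the old fixed string but does not make the separator unguessable to anyone who can observe other outputs of the same process; if an unguessable boundary is the goal, that limitation should be stated next to the loop. The hunk also records no reason for the change; a comment such as `# Use a random boundary instead of a fixed one so pushed content is unlikely to contain the separator` would carry the intent forward. A caller-supplied -boundary still bypasses the randomisation entirely (the `if (!$boundary)` guard), which is worth documenting in the method's POD. multipart_init continues past the end of the hunk.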
@@ -1545,12 +1553,19 @@ sub header {
# CR escaping for values, per RFC 822
for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
if (defined $header) {
- $header =~ s/
- (?<=\n) # For any character proceeded by a newline
- (?=\S) # ... that is not whitespace
- / /xg; # ... inject a leading space in the new line
- }
- }
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+ # followed by a LWSP-char as equivalent to the LWSP-char.
+ $header =~ s/$CRLF(\s)/$1/g;
+
+ # All other uses of newlines are invalid input.
+ if ($header =~ m/$CRLF/) {
+ # shorten very long values in the diagnostic
+ $header = substr($header,0,72).'...' if (length $header > 72);
+ die "Invalid header value contains a newline not followed by whitespace: $header";
+ }
+ }
+ }
$nph ||= $NPH;
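Review bot: The unfold on the `s/$CRLF(\s)/$1/g` line captures `\s`, which also matches CR and LF, so a value holding `$CRLF` immediately followed by another LF is rewritten to a bare LF and then passes the `m/$CRLF/` check on the next line; likewise, if `$CRLF` is the two-character sequence on this platform (it is not defined in this hunk), a lone CR or LF present from the start is never seen by that check, whereas the removed code keyed on `\n`. Restricting the folding character to the RFC 822 LWSP-char and rejecting any remaining line terminator closes both gaps: `$header =~ s/$CRLF([ \t])/$1/g;` and `if ($header =~ m/[\r\n]/) {`. Truncating `$header` before the `die` is only for the diagnostic and is fine since the value is not used afterwards. header() starts before and continues after this hunk.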
@@ -1615,7 +1630,6 @@ sub header {
}
END_OF_FUNC
-
#### Method: cache
# Control whether header() will produce the no-cache
# Pragma directive.
@@ -4707,9 +4721,10 @@ specialized tasks.)
unshift @{$q->param_fetch(-name=>'address')},'George Munster';
If you need access to the parameter list in a way that isn't covered
-by the methods above, you can obtain a direct reference to it by
-calling the B<param_fetch()> method with the name of the . This
-will return an array reference to the named parameters, which you then
+by the methods given in the previous sections, you can obtain a direct
+reference to it by
+calling the B<param_fetch()> method with the name of the parameter. This
+will return an array reference to the named parameter, which you then
can manipulate in any way you like.
You can also use a named argument style using the B<-name> argument.
diff --git a/cpan/CGI/lib/CGI/Cookie.pm b/cpan/CGI/lib/CGI/Cookie.pm
index 7bc090d418..3567c7f108 100644
--- a/cpan/CGI/lib/CGI/Cookie.pm
+++ b/cpan/CGI/lib/CGI/Cookie.pm
@@ -305,7 +305,9 @@ it internally), you can use this module independently.
For full information on cookies see
- http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt
+ http://tools.ietf.org/html/rfc2109
+ http://tools.ietf.org/html/rfc2965
+ http://tools.ietf.org/html/draft-ietf-httpstate-cookie
=head1 USING CGI::Cookie
@@ -355,18 +357,19 @@ that all scripts at your site will receive the cookie.
If the "secure" attribute is set, the cookie will only be sent to your
script if the CGI request is occurring on a secure channel, such as SSL.
-=item B<4. httponly flag>
+=item B<5. httponly flag>
If the "httponly" attribute is set, the cookie will only be accessible
through HTTP Requests. This cookie will be inaccessible via JavaScript
(to prevent XSS attacks).
-But, currently this feature only used and recognised by
-MS Internet Explorer 6 Service Pack 1 and later.
+This feature is only supported by recent browsers like Internet Explorer
+6 Service Pack 1, Firefox 3.0 and Opera 9.5 (and later of course).
-See this URL for more information:
+See these URLs for more information:
-L<http://msdn.microsoft.com/en-us/library/ms533046%28VS.85%29.aspx>
+ http://msdn.microsoft.com/en-us/library/ms533046.aspx
+ http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly
=back
diff --git a/cpan/CGI/t/http.t b/cpan/CGI/t/http.t
index 2ed38631d6..324da26fd4 100644
--- a/cpan/CGI/t/http.t
+++ b/cpan/CGI/t/http.t
@@ -34,11 +34,8 @@ my $cgi = CGI->new();
# https()
# The same as http(), but operates on the HTTPS environment variables present when the SSL protocol is in
# effect. Can be used to determine whether SSL is turned on.
- my @expect = grep /^HTTPS/, keys %ENV;
- push @expect, 'HTTPS' if not exists $ENV{HTTPS};
- push @expect, 'HTTPS_KEYSIZE' if not exists $ENV{HTTPS_KEYSIZE};
- local $ENV{'HTTPS'} = 'ON';
- local $ENV{'HTTPS_KEYSIZE'} = 512;
+ local %ENV;
+ @ENV{qw/ HTTPS HTTPS_KEYSIZE /} = ('ON', 512);
is $cgi->https(), 'ON', 'scalar context to check SSL is on';
- ok eq_set( [$cgi->https()], \@expect), 'list context returns https keys';
+ ok eq_set( [$cgi->https()], [qw(HTTPS HTTPS_KEYSIZE)]), 'list context returns https keys';
}
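Review bot: The `local %ENV;` line empties the entire environment for the rest of the enclosing block, not just the two HTTPS keys, and the hunk does not say that this is deliberate; a comment such as `# Start from an empty %ENV so https() in list context sees exactly the keys set below` would make the intent clear to the next person who touches this test. Because the localised %ENV appears to apply to everything called inside the block, any code that reads other environment variables there sees them as absent, which is worth keeping in mind if the block grows. The enclosing block starts before the hunk.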
diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index 89d99fec25..7b8bd095c5 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -270,6 +270,16 @@ L<[perl #33752]|http://rt.perl.org/rt3/Public/Bug/Display.html?id=33752>.
=item *
+C<CGI> has been upgraded from 3.49 to 3.50
+
+This provides the following security fixes: the MIME boundary in
+multipart_init is now random and improvements to the handling of
+newlines embedded in header values.
+
+The documentation for param_fetch() has been corrected and clarified.
+
+=item *
+
C<CPAN> has been upgraded from 1.94_61 to 1.94_62
=item *