[perl-CGI/f18] Escape new-lines in Set-Cookie and P3P response headers properly

Petr Pisar <ppisar@xxxxxxxxxxxxxxxxx> · Thu, 15 Nov 2012 13:36:27 +0000 (UTC)

commit 7e85a37682bd1d4b98ece3682f6edcbfbe796efa
Author: Petr Písař <ppisar@xxxxxxxxxx>
Date:   Thu Nov 15 14:22:29 2012 +0100

    Escape new-lines in Set-Cookie and P3P response headers properly

 CGI-3.51-escape_new_lines_in_cookies.patch |   78 ++++++++++++++++++++++++++++
 perl-CGI.spec                              |    8 +++-
 2 files changed, 85 insertions(+), 1 deletions(-)
---

diff --git a/CGI-3.51-escape_new_lines_in_cookies.patch b/CGI-3.51-escape_new_lines_in_cookies.patch
new file mode 100644
index 0000000..31f7e52
--- /dev/null
+++ b/CGI-3.51-escape_new_lines_in_cookies.patch
@@ -0,0 +1,78 @@
+From bce370939e2a7cc02c0d66e6b1869815624cdf81 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Thu, 15 Nov 2012 14:32:18 +0100
+Subject: [PATCH] Escape new-lines in Cookie and P3P headers
+
+This is relevant difference between CGI 3.62 and 3.63.
+See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
+
+Back-ported for 3.51
+---
+ lib/CGI.pm  | 24 ++++++++++++------------
+ t/headers.t |  6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/lib/CGI.pm b/lib/CGI.pm
+index d320d7f..7436a51 100644
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1550,8 +1550,17 @@ sub header {
+                             'EXPIRES','NPH','CHARSET',
+                             'ATTACHMENT','P3P'],@p);
+ 
++    # Since $cookie and $p3p may be array references,
++    # we must stringify them before CR escaping is done.
++    my @cookie;
++    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++        push(@cookie,$cs) if defined $cs and $cs ne '';
++    }
++    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+     # CR escaping for values, per RFC 822
+-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
++    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+         if (defined $header) {
+             # From RFC 822:
+             # Unfolding  is  accomplished  by regarding   CRLF   immediately
+@@ -1595,18 +1604,9 @@ sub header {
+ 
+     push(@header,"Status: $status") if $status;
+     push(@header,"Window-Target: $target") if $target;
+-    if ($p3p) {
+-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+-    }
++    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+     # push all the cookies -- there may be several
+-    if ($cookie) {
+-	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+-	for (@cookie) {
+-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+-	    push(@header,"Set-Cookie: $cs") if $cs ne '';
+-	}
+-    }
++    push(@header,map {"Set-Cookie: $_"} @cookie);
+     # if the user indicates an expiration time, then we need
+     # both an Expires and a Date header (so that the browser is
+     # uses OUR clock)
+diff --git a/t/headers.t b/t/headers.t
+index 661b74b..4b4922c 100644
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+ 
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+ 
+-- 
+1.7.11.7
+
diff --git a/perl-CGI.spec b/perl-CGI.spec
index 9f4b3d7..5783b10 100644
--- a/perl-CGI.spec
+++ b/perl-CGI.spec
@@ -1,10 +1,12 @@
 Name:           perl-CGI
 Summary:        Handle Common Gateway Interface requests and responses
 Version:        3.51
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 Source0:        http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI.pm-%{version}.tar.gz
+# RHBZ #876974
+Patch0:         CGI-3.51-escape_new_lines_in_cookies.patch
 URL:            http://search.cpan.org/dist/CGI
 BuildArch:      noarch
 BuildRequires:  perl(ExtUtils::MakeMaker)
@@ -41,6 +43,7 @@ with built-in support for mod_perl and mod_perl2 as well as FastCGI.
 
 %prep
 %setup -q -n CGI.pm-%{version}
+%patch0 -p1
 
 # RPM 4.9 style
 %global __provides_exclude %{?__provides_exclude:__provides_exclude|}^perl\\(Fh\\)$
@@ -70,6 +73,9 @@ make test
 %{_mandir}/man3/*.3*
 
 %changelog
+* Thu Nov 15 2012 Petr Pisar <ppisar@xxxxxxxxxx> - 3.51-9
+- Escape new-lines in Set-Cookie and P3P response headers properly (bug #876974)
+
 * Fri Jul 20 2012 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 3.51-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel






