commit a2287429cb1f795c34dea7ba2ab96df8586dc777
Author: Petr Písař <ppisar@xxxxxxxxxx>
Date: Thu Nov 15 14:22:29 2012 +0100
Escape new-lines in Set-Cookie and P3P response headers properly
CGI-3.51-escape_new_lines_in_cookies.patch | 78 ++++++++++++++++++++++++++++
perl-CGI.spec | 8 +++-
2 files changed, 85 insertions(+), 1 deletions(-)
---
diff --git a/CGI-3.51-escape_new_lines_in_cookies.patch b/CGI-3.51-escape_new_lines_in_cookies.patch
new file mode 100644
index 0000000..31f7e52
--- /dev/null
+++ b/CGI-3.51-escape_new_lines_in_cookies.patch
@@ -0,0 +1,78 @@
+From bce370939e2a7cc02c0d66e6b1869815624cdf81 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Thu, 15 Nov 2012 14:32:18 +0100
+Subject: [PATCH] Escape new-lines in Cookie and P3P headers
+
+This is relevant difference between CGI 3.62 and 3.63.
+See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
+
+Back-ported for 3.51
+---
+ lib/CGI.pm | 24 ++++++++++++------------
+ t/headers.t | 6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/lib/CGI.pm b/lib/CGI.pm
+index d320d7f..7436a51 100644
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1550,8 +1550,17 @@ sub header {
+ 'EXPIRES','NPH','CHARSET',
+ 'ATTACHMENT','P3P'],@p);
+
++ # Since $cookie and $p3p may be array references,
++ # we must stringify them before CR escaping is done.
++ my @cookie;
++ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++ push(@cookie,$cs) if defined $cs and $cs ne '';
++ }
++ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+ # CR escaping for values, per RFC 822
+- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
++ for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+ if (defined $header) {
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+@@ -1595,18 +1604,9 @@ sub header {
+
+ push(@header,"Status: $status") if $status;
+ push(@header,"Window-Target: $target") if $target;
+- if ($p3p) {
+- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+- }
++ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+ # push all the cookies -- there may be several
+- if ($cookie) {
+- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+- for (@cookie) {
+- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+- push(@header,"Set-Cookie: $cs") if $cs ne '';
+- }
+- }
++ push(@header,map {"Set-Cookie: $_"} @cookie);
+ # if the user indicates an expiration time, then we need
+ # both an Expires and a Date header (so that the browser is
+ # uses OUR clock)
+diff --git a/t/headers.t b/t/headers.t
+index 661b74b..4b4922c 100644
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+
+--
+1.7.11.7
+
diff --git a/perl-CGI.spec b/perl-CGI.spec
index cb05045..3e5a320 100644
--- a/perl-CGI.spec
+++ b/perl-CGI.spec
@@ -1,10 +1,12 @@
 Name: perl-CGI
 Summary: Handle Common Gateway Interface requests and responses
 Version: 3.51
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL+ or Artistic
 Group: Development/Libraries
 Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI.pm-%{version}.tar.gz
+# RHBZ #876974
+Patch0: CGI-3.51-escape_new_lines_in_cookies.patch
 URL: http://search.cpan.org/dist/CGI
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 BuildArch: noarch
@@ -30,6 +32,7 @@ with built-in support for mod_perl and mod_perl2 as well as FastCGI.
 
 %prep
 %setup -q -n CGI.pm-%{version}
+%patch0 -p1
 
 # RPM 4.8 style
 %{?filter_setup:
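Review bot: The stringify-before-escape loop added at the top of `sub header` drops the old `if ($cookie)` guard, so a defined-but-false scalar such as `-cookie => 0` now passes `defined $cs and $cs ne ''` and reaches `push(@header,map {"Set-Cookie: $_"} @cookie)` as `Set-Cookie: 0`, where the removed code emitted nothing; if that is the intended upstream 3.63 behaviour, a comment on the `my @cookie;` line such as `# a defined, non-empty scalar (even "0") is emitted; only undef and '' are skipped` would spare the next reader a diff against 3.62. The new t/headers.t cases cover only the array-ref-of-strings form for -cookie and -p3p; a case passing a `CGI::Cookie` object and one using a bare LF rather than `$CGI::CRLF` would pin that the `as_string` branch and the non-CRLF part of the newline check are exercised too, and the check itself lies below the hunk, so I cannot confirm its pattern from here. `ref($cookie) eq 'ARRAY'` is carried over from the removed lines and is the usual perlcritic remark (`Scalar::Util::reftype` also accepts a blessed array), a style point rather than a defect. `sub header` begins and ends outside both inner hunks.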
@@ -72,6 +75,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/*.3*
 
 %changelog
+* Thu Nov 15 2012 Petr Pisar <ppisar@xxxxxxxxxx> - 3.51-5
+- Escape new-lines in Set-Cookie and P3P response headers properly (bug #876974)
+
 * Fri Jul 22 2011 Petr Pisar <ppisar@xxxxxxxxxx> - 3.51-4
 - RPM 4.9 dependency filtering added
 
-- 
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel