https://bugzilla.redhat.com/show_bug.cgi?id=880329

--- Comment #5 from Petr Pisar <ppisar@xxxxxxxxxx> ---
Upstream states the fix is available in commit:

commit 46ef9124f3149f697455061499ac7cee40930349
Author: Colin Keith <colinmkeith@xxxxxxxxx>
Date:   Sat May 25 22:56:31 2013 -0400

    resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name

    fixes PerlDancer/Dancer#859

diff --git a/lib/Dancer/Cookie.pm b/lib/Dancer/Cookie.pm
index efcb1a3..e736ab8 100644
--- a/lib/Dancer/Cookie.pm
+++ b/lib/Dancer/Cookie.pm
@@ -29,7 +29,10 @@ sub to_header {
     my $value = join('&', map {uri_escape($_)} $self->value);
     my $no_httponly = defined( $self->http_only ) && $self->http_only == 0;
 
-    my @headers = $self->name . '=' . $value;
+    my $name = $self->name;
+    $name =~ s/[=,; \t\r\n\013\014]//mg;
+
+    my @headers = $name . '=' . $value;
     push @headers, "path=" . $self->path if $self->path;
     push @headers, "expires=" . $self->expires if $self->expires;
     push @headers, "domain=" . $self->domain if $self->domain;

Upstream added tests for this issue with commit:

commit d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2
Author: Colin Keith <colinmkeith@xxxxxxxxx>
Date:   Sat May 25 00:46:53 2013 -0400

    test and resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name

    fixes PerlDancer/Dancer#859

-- 
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
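Review bot: the `to_header` hunk above closes CR/LF injection for the cookie name only; its trailing context lines still concatenate `"path=" . $self->path`, `"expires=" . $self->expires` and `"domain=" . $self->domain` verbatim, so a path, expires or domain attribute containing `\r\n` would still split the Set-Cookie header, and the same filtering (or a `die` on forbidden characters) should be applied to those attributes. Two smaller points on the added lines: silently stripping characters with `s/[=,; \t\r\n\013\014]//mg` rewrites the cookie name instead of rejecting a clearly malformed one (two distinct names such as `a b` and `ab` end up colliding), and the character class still admits other control characters and RFC 2616 token separators such as `"`, `\`, `/`, `(`, `)`, `<`, `>` and `@` that RFC 6265 forbids in a cookie-name, so a whitelist of token characters would be tighter; the `/m` modifier is a no-op on an unanchored character class and can be dropped.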