commit 9127929ccdcda7bff83188825004c328759360a3
Author: Emmanuel Seyman <emmanuel@xxxxxxxxx>
Date: Sun Feb 23 11:41:19 2014 +0100
Patch CGI::Application to prevent information disclosure (CVE-2013-7329)
CGI-Application-4.50-avoid-env-dump.patch | 135 +++++++++++++++++++++++++++++
perl-CGI-Application.spec | 7 ++-
2 files changed, 141 insertions(+), 1 deletions(-)
---
diff --git a/CGI-Application-4.50-avoid-env-dump.patch b/CGI-Application-4.50-avoid-env-dump.patch
new file mode 100644
index 0000000..52bcf06
--- /dev/null
+++ b/CGI-Application-4.50-avoid-env-dump.patch
@@ -0,0 +1,135 @@
+diff -up ./Build.PL.orig ./Build.PL
+--- ./Build.PL.orig 2014-02-23 10:22:32.554762664 +0100
++++ ./Build.PL 2014-02-23 10:23:46.633288834 +0100
+@@ -4,6 +4,7 @@ my $build = Module::Build->new
+ module_name => 'CGI::Application',
+ license => 'perl',
+ requires => {
++ 'Module::Build' => 0,
+ 'CGI' => 0,
+ 'HTML::Template' => 0,
+ 'Test::More' => 0.47,
+diff -up ./lib/CGI/Application.pm.orig ./lib/CGI/Application.pm
+--- ./lib/CGI/Application.pm.orig 2014-02-23 10:24:06.506161873 +0100
++++ ./lib/CGI/Application.pm 2014-02-23 10:27:18.993935190 +0100
+@@ -359,6 +359,27 @@ sub dump_html {
+ }
+
+
++sub no_runmodes {
++
++ my $self = shift;
++ my $query = $self->query();
++
++ # If no runmodes specified by app return error message
++ my $current_runmode = $self->get_current_runmode();
++ my $query_params = $query->Dump;
++
++ my $output = qq{
++ <h2>Error - No runmodes specified.</h2>
++ <p>Runmode called: $current_runmode"</p>
++ <p>Query paramaters:</p> $query_params
++ <p>Your application has not specified any runmodes.</p>
++ <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
++ cation/">CGI::Application</a> documentation.</p>
++ };
++ return $output;
++}
++
++
+ sub header_add {
+ my $self = shift;
+ return $self->_header_props_update(\@_,add=>1);
+@@ -513,7 +534,7 @@ sub run_modes {
+ my (@data) = (@_);
+
+ # First use? Create new __RUN_MODES!
+- $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
++ $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
+
+ my $rr_m = $self->{__RUN_MODES};
+
+@@ -1653,7 +1674,8 @@ Useful for outputting to STDERR.
+ The dump_html() method is a debugging function which will return
+ a chunk of text which contains all the environment and web form
+ data of the request, formatted nicely for human readability via
+-a web browser. Useful for outputting to a browser.
++a web browser. Useful for outputting to a browser. Please consider
++the security implications of using this in production code.
+
+ =head3 error_mode()
+
+diff -up ./t/basic.t.orig ./t/basic.t
+--- ./t/basic.t.orig 2014-02-23 10:27:32.938846521 +0100
++++ ./t/basic.t 2014-02-23 10:31:43.324258407 +0100
+@@ -1,6 +1,6 @@
+
+ use strict;
+-use Test::More tests => 110;
++use Test::More tests => 112;
+
+ BEGIN{use_ok('CGI::Application');}
+
+@@ -28,7 +28,7 @@ sub response_like {
+ }
+
+ # Instantiate CGI::Application
+-# run() CGI::Application object. Expect header + output dump_html()
++# run() CGI::Application object. Expect header + output no_runmodes()
+ {
+ my $app = CGI::Application->new();
+ isa_ok($app, 'CGI::Application');
+@@ -39,11 +39,29 @@ sub response_like {
+ response_like(
+ $app,
+ qr{^Content-Type: text/html},
+- qr/Query Environment:/,
++ qr/Error - No runmodes specified./,
+ 'base class response',
+ );
+ }
+
++# Instantiate CGI::Application
++# run() CGI::Application sub-class.
++# Expect header + output dump_html()
++{
++
++ my $app = TestApp->new();
++ $app->query(CGI->new({'test_rm' => 'dump_htm'}));
++
++ response_like(
++ $app,
++ qr{^Content-Type: text/html},
++ qr/Query Environment:/,
++ 'dump_html class response'
++
++ );
++
++}
++
+ # Instantiate CGI::Application sub-class.
+ # run() CGI::Application sub-class.
+ # Expect HTTP header + 'Hello World: basic_test'.
+diff -up ./t/lib/TestApp.pm.orig ./t/lib/TestApp.pm
+--- ./t/lib/TestApp.pm.orig 2014-02-23 10:31:55.437181753 +0100
++++ ./t/lib/TestApp.pm 2014-02-23 10:34:29.725206590 +0100
+@@ -27,6 +27,7 @@ sub setup {
+ 'header_props_before_header_add' => \&header_props_before_header_add,
+ 'header_add_after_header_props' => \&header_add_after_header_props,
+
++ 'dump_htm' => 'dump_html',
+ 'dump_txt' => 'dump',
+ 'eval_test' => 'eval_test',
+ );
+diff -up ./t/load_tmpl_hook.t.orig ./t/load_tmpl_hook.t
+--- ./t/load_tmpl_hook.t.orig 2014-02-23 10:35:34.509797752 +0100
++++ ./t/load_tmpl_hook.t 2014-02-23 10:36:24.831480420 +0100
+@@ -8,7 +8,7 @@ $ENV{CGI_APP_RETURN_ONLY} = 1;
+ my $app = CGI::Application->new();
+ my $out = $app->run;
+
+-like($out, qr/start/, "normal app output contains start");
++like($out, qr/Error - No runmodes specified/, "normal app output contains start");
+ unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
+
+ {
diff --git a/perl-CGI-Application.spec b/perl-CGI-Application.spec
index e96bbc2..c2c5c25 100644
--- a/perl-CGI-Application.spec
+++ b/perl-CGI-Application.spec
@@ -1,11 +1,12 @@
 Name: perl-CGI-Application
 Version: 4.50
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Framework for building reusable web-applications
 License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/CGI-Application/
 Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI-Application-%{version}.tar.gz
+Patch0: CGI-Application-4.50-avoid-env-dump.patch
 BuildArch: noarch
 BuildRequires: perl(CGI)
 BuildRequires: perl(Class::ISA)
@@ -26,6 +27,7 @@ implemented as a Sub-Class of CGI::Application.
 %prep
 %setup -q -n CGI-Application-%{version}
+%patch0 -p1
 %build
 %{__perl} Build.PL installdirs=vendor
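Review bot: The new `no_runmodes` default still interpolates `$query->Dump` into the page it returns, so every request parameter is echoed back to the client; the patch removes the environment dump (the CVE-2013-7329 exposure) but the stock "no run modes" response continues to reflect all submitted form data, which is the same class of disclosure the commit title names. A fixed message with no request data, `<h2>Error - No runmodes specified.</h2><p>Your application has not specified any runmodes.</p>`, would make the default safe and leave `dump_html()` for the explicit debugging use the amended POD describes. Two smaller defects sit in the same `qq{}` block: `<p>Runmode called: $current_runmode"</p>` carries a stray `"`, and `paramaters` is misspelled. Whether `$current_runmode` can carry attacker-chosen text on this path depends on `run()`, which is outside the hunk; if it can, it is interpolated into HTML unescaped here while `Dump` output is escaped by CGI.pm. The `Build.PL` hunk adding `'Module::Build' => 0` to `requires` is unrelated to the CVE and would be clearer as a separate patch.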
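Review bot: `Release:` is bumped to `7%{?dist}` here, but the `%changelog` entry added in the last hunk of this spec is tagged `- 4.50-9`, so the changelog version does not match the package it describes; rpmlint reports this as an incoherent changelog version and the entry should read `- 4.50-7`. The `Patch0:` line and the `%patch0 -p1` in the following hunk are otherwise consistent with the `./`-prefixed paths the patch file uses.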
@@ -48,6 +50,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \; %{_mandir}/man3/* %changelog +* Sun Feb 23 2014 Emmanuel Seyman <emmanuel@xxxxxxxxx> - 4.50-9 +- Patch CGI::Application to prevent information disclosure (CVE-2013-7329) + * Thu Feb 14 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 4.50-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel