[perl-CGI/f16] Escape new-lines in Set-Cookie and P3P response headers properly
Petr Pisar
ppisar at fedoraproject.org
Thu Nov 15 13:50:24 UTC 2012
commit a2287429cb1f795c34dea7ba2ab96df8586dc777
Author: Petr Písař <ppisar at redhat.com>
Date: Thu Nov 15 14:22:29 2012 +0100
Escape new-lines in Set-Cookie and P3P response headers properly
CGI-3.51-escape_new_lines_in_cookies.patch | 78 ++++++++++++++++++++++++++++
perl-CGI.spec | 8 +++-
2 files changed, 85 insertions(+), 1 deletions(-)
---
diff --git a/CGI-3.51-escape_new_lines_in_cookies.patch b/CGI-3.51-escape_new_lines_in_cookies.patch
new file mode 100644
index 0000000..31f7e52
--- /dev/null
+++ b/CGI-3.51-escape_new_lines_in_cookies.patch
@@ -0,0 +1,78 @@
+From bce370939e2a7cc02c0d66e6b1869815624cdf81 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 15 Nov 2012 14:32:18 +0100
+Subject: [PATCH] Escape new-lines in Cookie and P3P headers
+
+This is relevant difference between CGI 3.62 and 3.63.
+See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
+
+Back-ported for 3.51
+---
+ lib/CGI.pm | 24 ++++++++++++------------
+ t/headers.t | 6 ++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/lib/CGI.pm b/lib/CGI.pm
+index d320d7f..7436a51 100644
+--- a/lib/CGI.pm
++++ b/lib/CGI.pm
+@@ -1550,8 +1550,17 @@ sub header {
+ 'EXPIRES','NPH','CHARSET',
+ 'ATTACHMENT','P3P'], at p);
+
++ # Since $cookie and $p3p may be array references,
++ # we must stringify them before CR escaping is done.
++ my @cookie;
++ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
++ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
++ push(@cookie,$cs) if defined $cs and $cs ne '';
++ }
++ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
++
+ # CR escaping for values, per RFC 822
+- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
++ for my $header ($type,$status, at cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
+ if (defined $header) {
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+@@ -1595,18 +1604,9 @@ sub header {
+
+ push(@header,"Status: $status") if $status;
+ push(@header,"Window-Target: $target") if $target;
+- if ($p3p) {
+- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
+- }
++ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
+ # push all the cookies -- there may be several
+- if ($cookie) {
+- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
+- for (@cookie) {
+- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+- push(@header,"Set-Cookie: $cs") if $cs ne '';
+- }
+- }
++ push(@header,map {"Set-Cookie: $_"} @cookie);
+ # if the user indicates an expiration time, then we need
+ # both an Expires and a Date header (so that the browser is
+ # uses OUR clock)
+diff --git a/t/headers.t b/t/headers.t
+index 661b74b..4b4922c 100644
+--- a/t/headers.t
++++ b/t/headers.t
+@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');
+ like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
+ qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+
++eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
++
++eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
++like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
++
+ eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
+ like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
+
+--
+1.7.11.7
+
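Review bot: t/headers.t gains CRLF tests only for the array-ref forms of -cookie and -p3p, while the new loop at the top of the hunk handles three cookie shapes (array ref, plain scalar, CGI::Cookie object via as_string) and the plain-scalar form now reaches the escaping loop through a different path than before; add `eval { $cgi->header( -cookie => "foo".$CGI::CRLF."bar" ) };` followed by `like($@,qr/contains a newline/,'scalar Set-Cookie with CRLF embedded blows up');` beside the existing cases. The comment above `my @cookie;` says stringification "must" happen first without saying why; I would extend it to `# ... $header below aliases each list element, so escaping only reaches the Set-Cookie values once they are plain strings in @cookie`, which is the property the fix relies on. The P3P value is still interpolated inside a quoted-string (`CP=\"$p3p\"`): a `"` in it can no longer split the header now that bare newlines are rejected, but it still malforms the policy field, so that argument should not carry untrusted data. The `, at p` and `, at other` fragments on the rearrange and `for my $header` lines look like the list archive's address obfuscation of `,@p` / `,@other` and should not be copied verbatim. The rest of `sub header`, including the escaping loop's own body, lies outside this hunk.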
diff --git a/perl-CGI.spec b/perl-CGI.spec
index cb05045..3e5a320 100644
--- a/perl-CGI.spec
+++ b/perl-CGI.spec
@@ -1,10 +1,12 @@
Name: perl-CGI
Summary: Handle Common Gateway Interface requests and responses
Version: 3.51
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPL+ or Artistic
Group: Development/Libraries
Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI.pm-%{version}.tar.gz
+# RHBZ #876974
+Patch0: CGI-3.51-escape_new_lines_in_cookies.patch
URL: http://search.cpan.org/dist/CGI
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
BuildArch: noarch
@@ -30,6 +32,7 @@ with built-in support for mod_perl and mod_perl2 as well as FastCGI.
%prep
%setup -q -n CGI.pm-%{version}
+%patch0 -p1
# RPM 4.8 style
%{?filter_setup:
@@ -72,6 +75,9 @@ rm -rf %{buildroot}
%{_mandir}/man3/*.3*
%changelog
+* Thu Nov 15 2012 Petr Pisar <ppisar at redhat.com> - 3.51-5
+- Escape new-lines in Set-Cookie and P3P response headers properly (bug #876974)
+
* Fri Jul 22 2011 Petr Pisar <ppisar at redhat.com> - 3.51-4
- RPM 4.9 dependency filtering added