[perl-CGI-Application/el6] Patch CGI::Application to prevent information disclosure (CVE-2013-7329)
Emmanuel Seyman
eseyman at fedoraproject.org
Sun Feb 23 10:50:51 UTC 2014
commit 8c438a3c4f36e95e10f398a95c18fce7d24c8802
Author: Emmanuel Seyman <emmanuel at seyman.fr>
Date: Sun Feb 23 11:51:38 2014 +0100
Patch CGI::Application to prevent information disclosure (CVE-2013-7329)
CGI-Application-4.50-avoid-env-dump.patch | 135 +++++++++++++++++++++++++++++
perl-CGI-Application.spec | 7 ++-
2 files changed, 141 insertions(+), 1 deletions(-)
---
diff --git a/CGI-Application-4.50-avoid-env-dump.patch b/CGI-Application-4.50-avoid-env-dump.patch
new file mode 100644
index 0000000..52bcf06
--- /dev/null
+++ b/CGI-Application-4.50-avoid-env-dump.patch
@@ -0,0 +1,135 @@
+diff -up ./Build.PL.orig ./Build.PL
+--- ./Build.PL.orig 2014-02-23 10:22:32.554762664 +0100
++++ ./Build.PL 2014-02-23 10:23:46.633288834 +0100
+@@ -4,6 +4,7 @@ my $build = Module::Build->new
+ module_name => 'CGI::Application',
+ license => 'perl',
+ requires => {
++ 'Module::Build' => 0,
+ 'CGI' => 0,
+ 'HTML::Template' => 0,
+ 'Test::More' => 0.47,
+diff -up ./lib/CGI/Application.pm.orig ./lib/CGI/Application.pm
+--- ./lib/CGI/Application.pm.orig 2014-02-23 10:24:06.506161873 +0100
++++ ./lib/CGI/Application.pm 2014-02-23 10:27:18.993935190 +0100
+@@ -359,6 +359,27 @@ sub dump_html {
+ }
+
+
++sub no_runmodes {
++
++ my $self = shift;
++ my $query = $self->query();
++
++ # If no runmodes specified by app return error message
++ my $current_runmode = $self->get_current_runmode();
++ my $query_params = $query->Dump;
++
++ my $output = qq{
++ <h2>Error - No runmodes specified.</h2>
++ <p>Runmode called: $current_runmode"</p>
++ <p>Query paramaters:</p> $query_params
++ <p>Your application has not specified any runmodes.</p>
++ <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
++ cation/">CGI::Application</a> documentation.</p>
++ };
++ return $output;
++}
++
++
+ sub header_add {
+ my $self = shift;
+ return $self->_header_props_update(\@_,add=>1);
+@@ -513,7 +534,7 @@ sub run_modes {
+ my (@data) = (@_);
+
+ # First use? Create new __RUN_MODES!
+- $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
++ $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
+
+ my $rr_m = $self->{__RUN_MODES};
+
+@@ -1653,7 +1674,8 @@ Useful for outputting to STDERR.
+ The dump_html() method is a debugging function which will return
+ a chunk of text which contains all the environment and web form
+ data of the request, formatted nicely for human readability via
+-a web browser. Useful for outputting to a browser.
++a web browser. Useful for outputting to a browser. Please consider
++the security implications of using this in production code.
+
+ =head3 error_mode()
+
+diff -up ./t/basic.t.orig ./t/basic.t
+--- ./t/basic.t.orig 2014-02-23 10:27:32.938846521 +0100
++++ ./t/basic.t 2014-02-23 10:31:43.324258407 +0100
+@@ -1,6 +1,6 @@
+
+ use strict;
+-use Test::More tests => 110;
++use Test::More tests => 112;
+
+ BEGIN{use_ok('CGI::Application');}
+
+@@ -28,7 +28,7 @@ sub response_like {
+ }
+
+ # Instantiate CGI::Application
+-# run() CGI::Application object. Expect header + output dump_html()
++# run() CGI::Application object. Expect header + output no_runmodes()
+ {
+ my $app = CGI::Application->new();
+ isa_ok($app, 'CGI::Application');
+@@ -39,11 +39,29 @@ sub response_like {
+ response_like(
+ $app,
+ qr{^Content-Type: text/html},
+- qr/Query Environment:/,
++ qr/Error - No runmodes specified./,
+ 'base class response',
+ );
+ }
+
++# Instantiate CGI::Application
++# run() CGI::Application sub-class.
++# Expect header + output dump_html()
++{
++
++ my $app = TestApp->new();
++ $app->query(CGI->new({'test_rm' => 'dump_htm'}));
++
++ response_like(
++ $app,
++ qr{^Content-Type: text/html},
++ qr/Query Environment:/,
++ 'dump_html class response'
++
++ );
++
++}
++
+ # Instantiate CGI::Application sub-class.
+ # run() CGI::Application sub-class.
+ # Expect HTTP header + 'Hello World: basic_test'.
+diff -up ./t/lib/TestApp.pm.orig ./t/lib/TestApp.pm
+--- ./t/lib/TestApp.pm.orig 2014-02-23 10:31:55.437181753 +0100
++++ ./t/lib/TestApp.pm 2014-02-23 10:34:29.725206590 +0100
+@@ -27,6 +27,7 @@ sub setup {
+ 'header_props_before_header_add' => \&header_props_before_header_add,
+ 'header_add_after_header_props' => \&header_add_after_header_props,
+
++ 'dump_htm' => 'dump_html',
+ 'dump_txt' => 'dump',
+ 'eval_test' => 'eval_test',
+ );
+diff -up ./t/load_tmpl_hook.t.orig ./t/load_tmpl_hook.t
+--- ./t/load_tmpl_hook.t.orig 2014-02-23 10:35:34.509797752 +0100
++++ ./t/load_tmpl_hook.t 2014-02-23 10:36:24.831480420 +0100
+@@ -8,7 +8,7 @@ $ENV{CGI_APP_RETURN_ONLY} = 1;
+ my $app = CGI::Application->new();
+ my $out = $app->run;
+
+-like($out, qr/start/, "normal app output contains start");
++like($out, qr/Error - No runmodes specified/, "normal app output contains start");
+ unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
+
+ {
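Review bot: `$current_runmode` is interpolated into the HTML on the `Runmode called:` line of the new `no_runmodes` sub without escaping, and that line also carries a stray `"` after the variable; I would write `my $current_runmode = $query->escapeHTML($self->get_current_runmode());` and `<p>Runmode called: $current_runmode</p>`. With the default `start => 'no_runmodes'` mapping the value should only ever be `start`, but the method is public and a subclass can point any run-mode name at it, so escaping is cheap insurance. The page still echoes every request parameter back to the client via `$query->Dump`; CGI.pm's Dump HTML-escapes values as far as I know, but `query()` can be replaced with another class, so that is worth confirming before treating the disclosure as closed. The `href` to search.cpan.org appears split across two lines (`CGI-Appli` / `cation`) and the hunk's line count suggests the split is in the patch rather than list wrapping, which would leave the link dead; `paramaters` is also misspelled.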
diff --git a/perl-CGI-Application.spec b/perl-CGI-Application.spec
index fe33fc4..981fe2c 100644
--- a/perl-CGI-Application.spec
+++ b/perl-CGI-Application.spec
@@ -1,11 +1,12 @@
Name: perl-CGI-Application
Version: 4.50
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Framework for building reusable web-applications
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/CGI-Application/
Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI-Application-%{version}.tar.gz
+Patch0: CGI-Application-4.50-avoid-env-dump.patch
BuildArch: noarch
BuildRequires: perl(CGI)
BuildRequires: perl(Class::ISA)
@@ -26,6 +27,7 @@ implemented as a Sub-Class of CGI::Application.
%prep
%setup -q -n CGI-Application-%{version}
+%patch0 -p1
%build
%{__perl} Build.PL installdirs=vendor
@@ -48,6 +50,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;
%{_mandir}/man3/*
%changelog
+* Sun Feb 23 2014 Emmanuel Seyman <emmanuel at seyman.fr> - 4.50-3
+- Patch CGI::Application to prevent information disclosure (CVE-2013-7329)
+
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.50-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
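Review bot: The new changelog entry is tagged `4.50-3` while `Release` in this same commit is bumped to `4%{?dist}`; rpmlint flags that as an incoherent version in the changelog, and the line should read `* Sun Feb 23 2014 Emmanuel Seyman <emmanuel at seyman.fr> - 4.50-4`. The entry directly below it already carries `4.50-3`, so the duplicate tag also makes the package history ambiguous.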