[perl-CGI-Application/f20] Patch CGI::Application to prevent information disclosure (CVE-2013-7329)

Emmanuel Seyman eseyman at fedoraproject.org
Sun Feb 23 10:30:53 UTC 2014


commit 4a3e00054e81d5007665ae7a93ea5022dbc2720b
Author: Emmanuel Seyman <emmanuel at seyman.fr>
Date:   Sun Feb 23 11:31:37 2014 +0100

    Patch CGI::Application to prevent information disclosure (CVE-2013-7329)

 CGI-Application-4.50-avoid-env-dump.patch |  135 +++++++++++++++++++++++++++++
 perl-CGI-Application.spec                 |    7 ++-
 2 files changed, 141 insertions(+), 1 deletions(-)
---
diff --git a/CGI-Application-4.50-avoid-env-dump.patch b/CGI-Application-4.50-avoid-env-dump.patch
new file mode 100644
index 0000000..52bcf06
--- /dev/null
+++ b/CGI-Application-4.50-avoid-env-dump.patch
@@ -0,0 +1,135 @@
+diff -up ./Build.PL.orig ./Build.PL
+--- ./Build.PL.orig	2014-02-23 10:22:32.554762664 +0100
++++ ./Build.PL	2014-02-23 10:23:46.633288834 +0100
+@@ -4,6 +4,7 @@ my $build = Module::Build->new
+    module_name => 'CGI::Application',
+    license => 'perl',
+    requires => {
++       'Module::Build'  => 0, 
+        'CGI'            => 0, 
+        'HTML::Template' => 0,
+        'Test::More'     => 0.47,
+diff -up ./lib/CGI/Application.pm.orig ./lib/CGI/Application.pm
+--- ./lib/CGI/Application.pm.orig	2014-02-23 10:24:06.506161873 +0100
++++ ./lib/CGI/Application.pm	2014-02-23 10:27:18.993935190 +0100
+@@ -359,6 +359,27 @@ sub dump_html {
+ }
+ 
+ 
++sub no_runmodes {
++
++       my $self   = shift;
++       my $query  = $self->query();
++       
++       # If no runmodes specified by app return error message 
++       my $current_runmode = $self->get_current_runmode();
++       my $query_params = $query->Dump;
++       
++       my $output = qq{
++               <h2>Error - No runmodes specified.</h2>
++               <p>Runmode called: $current_runmode"</p>
++               <p>Query paramaters:</p> $query_params
++               <p>Your application has not specified any runmodes.</p>
++               <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
++               cation/">CGI::Application</a> documentation.</p>
++       };
++       return $output;
++}
++
++
+ sub header_add {
+ 	my $self = shift;
+ 	return $self->_header_props_update(\@_,add=>1);
+@@ -513,7 +534,7 @@ sub run_modes {
+ 	my (@data) = (@_);
+ 
+ 	# First use?  Create new __RUN_MODES!
+-    $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
++    $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
+ 
+ 	my $rr_m = $self->{__RUN_MODES};
+ 
+@@ -1653,7 +1674,8 @@ Useful for outputting to STDERR.
+ The dump_html() method is a debugging function which will return
+ a chunk of text which contains all the environment and web form
+ data of the request, formatted nicely for human readability via
+-a web browser.  Useful for outputting to a browser.
++a web browser.  Useful for outputting to a browser. Please consider
++the security implications of using this in production code.
+ 
+ =head3 error_mode()
+ 
+diff -up ./t/basic.t.orig ./t/basic.t
+--- ./t/basic.t.orig	2014-02-23 10:27:32.938846521 +0100
++++ ./t/basic.t	2014-02-23 10:31:43.324258407 +0100
+@@ -1,6 +1,6 @@
+ 
+ use strict;
+-use Test::More tests => 110;
++use Test::More tests => 112;
+ 
+ BEGIN{use_ok('CGI::Application');}
+ 
+@@ -28,7 +28,7 @@ sub response_like {
+ }
+ 
+ # Instantiate CGI::Application
+-# run() CGI::Application object.	Expect header + output dump_html()
++# run() CGI::Application object.	Expect header + output no_runmodes()
+ {
+ 	my $app = CGI::Application->new();
+ 	isa_ok($app, 'CGI::Application');
+@@ -39,11 +39,29 @@ sub response_like {
+ 	response_like(
+ 		$app,
+ 		qr{^Content-Type: text/html},
+-		qr/Query Environment:/,
++		qr/Error - No runmodes specified./,
+ 		'base class response',
+ 	);
+ }
+ 
++# Instantiate CGI::Application
++# run() CGI::Application sub-class. 
++# Expect header + output dump_html()
++{
++       
++       my $app = TestApp->new();
++       $app->query(CGI->new({'test_rm' => 'dump_htm'}));
++
++       response_like(
++               $app,
++               qr{^Content-Type: text/html},
++               qr/Query Environment:/,
++               'dump_html class response'
++
++       );
++       
++}
++
+ # Instantiate CGI::Application sub-class.
+ # run() CGI::Application sub-class. 
+ # Expect HTTP header + 'Hello World: basic_test'.
+diff -up ./t/lib/TestApp.pm.orig ./t/lib/TestApp.pm
+--- ./t/lib/TestApp.pm.orig	2014-02-23 10:31:55.437181753 +0100
++++ ./t/lib/TestApp.pm	2014-02-23 10:34:29.725206590 +0100
+@@ -27,6 +27,7 @@ sub setup {
+  		'header_props_before_header_add'		=> \&header_props_before_header_add,
+  		'header_add_after_header_props'		=> \&header_add_after_header_props,
+ 
++    'dump_htm'    => 'dump_html',
+     'dump_txt'    => 'dump',
+ 		'eval_test'		=> 'eval_test',
+ 	);
+diff -up ./t/load_tmpl_hook.t.orig ./t/load_tmpl_hook.t
+--- ./t/load_tmpl_hook.t.orig	2014-02-23 10:35:34.509797752 +0100
++++ ./t/load_tmpl_hook.t	2014-02-23 10:36:24.831480420 +0100
+@@ -8,7 +8,7 @@ $ENV{CGI_APP_RETURN_ONLY} = 1;
+ my $app = CGI::Application->new();
+ my $out = $app->run;
+ 
+-like($out, qr/start/, "normal app output contains start");
++like($out, qr/Error - No runmodes specified/, "normal app output contains start");
+ unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
+ 
+  {
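Review bot: In the new `no_runmodes` sub, `$current_runmode` is interpolated straight into the HTML at `<p>Runmode called: $current_runmode"</p>`, whereas the query parameters beside it go through `$query->Dump`, which escapes them; the run-mode name can originate from the request's mode parameter, so it should get the same treatment, e.g. `my $current_runmode = $query->escapeHTML($self->get_current_runmode());` (relying on the CGI.pm API the same way the `Dump` call already does). That line also carries a stray closing `"` after the value, and `Query paramaters` should read `Query parameters`. The `href` literal is broken across two source lines (`CGI-Appli` / `cation`), so the emitted link contains a newline plus leading whitespace; keep the URL on one line inside the `qq{}`. The test description in `t/load_tmpl_hook.t`, `"normal app output contains start"`, no longer describes the assertion now that it matches `Error - No runmodes specified`.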
diff --git a/perl-CGI-Application.spec b/perl-CGI-Application.spec
index 5bc84fc..c1a0d73 100644
--- a/perl-CGI-Application.spec
+++ b/perl-CGI-Application.spec
@@ -1,11 +1,12 @@
 Name:           perl-CGI-Application
 Version:        4.50
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Framework for building reusable web-applications
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/CGI-Application/
 Source0:        http://search.cpan.org/CPAN/authors/id/M/MA/MARKSTOS/CGI-Application-%{version}.tar.gz
+Patch0:         CGI-Application-4.50-avoid-env-dump.patch
 BuildArch:      noarch
 BuildRequires:  perl(CGI)
 BuildRequires:  perl(Class::ISA)
@@ -26,6 +27,7 @@ implemented as a Sub-Class of CGI::Application.
 
 %prep
 %setup -q -n CGI-Application-%{version}
+%patch0 -p1
 
 %build
 %{__perl} Build.PL installdirs=vendor
@@ -48,6 +50,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;
 %{_mandir}/man3/*
 
 %changelog
+* Sun Feb 23 2014 Emmanuel Seyman <emmanuel at seyman.fr> - 4.50-9
+- Patch CGI::Application to prevent information disclosure (CVE-2013-7329)
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.50-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 

