r67195 - /trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch
bremner at users.alioth.debian.org
Sat Jan 8 23:58:16 UTC 2011
Author: bremner
Date: Sat Jan 8 23:58:09 2011
New Revision: 67195
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=67195
Log:
remove part of cve-2010-4410.patch modifying CGI::Simple.pm; keep test.
The functional part of the patch seems to be superseded by changes in
upstream 1.113.
Modified:
trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch
Modified: trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch?rev=67195&op=diff
==============================================================================
--- trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch (original)
+++ trunk/libcgi-simple-perl/debian/patches/cve-2010-4410.patch Sat Jan 8 23:58:09 2011
@@ -1,4 +1,4 @@
-Description: Fix CVS-2010-4410
+Description: test for Fix CVS-2010-4410
Always check for CRLF in supplied header values and require that CRLF
is followed by a whitespace, in which case the CRLF is stripped.
Die if CRLF is followed by non-whitespace character.
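Review bot: the new Description line still reads "CVS-2010-4410" where the patch file name uses "cve-2010-4410", so the identifier should be corrected to "CVE-2010-4410" while this line is being touched anyway. The unchanged body below it ("Always check for CRLF in supplied header values ... Die if CRLF is followed by non-whitespace character") still describes the functional change that this revision removes; with only the test left in the patch, reword it to say that the test verifies this behaviour in upstream 1.113.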
@@ -6,22 +6,6 @@
Author: Damyan Ivanov <dmn at debian.org>
Forwarded: https://rt.cpan.org/Ticket/Display.html?id=64160
---- a/lib/CGI/Simple.pm
-+++ b/lib/CGI/Simple.pm
-@@ -995,7 +995,12 @@ sub header {
-
- # Don't use \s because of perl bug 21951
- next
-- unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/;
-+ unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s;
-+
-+ my $CRLF = $self->crlf;
-+ $value =~ s/$CRLF(\s)/$1/sg;
-+ $value =~ /$CRLF|\012|\015/ and die "Invalid header value -- CRLF not followed by whitespace";
-+
- ( $_ = $header )
- =~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e;
- }
--- /dev/null
+++ b/t/120.header-crlf.t
@@ -0,0 +1,20 @@
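Review bot: the dropped lib/CGI/Simple.pm section rejected a bare \012 or \015 as well as $CRLF (`$value =~ /$CRLF|\012|\015/ and die ...`), and the log only says the upstream 1.113 change "seems to" supersede it. Before relying on that, confirm that t/120.header-crlf.t, now the only thing this patch adds, passes against unpatched 1.113 and exercises the bare-LF and bare-CR cases in addition to CRLF followed by a non-whitespace character. The test body is not visible in this mail, so its coverage cannot be checked from here; stating the result of that check in the log would make the removal auditable.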