r65155 - in /trunk/libcgi-pm-perl: Changes META.yml debian/changelog lib/CGI.pm lib/CGI/Cookie.pm t/http.t
Sun Nov 21 10:40:41 UTC 2010
Author: periapt-guest
Date: Sun Nov 21 10:40:35 2010
New Revision: 65155
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=65155
Log:
* Updated format of watch file to handle upstream change
* New upstream release
Modified:
trunk/libcgi-pm-perl/Changes
trunk/libcgi-pm-perl/META.yml
trunk/libcgi-pm-perl/debian/changelog
trunk/libcgi-pm-perl/lib/CGI.pm
trunk/libcgi-pm-perl/lib/CGI/Cookie.pm
trunk/libcgi-pm-perl/t/http.t
Modified: trunk/libcgi-pm-perl/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-pm-perl/Changes?rev=65155&op=diff
==============================================================================
--- trunk/libcgi-pm-perl/Changes (original)
+++ trunk/libcgi-pm-perl/Changes Sun Nov 21 10:40:35 2010
@@ -1,3 +1,21 @@
+Version 3.50
+
+ [SECURITY]
+ 1. The MIME boundary in multipart_init is now random.
+ Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg
+ 2. Further improvements to handling of newlines embedded in header values.
+ An exception is thrown if header values contain invalid newlines.
+ Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
+ Lincoln Stein, Frédéric Buclin and Mark Stosberg
+
+ [DOCUMENTATION]
+ 1. Correcting/clarifying documentation for param_fetch(). Thanks to
+ Renée Bäcker. (RT#59132)
+
+ [INTERNALS]
+ 1. Fixing https test in http.t. (RT#54768)
+ 2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
+
Version 3.49
[BUG FIXES]
Modified: trunk/libcgi-pm-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-pm-perl/META.yml?rev=65155&op=diff
==============================================================================
--- trunk/libcgi-pm-perl/META.yml (original)
+++ trunk/libcgi-pm-perl/META.yml Sun Nov 21 10:40:35 2010
@@ -1,15 +1,25 @@
--- #YAML:1.0
-name: CGI.pm
-version: 3.49
-abstract: ~
-license: ~
-author: ~
-generated_by: ExtUtils::MakeMaker version 6.42
-distribution_type: module
-requires:
- FCGI: 0.67
- File::Spec: 0.82
- Test::More: 0.8
+name: CGI.pm
+version: 3.50
+abstract: ~
+author: []
+license: unknown
+distribution_type: module
+configure_requires: {}
+build_requires: {}
+requires:
+ FCGI: 0.67
+ File::Spec: 0.82
+ perl: 5.006000
+ Test::More: 0.8
+resources:
+ repository: http://github.com/markstos/CGI.pm/tree/master
+no_index:
+ directory:
+ - t
+ - inc
+ - t
+generated_by: ExtUtils::MakeMaker version 6.55_02
meta-spec:
- url: http://module-build.sourceforge.net/META-spec-v1.3.html
- version: 1.3
+ url: http://module-build.sourceforge.net/META-spec-v1.4.html
+ version: 1.4
Modified: trunk/libcgi-pm-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-pm-perl/debian/changelog?rev=65155&op=diff
==============================================================================
--- trunk/libcgi-pm-perl/debian/changelog (original)
+++ trunk/libcgi-pm-perl/debian/changelog Sun Nov 21 10:40:35 2010
@@ -1,4 +1,4 @@
-libcgi-pm-perl (3.49-2) UNRELEASED; urgency=low
+libcgi-pm-perl (3.50-1) UNRELEASED; urgency=low
[ gregor herrmann ]
* debian/rules: switch order of arguments to dh.
@@ -10,9 +10,10 @@
* Added myself to Uploaders
* Upped standards version
* Removed quilt cruft
- * Updated format of warch file to handle upstream change
+ * Updated format of watch file to handle upstream change
+ * New upstream release
- -- gregor herrmann <gregoa at debian.org> Wed, 28 Jul 2010 14:32:15 -0400
+ -- Nicholas Bamber <nicholas at periapt.co.uk> Sun, 21 Nov 2010 10:42:23 +0000
libcgi-pm-perl (3.49-1) unstable; urgency=low
Modified: trunk/libcgi-pm-perl/lib/CGI.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-pm-perl/lib/CGI.pm?rev=65155&op=diff
==============================================================================
--- trunk/libcgi-pm-perl/lib/CGI.pm (original)
+++ trunk/libcgi-pm-perl/lib/CGI.pm Sun Nov 21 10:40:35 2010
@@ -18,8 +18,9 @@
# The most recent version and complete docs are available at:
# http://stein.cshl.org/WWW/software/CGI/
+# The revision is no longer being updated since moving to git.
$CGI::revision = '$Id: CGI.pm,v 1.266 2009/07/30 16:32:34 lstein Exp $';
-$CGI::VERSION='3.49';
+$CGI::VERSION='3.50';
# HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
# UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -1457,7 +1458,14 @@
sub multipart_init {
my($self, at p) = self_or_default(@_);
my($boundary, at other) = rearrange_header([BOUNDARY], at p);
- $boundary = $boundary || '------- =_aaaaaaaaaa0';
+ if (!$boundary) {
+ $boundary = '------- =_';
+ my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+ for (1..17) {
+ $boundary .= $chrs[rand(scalar @chrs)];
+ }
+ }
+
$self->{'separator'} = "$CRLF--$boundary$CRLF";
$self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
$type = SERVER_PUSH($boundary);
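Review bot: The boundary built in the new `for (1..17)` loop comes from Perl's `rand`, a process-global, non-cryptographic generator, so an earlier `srand` with a fixed seed anywhere in the host application (common in test harnesses) makes every generated boundary reproducible, which undoes the point of this [SECURITY] change. The code also does not record why the value must be unpredictable; a comment above `if (!$boundary)` such as `# Random boundary so untrusted body content cannot be crafted to contain it; rand() is not a CSPRNG and a prior fixed srand() makes it repeatable.` would carry that for the next maintainer. A caller-supplied `-boundary` is still used unchecked here; whether a CRLF in it is rejected later depends on header(), which is outside this hunk.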
@@ -1545,12 +1553,19 @@
# CR escaping for values, per RFC 822
for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p, at other) {
if (defined $header) {
- $header =~ s/
- (?<=\n) # For any character proceeded by a newline
- (?=\S) # ... that is not whitespace
- / /xg; # ... inject a leading space in the new line
- }
- }
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+ # followed by a LWSP-char as equivalent to the LWSP-char.
+ $header =~ s/$CRLF(\s)/$1/g;
+
+ # All other uses of newlines are invalid input.
+ if ($header =~ m/$CRLF/) {
+ # shorten very long values in the diagnostic
+ $header = substr($header,0,72).'...' if (length $header > 72);
+ die "Invalid header value contains a newline not followed by whitespace: $header";
+ }
+ }
+ }
$nph ||= $NPH;
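Review bot: The rejection test `if ($header =~ m/$CRLF/)` only matches the platform `$CRLF` sequence, so a bare LF or bare CR in a header value passes through untouched although many HTTP parsers accept a lone LF as a line terminator; it should read `if ($header =~ m/$CRLF|\015|\012/) {`. The unfolding line `$header =~ s/$CRLF(\s)/$1/g;` opens the same gap from the other side: `\s` also matches `\r` and `\n`, so `CRLF LF` unfolds to a bare LF that the following check then misses, whereas RFC 822's LWSP-char is only SPACE or HTAB, i.e. `$header =~ s/$CRLF([ \t])/$1/g;` is what the comment above it describes. The existing comment `# CR escaping for values, per RFC 822` at the top of the hunk now describes validation rather than escaping and should say so. The enclosing header() body starts before and continues after this hunk.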
@@ -1614,7 +1629,6 @@
return $header;
}
END_OF_FUNC
-
#### Method: cache
# Control whether header() will produce the no-cache
@@ -4707,9 +4721,10 @@
unshift @{$q->param_fetch(-name=>'address')},'George Munster';
If you need access to the parameter list in a way that isn't covered
-by the methods above, you can obtain a direct reference to it by
-calling the B<param_fetch()> method with the name of the . This
-will return an array reference to the named parameters, which you then
+by the methods given in the previous sections, you can obtain a direct
+reference to it by
+calling the B<param_fetch()> method with the name of the parameter. This
+will return an array reference to the named parameter, which you then
can manipulate in any way you like.
You can also use a named argument style using the B<-name> argument.
Modified: trunk/libcgi-pm-perl/lib/CGI/Cookie.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-pm-perl/lib/CGI/Cookie.pm?rev=65155&op=diff
==============================================================================
--- trunk/libcgi-pm-perl/lib/CGI/Cookie.pm (original)
+++ trunk/libcgi-pm-perl/lib/CGI/Cookie.pm Sun Nov 21 10:40:35 2010
@@ -305,7 +305,9 @@
For full information on cookies see
- http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt
+ http://tools.ietf.org/html/rfc2109
+ http://tools.ietf.org/html/rfc2965
+ http://tools.ietf.org/html/draft-ietf-httpstate-cookie
=head1 USING CGI::Cookie
@@ -355,18 +357,19 @@
If the "secure" attribute is set, the cookie will only be sent to your
script if the CGI request is occurring on a secure channel, such as SSL.
-=item B<4. httponly flag>
+=item B<5. httponly flag>
If the "httponly" attribute is set, the cookie will only be accessible
through HTTP Requests. This cookie will be inaccessible via JavaScript
(to prevent XSS attacks).
-But, currently this feature only used and recognised by
-MS Internet Explorer 6 Service Pack 1 and later.
-
-See this URL for more information:
-
-L<http://msdn.microsoft.com/en-us/library/ms533046%28VS.85%29.aspx>
+This feature is only supported by recent browsers like Internet Explorer
+6 Service Pack 1, Firefox 3.0 and Opera 9.5 (and later of course).
+
+See these URLs for more information:
+
+ http://msdn.microsoft.com/en-us/library/ms533046.aspx
+ http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly
=back
Modified: trunk/libcgi-pm-perl/t/http.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libcgi-pm-perl/t/http.t?rev=65155&op=diff
==============================================================================
--- trunk/libcgi-pm-perl/t/http.t (original)
+++ trunk/libcgi-pm-perl/t/http.t Sun Nov 21 10:40:35 2010
@@ -34,8 +34,8 @@
# https()
# The same as http(), but operates on the HTTPS environment variables present when the SSL protocol is in
# effect. Can be used to determine whether SSL is turned on.
- local $ENV{'HTTPS'} = 'ON';
- local $ENV{'HTTPS_KEYSIZE'} = 512;
+ local %ENV;
+ @ENV{qw/ HTTPS HTTPS_KEYSIZE /} = ('ON', 512);
is $cgi->https(), 'ON', 'scalar context to check SSL is on';
ok eq_set( [$cgi->https()], [qw(HTTPS HTTPS_KEYSIZE)]), 'list context returns https keys';
}
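Review bot: `local %ENV;` on the new line empties the whole environment for the rest of the block, not just the two HTTPS keys, and nothing states why; a comment such as `# Start from an empty %ENV so HTTPS_* variables already set on the test host cannot leak into the list-context result (RT#54768).` would make the intent clear, and the Changes entry for this release ties the http.t fix to that ticket. The block this code runs in opens before the hunk.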