Bug#766087: libcgi-formbuilder-perl: please call CGI->param_fetch instead of CGI->param in array context

Simon McVittie smcv at debian.org
Mon Oct 20 18:57:09 UTC 2014


Package: libcgi-formbuilder-perl
Version: 3.08-2
Severity: normal
Tags: patch
X-Debbugs-Cc: Amitai Schlair <schmonz-web-ikiwiki at schmonz.com>

CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.

% REQUEST_METHOD=GET QUERY_STRING='a=1&a=2&b=3' \
  perl -Mstrict -Mwarnings -MCGI \
  -e 'my $q = new CGI; my $as = join ",", $q->param("a"); print "$as\n"'
CGI::param called in list context from package main line 1, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
1,2

I have checked the CGI::FormBuilder code and I could not find any instances
of this being an actual vulnerability.

The attached patches 0004 to 0007 switch from list-context param('x')
to explicitly list-valued @{param_fetch('x')} to avoid these warnings.
Two of them are from Amitai Schlair via pkgsrc, two are additional
patches from me. They appear to be compatible with all CGI.pm versions
back to at least 2000.

The attached patch "Add-patches-from-pkgsrc-and-an-extra-similar-patch-t.patch"
alters the Debian packaging (based on the version in pkg-perl git) to add
those patches.

Please consider applying these and/or forwarding them upstream.

Thanks,
    S

-- System Information:
Debian Release: jessie/sid
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcgi-formbuilder-perl depends on:
ii  perl  5.20.1-2

Versions of packages libcgi-formbuilder-perl recommends:
ii  libhtml-parser-perl  3.71-1+b2

Versions of packages libcgi-formbuilder-perl suggests:
ii  libcgi-session-perl    4.48-1
pn  libcgi-ssi-perl        <none>
ii  libhtml-template-perl  2.95-1
pn  libtemplate-perl       <none>
ii  libtext-template-perl  1.46-1

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Add-patches-from-pkgsrc-and-an-extra-similar-patch-t.patch
Type: text/x-diff
Size: 6943 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20141020/174d523e/attachment-0005.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
Type: text/x-diff
Size: 897 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20141020/174d523e/attachment-0006.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
Type: text/x-diff
Size: 1034 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20141020/174d523e/attachment-0007.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-Fix-another-use-of-param-that-will-cause-a-warning-i.patch
Type: text/x-diff
Size: 742 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20141020/174d523e/attachment-0008.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-Comment-that-cgi_param-is-context-sensitive-just-lik.patch
Type: text/x-diff
Size: 634 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20141020/174d523e/attachment-0009.patch>
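An added illustration of the misfeature described in the report above; it is not code from CGI::FormBuilder, from the attached patches, or from the bug reporter. The request, the user-record hash and its field names (name, is_admin) are constructed for this example. It shows why a multi-valued parameter in list context can overwrite a hash key the code never intended to take from the request, and the two fixes: scalar context when one value is wanted, and an explicit @{ param_fetch(...) } when a list is wanted, as the 0004 to 0007 patches do. Only CGI.pm is required; with CGI.pm 4.05 or newer the vulnerable function also triggers the list-context warning quoted in the report.

```perl
#!/usr/bin/perl
# Added example; not part of CGI::FormBuilder or of the attached patches.
use strict;
use warnings;
use CGI;

# Constructed request (not a real capture): the attacker repeats "name" so
# that the extra values spill into whatever list param('name') expands into.
$ENV{REQUEST_METHOD} = 'GET';
$ENV{QUERY_STRING}   = 'name=alice&name=is_admin&name=1';

# Vulnerable: inside a hash constructor param('name') is in list context, so
# the hash sees (is_admin => 0, name => 'alice', is_admin => 1) and the
# attacker-supplied pair overrides the hard-coded is_admin => 0.
sub build_user_vulnerable {
    my ($q) = @_;
    my %user = (
        is_admin => 0,
        name     => $q->param('name'),
    );
    return \%user;
}

# Fixed, one value wanted: force scalar context. param() then returns only
# the first value, so the hash keeps its shape whatever the request contains.
sub build_user_fixed {
    my ($q) = @_;
    my %user = (
        is_admin => 0,
        name     => scalar $q->param('name'),
    );
    return \%user;
}

# Fixed, all values wanted: ask for them explicitly. param_fetch() returns an
# array reference (empty if the parameter is absent), so the caller's intent
# is visible and no list-context warning is emitted by CGI.pm 4.05+.
sub all_names {
    my ($q) = @_;
    return @{ $q->param_fetch('name') };
}

my $q = CGI->new;

for my $builder (\&build_user_vulnerable, \&build_user_fixed) {
    my $user = $builder->($q);
    printf "name=%s is_admin=%s keys=%d\n",
        $user->{name}, $user->{is_admin}, scalar keys %$user;
}
printf "all names: %s\n", join ',', all_names($q);
```

Run it as a plain script; the environment variables at the top stand in for the web server, so no HTTP request is needed. The same shape problem applies to any list-context call site, not just hash constructors: an argument list to a function with positional parameters, or a list assignment, will silently absorb the extra values in the same way, which is why the report recommends auditing every param('x') call rather than only the ones that build hashes.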