This queue is for tickets about the CGI-Application CPAN distribution.

Report information
The Basics
Id: 84403
Status: resolved
Priority: 0/
Queue: CGI-Application

People
Owner: mcgrath.martin [...] gmail.com
Requestors: tomas.zemres [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 4.50
Fixed in:
  • 4.50_50
  • 4.50_51



Subject: Security problem: missing "start" mode dumps ENV to output page
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Content-Disposition: inline
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 368
If I forget to assign the run mode "start", it internally calls "dump_html" instead. It prints $ENV into the HTTP response. In a development environment it may be useful, but in production mode it may be a security problem. Better would be to display something like "HTTP 500 Internal Server Error" about the missing run-mode/start-mode instead of dumping the server $ENV to website users in a production environment.
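
The defensive setup the report asks for, written out as an added example; this is not code from the ticket or from the CGI-Application distribution, and the application name MyApp, the MYAPP_ENV environment variable and the run-mode names are assumptions made for illustration. It registers every run mode explicitly (including "start", so the fallback to dump_html described above is never used), points start_mode() at a registered handler, answers unknown run modes with a fixed 404 and a dying run mode with a fixed 500, and keeps the built-in dump_html/dump handlers reachable only when the process is explicitly marked as development:

```perl
#!/usr/bin/perl
use strict;
use warnings;

package MyApp;   # assumed application name, not from the ticket
use parent 'CGI::Application';

# setup() is where CGI::Application expects run modes to be registered.
# Registering "start" ourselves overrides the default mapping of "start"
# to dump_html that the ticket describes, so neither a request without a
# run-mode parameter nor an explicit rm=start can reach the %ENV dump.
sub setup {
    my $self = shift;

    $self->mode_param('rm');
    $self->start_mode('home');
    $self->run_modes(
        start    => 'home',
        home     => 'home',
        # Any run mode not registered here (including rm=dump_html)
        # is routed to not_found() instead of producing an error page.
        AUTOLOAD => 'not_found',
    );

    # A run mode that dies is routed here rather than to the default
    # error output.
    $self->error_mode('server_error');
}

sub home {
    my $self = shift;
    $self->header_props(-type => 'text/plain; charset=UTF-8');
    return "Hello from MyApp.\n";
}

# AUTOLOAD handler: receives the name of the run mode that was requested.
sub not_found {
    my ($self, $requested_rm) = @_;
    # The requested name goes to the server log; the client only learns
    # that the page does not exist.
    warn 'unknown run mode requested: '
        . (defined $requested_rm ? $requested_rm : '(none)') . "\n";
    $self->header_props(-status => '404 Not Found',
                        -type   => 'text/plain; charset=UTF-8');
    return "404 Page Not Found\n";
}

# error_mode handler: receives the exception text from the failed run mode.
sub server_error {
    my ($self, $error) = @_;
    # The exception text stays in the server log; the response body is fixed.
    warn "run mode failed: $error";
    $self->header_props(-status => '500 Internal Server Error',
                        -type   => 'text/plain; charset=UTF-8');
    return "500 Internal Server Error\n";
}

# Belt and braces: should a later change map some run mode back onto the
# built-in dumpers, only a process started with MYAPP_ENV=development (an
# assumed, application-specific variable) ever returns the %ENV dump.
sub dump_html {
    my $self = shift;
    return $self->SUPER::dump_html(@_) if _is_development();
    return $self->not_found('dump_html');
}

sub dump {
    my $self = shift;
    return $self->SUPER::dump(@_) if _is_development();
    return $self->not_found('dump');
}

sub _is_development {
    return (defined $ENV{MYAPP_ENV} && $ENV{MYAPP_ENV} eq 'development') ? 1 : 0;
}

package main;

# run() picks the run mode from the 'rm' parameter (or start_mode() when
# it is absent), calls the handler and prints the headers and body.
MyApp->new->run;
```

To check the behaviour without a web server, CGI.pm reads the query from the environment in GET mode: `REQUEST_METHOD=GET QUERY_STRING=rm=dump_html perl myapp.cgi` should print a 404 header and body, `REQUEST_METHOD=GET QUERY_STRING= perl myapp.cgi` the home page, and only `MYAPP_ENV=development REQUEST_METHOD=GET QUERY_STRING=rm=dump_html perl myapp.cgi` still returns a 404 (dump_html is not a registered run mode) while a registered mode that calls the dumper would show %ENV.
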
From: tnt [...] netsafe.cz
Maybe a better default start-mode would render: 404 Page Not Found
Thanks for the report.
From: mcgrath.martin [...] gmail.com
On Wed Apr 03 13:37:24 2013, MARKSTOS wrote:
> Thanks for the report.
Pull request to address this issue: https://github.com/markstos/CGI--Application/pull/15
Fixed in the dev releases 4.50_50 and 4.50_51 and in the 4.60 release: https://metacpan.org/pod/CGI::Application

