Skip Menu |
 

This queue is for tickets about the POE-Component-Client-HTTP CPAN distribution.

Report information
The Basics
Id: 30400
Status: resolved
Priority: 0/
Queue: POE-Component-Client-HTTP

People
Owner: Nobody in particular
Requestors: hanenkamp [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.82
Fixed in: (no value)



Subject: Security issue with the way cookies are handled
Download (untitled) / with headers
text/plain 1010b
There's a critical security problem with POE::Component::Client::HTTP. In the Request module, it clones the current request to perform redirects. If the redirect goes from one server to another, the cookies from the first server are passed to the second, which is a violation of the cookies spec. If the request is going to be cloned this way, then at least the "Cookie" header (and possibly others) needs to be sanitized. This is my recommendation. This snippet with the added remove_header() call I'm suggesting is from around line 449 of POE::Component::Client::HTTP::Request in check_redirect(). else { # All fine, yield new request and mark this disabled. my $newrequest = $self->[REQ_REQUEST]->clone(); + $newrequest->remove_header('Cookie'); DEBUG and warn "RED: new request $newrequest"; $newrequest->uri($new_uri); _set_host_header ($newrequest); $self->[REQ_STATE] = RS_REDIRECTED; DEBUG and warn "RED: new request $newrequest"; return $newrequest; }
Download (untitled) / with headers
text/plain 149b
Thank you again. I've applied your security change as revision 316 and commented it with a TODO to consider whether other headers should be removed.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.