This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 64261
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: ntyni [...] iki.fi
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

Attachments
0001-Improve-the-random-multipart-boundary-test.patch



Subject: multipart_init.t logic flaw
Hi,

investigating the multipart boundary issue (CVE-2010-2761), I noticed that test 5 in multipart_init.t that's supposed to test for a random boundary succeeds even without the fix. This is because $sv is created with an explicit fixed boundary, so the randomness doesn't make any difference.

I'm attaching a proposed fix. This is still present in the github repository.

Thanks for your work,
--
Niko Tyni
ntyni@debian.org
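To illustrate the test logic flaw the report describes, here is an added Python model (not CGI.pm's own code) of a multipart_init with a switchable predictable or random default boundary, alongside test 5 as originally written and as patched; the predictable default value is a constructed placeholder, not the one CGI.pm used.

```python
import secrets

# Constructed placeholder for a predictable default boundary, standing in for
# the pre-fix behaviour described in the ticket (CVE-2010-2761); it is not the
# value CGI.pm used.
PREDICTABLE_DEFAULT = "constructed_fixed_boundary"


def multipart_init(boundary=None, randomize=True):
    """Model of CGI.pm's multipart_init(): return the Content-Type header for a
    multipart/x-mixed-replace response (not CGI.pm's own code).

    randomize=False models the pre-fix module (predictable default boundary);
    randomize=True models the fixed module (fresh random default boundary).
    """
    if boundary is None:
        boundary = secrets.token_hex(16) if randomize else PREDICTABLE_DEFAULT
    return f'Content-Type: multipart/x-mixed-replace; boundary="{boundary}"\r\n\r\n'


def old_test(randomize):
    """Test 5 as originally written: $sv still holds the explicit-boundary
    result when it is compared against a single default-boundary call."""
    sv = multipart_init(boundary="this_is_another_boundary", randomize=randomize)
    sv2 = multipart_init(randomize=randomize)
    # Always true: an explicit boundary never equals the default one, so this
    # passes even when the default boundary is predictable.
    return sv != sv2


def new_test(randomize):
    """Test 5 as patched: both values come from default-boundary calls."""
    sv = multipart_init(randomize=randomize)
    sv2 = multipart_init(randomize=randomize)
    return sv != sv2


def catches_regression(test):
    """True if the test fails against the pre-fix model, i.e. it would actually
    detect the predictable-boundary behaviour the fix addressed."""
    return test(randomize=False) is False
```

Running catches_regression(old_test) shows the original test cannot distinguish the pre-fix module from the fixed one, while catches_regression(new_test) shows the patched test can.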
Subject: 0001-Improve-the-random-multipart-boundary-test.patch
From cadb707191b3a3efb39a94f36e03e9734c7277dc Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Mon, 27 Dec 2010 15:40:35 +0200 Subject: [PATCH] Improve the random multipart boundary test The test now actually fails without the random boundary fix (CVE-2010-2761). --- t/multipart_init.t | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/t/multipart_init.t b/t/multipart_init.t index 4da809a..f0a05e0 100644 --- a/t/multipart_init.t +++ b/t/multipart_init.t @@ -15,5 +15,6 @@ $sv = $q->multipart_init( -boundary => 'this_is_another_boundary' ); like($sv, qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')"); +$sv = $q->multipart_init; my $sv2 = $q->multipart_init; isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results"); -- 1.7.2.3
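Review bot: the added `$sv = $q->multipart_init;` makes the `isnt($sv,$sv2,...)` comparison meaningful, but the check still passes whenever two consecutive default-boundary calls differ at all, so a boundary that is unique per call yet predictable would not be caught. Consider also asserting that a default-boundary result no longer carries the fixed test value and still has a boundary at all, e.g. `unlike($sv, qr/this_is_another_boundary/, "default boundary is not the fixed one");` and `like($sv, qr/boundary="/, "default call sets a boundary");`.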
Subject: Re: [rt.cpan.org #64261] AutoReply: multipart_init.t logic flaw
Date: Mon, 27 Dec 2010 17:14:35 +0200
To: "Bugs in CGI.pm via RT" <bug-CGI.pm [...] rt.cpan.org>
From: Niko Tyni <ntyni [...] iki.fi>
On Mon, Dec 27, 2010 at 08:44:24AM -0500, Bugs in CGI.pm via RT wrote:
> investigating the multipart boundary issue (CVE-2010-2761), I noticed
> that test 5 in multipart_init.t that's supposed to test for a random
> boundary, succeeds even without the fix. This is because $sv is created
> with an explicit fixed boundary, so the randomness doesn't make any
> difference.
>
> I'm attaching a proposed fix. This is still present in the github
> repository.
Oops, I see multipart_init.t is _only_ present in the github repository. I suppose this report was rather premature in that case.

Apologies for any inconvenience.

Thanks again,
--
Niko Tyni
ntyni@debian.org
Thanks, I appreciate the input. Mark
Your patch has now been incorporated and released, with credit to you. Thanks again. Mark