
This queue is for tickets about the CGI-FormBuilder CPAN distribution.

Report information
The Basics
Id: 99781
Status: new
Priority: 0/
Queue: CGI-FormBuilder

People
Owner: Nobody in particular
Requestors: gregoa [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



From: gregoa [...] cpan.org
Subject: libcgi-formbuilder-perl: please call CGI->param_fetch instead of CGI->param in array context
We have the following bug reported to the Debian package of CGI-FormBuilder (https://bugs.debian.org/766087):
It doesn't seem to be a bug in the packaging, so you may want to take a look.
Thanks!

------8<-----------8<-----------8<-----------8<-----------8<-----

Package: libcgi-formbuilder-perl
Version: 3.08-2
Severity: normal
Tags: patch
X-Debbugs-Cc: Amitai Schlair <schmonz-web-ikiwiki@schmonz.com>

CGI->param has the misfeature that it is context-sensitive, and in particular can expand to more than one scalar in function calls. This led to a security vulnerability in Bugzilla, and recent versions of CGI.pm will warn when it is used in this way.

% REQUEST_METHOD=GET QUERY_STRING='a=1&a=2&b=3' \
  perl -Mstrict -Mwarnings -MCGI \
  -e 'my $q = new CGI; my $as = join ",", $q->param("a"); print "$as\n"'
CGI::param called in list context from package main line 1, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
1,2

I have checked the CGI::FormBuilder code and I could not find any instances of this being an actual vulnerability. The attached patches 0004 to 0007 switch from list-context param('x') to explicitly list-valued @{param_fetch('x')} to avoid these warnings. Two of them are from Amitai Schlair via pkgsrc, two are additional patches from me. They appear to be compatible with all CGI.pm versions back to at least 2000.

The attached patch "Add-patches-from-pkgsrc-and-an-extra-similar-patch-t.patch" alters the Debian packaging (based on the version in pkg-perl git) to add those patches.

Please consider applying these and/or forwarding them upstream.

Thanks,
    S

------8<-----------8<-----------8<-----------8<-----------8<-----

Thanks for considering,
gregor herrmann, Debian Perl Group
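As an added illustration (not part of the ticket and not CGI::FormBuilder code), the script below shows the list-context expansion the report describes and the two explicit alternatives the patches rely on: `scalar` where one value is wanted and `param_fetch` where a list is wanted. The query string, field names and subroutine names are constructed for this example; it assumes CGI.pm is installed.

```perl
#!/usr/bin/perl
# Added example: context-sensitive CGI->param versus explicit forms.
use strict;
use warnings;
use CGI;

# Constructed request: "login" is supplied three times, "tag" twice.
# In list context param('login') expands to three scalars, not one.
my $q = CGI->new('login=alice&login=is_admin&login=1&tag=x&tag=y');

# Unsafe: param() in list context flattens into the hash constructor, so
# the extra "login" values become a new key/value pair that overrides
# is_admin. Recent CGI.pm also warns about this call.
sub build_record_unsafe {
    my ($cgi) = @_;
    my %rec = (is_admin => 0, login => $cgi->param('login'));
    return \%rec;
}

# Safe: force scalar context where exactly one value is expected.
# scalar param() returns only the first value of a multi-valued field.
sub build_record_safe {
    my ($cgi) = @_;
    my %rec = (is_admin => 0, login => scalar $cgi->param('login'));
    return \%rec;
}

# Safe: where a list is genuinely wanted, say so with param_fetch, which
# returns an array reference (empty for a missing field). This is the form
# the Debian/pkgsrc patches substitute for list-context param('x').
sub tags {
    my ($cgi) = @_;
    return @{ $cgi->param_fetch('tag') };
}

my $unsafe = build_record_unsafe($q);
my $safe   = build_record_safe($q);
printf "unsafe: is_admin=%s login=%s\n", $unsafe->{is_admin}, $unsafe->{login};
printf "safe:   is_admin=%s login=%s\n", $safe->{is_admin},   $safe->{login};
printf "tags:   %s\n", join ',', tags($q);
```

Run it with a CGI.pm of version 4.08 or later to see the warning the report quotes emitted for the unsafe subroutine only.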

