On Wed, Oct 15, 2014 at 01:54:50PM +0100, Michael Tautschnig wrote:
> Version: 4.2.7-1
>
> During a rebuild of all Debian packages in a clean sid chroot (using cowbuilder
> and pbuilder) the build failed with the following error.
> # got warning: CGI::param called in list context from package
> HTML::Mason::Utils line 48, this can lead to vulnerabilities. See the warning
> in "Fetching the value or values of a single named parameter" at
> /usr/share/perl5/CGI.pm line 425.
This looks like sid contains a new enough CGI.pm to have a warning about param
in list context (later than 4.05), but HTML::Mason hasn't been updated to tell
CGI.pm to be quiet.

https://packages.debian.org/unstable/perl/libcgi-pm-perl

HTML::Mason needs to patch in
https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter

Looking at the code, it doesn't fall prey to the vulnerability that I can see.

    # @methods is some combination of param and url_param
    # depending on submission method
    my @values = map { $q->$_($key) } @methods;
    $args{$key} = @values == 1 ? $values[0] : \@values;

local'ing in the CGI.pm "stop warning" variable seems fine.

Not something we can really fix at the RT level, but certainly something that
should end up being fixed in HTML::Mason. I'll open an rt.cpan.org bug later if
I have a chance (I'm not sure if you also need a bug against the
libhtml-mason-perl package in sid).

-kevin
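The following is an added illustration, not code from this thread, from HTML::Mason or from RT, of why CGI.pm warns about param() in list context and of the two safe patterns the thread refers to. It assumes a CGI.pm recent enough to provide multi_param() and the $CGI::LIST_CONTEXT_WARN variable (4.08 or later); the query string is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: the client sends several "name" values. In list
# context param('name') returns all of them, not just the first.
my $q = CGI->new('name=alice&name=role&name=admin&comment=hi');

# Unsafe: param() in list context inside a hash initialiser. The extra
# values are flattened into the key/value list and the last "role" pair
# wins, so a value the code meant to hard-code is overwritten by input.
sub build_args_unsafe {
    my ($cgi) = @_;
    my %args = (
        role => 'user',
        name => $cgi->param('name'),   # list context: 3 elements spill in
    );
    return \%args;
}

# Safe: force scalar context when one value is wanted, and ask for the
# list explicitly with multi_param() when several are genuinely wanted.
sub build_args_safe {
    my ($cgi) = @_;
    my %args = (
        role => 'user',
        name => scalar $cgi->param('name'),   # first value only
    );
    $args{all_names} = [ $cgi->multi_param('name') ];
    return \%args;
}

# The HTML::Mason shape from the thread: list context is intentional, the
# values land in an array (not a hash initialiser) and are folded into a
# scalar or arrayref afterwards, so nothing can spill into other keys.
# local'ing the warn flag silences CGI.pm only for this scope.
sub build_args_mason_style {
    my ($cgi) = @_;
    local $CGI::LIST_CONTEXT_WARN = 0;
    my %args;
    for my $key ($cgi->param) {             # no args: list of parameter names
        my @values = $cgi->param($key);
        $args{$key} = @values == 1 ? $values[0] : \@values;
    }
    return \%args;
}

my $unsafe = build_args_unsafe($q);
my $safe   = build_args_safe($q);
my $mason  = build_args_mason_style($q);

print "unsafe role : $unsafe->{role}\n";   # admin  (attacker-controlled)
print "safe role   : $safe->{role}\n";     # user
print "safe names  : @{ $safe->{all_names} }\n";
print "mason name  : @{ $mason->{name} }\n";   # alice role admin (arrayref)
print "mason comment: $mason->{comment}\n";    # hi (single value, plain scalar)
```

The unsafe function shows the condition CGI.pm is warning about: list context is only dangerous when the returned list is spliced into a larger key/value list. The Mason-style function is the pattern Kevin describes as not vulnerable, which is why localising the warning flag there is a reasonable fix rather than a cover-up.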