Package: libcgi-expand-perl
Version: 2.05-3
User: debian-p...@lists.debian.org
Usertags: autopkgtest
This package fails its autopkgtest checks on ci.debian.net because of these warnings during the test suite:

  ok 30 - empty key
  CGI::param called in list context from /usr/share/perl5/CGI/Expand.pm line 66, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 404.
  [...]
  ok 31 - expand_cgi

My reading of the code is that it explicitly handles multiple values returned by param(), so it's not vulnerable to the parameter injection attacks. I'd love a second pair of eyes though.

The attached patch disables the warning.

(See <http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/> for some background on the vulnerability.)

-- 
Niko Tyni nt...@debian.org
>From 310aea92aaa91fbcba353591bfd68b13b8b183a4 Mon Sep 17 00:00:00 2001 From: Niko Tyni <nt...@debian.org> Date: Sat, 4 Jul 2015 23:29:40 +0300 Subject: [PATCH] Disable warning about CGI::param called in list context The code explicitly handles param() returning multiple values, disarming the parameter injection vulnerability. --- Expand.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Expand.pm b/Expand.pm index eb85850..e6be854 100644 --- a/Expand.pm +++ b/Expand.pm @@ -62,6 +62,8 @@ sub expand_cgi { # permit multiple values CGI style for ($cgi->param) { + # multiple values are explicitly handled + local $CGI::LIST_CONTEXT_WARN = 0; next if (/\.[xy]$/); # img_submit=val & img_submit.x=20 -> clash my @vals = $cgi->param($_); $args{$_} = @vals > 1 ? \@vals : $vals[0]; -- 2.1.4
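Review bot: the `local $CGI::LIST_CONTEXT_WARN = 0;` is placed inside the `for ($cgi->param)` loop body, so it is re-localised on every iteration even though it only needs to cover the `my @vals = $cgi->param($_);` call at line 66; placing it once at the top of `expand_cgi`, before the loop, would be clearer and still scopes the change to the sub. It would also help to note in the comment that `$CGI::LIST_CONTEXT_WARN` is only recognised by CGI.pm versions that emit the warning, so on older CGI.pm the assignment is a harmless no-op. The justification in the commit message holds as far as this hunk goes: `$args{$_} = @vals > 1 ? \@vals : $vals[0];` keeps duplicate values inside one hash slot rather than letting them spill into neighbouring keys, but it does mean a duplicated parameter changes the stored value from a scalar to an array reference, so callers of `expand_cgi` must be prepared for both shapes.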
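To make the "parameter injection" the warning refers to concrete, the following stand-alone script (an added example, not code from CGI::Expand, CGI.pm or the Debian patch) builds the same hash three ways: with param() in list context, with param() forced into scalar context, and with the all-values-into-an-array approach that Expand.pm uses. It assumes a CGI.pm recent enough to provide multi_param() (the explicit list-returning accessor) and uses a constructed query string with a repeated "name" parameter rather than a real request.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed input, not a real request: the "name" parameter is repeated,
# which anyone controlling the query string can do.
my $query = CGI->new('name=alice&name=is_admin&name=1');

# Vulnerable pattern: param() called in list context while building a hash.
# With several values for "name", the extra values are spliced into the
# key/value list and can overwrite keys listed earlier in the same hash.
sub build_vulnerable {
    my ($cgi) = @_;
    local $CGI::LIST_CONTEXT_WARN = 0;   # only to keep the demo quiet
    my %user = (
        is_admin => 0,
        name     => $cgi->param('name'),  # list context
    );
    return \%user;
}

# Fix 1: force scalar context, so only the first value is used and the
# hash keeps exactly the keys written in the source.
sub build_scalar {
    my ($cgi) = @_;
    my %user = (
        is_admin => 0,
        name     => scalar $cgi->param('name'),
    );
    return \%user;
}

# Fix 2 (the approach Expand.pm takes): collect every value into an array
# and store an arrayref when there is more than one. Nothing can leak into
# neighbouring hash slots, and callers see the multi-value case explicitly.
sub build_multi {
    my ($cgi) = @_;
    my @vals = $cgi->multi_param('name');
    my %user = (
        is_admin => 0,
        name     => @vals > 1 ? \@vals : $vals[0],
    );
    return \%user;
}

my @cases = (
    [ vulnerable => \&build_vulnerable ],
    [ scalar     => \&build_scalar     ],
    [ multi      => \&build_multi      ],
);

for my $case (@cases) {
    my ($label, $builder) = @$case;
    my $u    = $builder->($query);
    my $name = ref $u->{name}
             ? '[' . join(',', @{ $u->{name} }) . ']'
             : $u->{name};
    printf "%-10s name=%s is_admin=%s\n", $label, $name, $u->{is_admin};
}
```

Run it as a plain script; CGI->new() accepts a query string directly, so no web server or environment variables are needed. The vulnerable builder is the one whose is_admin value is controlled by the query, which is exactly why CGI.pm started warning about list-context calls. The multi-value builder is safe from that overwrite but hands callers either a string or an arrayref, which is the trade-off the Expand.pm patch relies on.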