> An API change introduced in 2008 already (commit 61d327646f01fe) may
> cause unexpected and unwanted data dumps of a complete set of web query
> data and environment to the public. Developers of web apps written
> before the change are probably unaware of the problem since the general
> behaviour does change only in the case of a software error.
For those who haven't looked at it in detail, the bug here is that CGI::Application will dump the script environment to the web client if the Perl application that uses it doesn't define a start runmode. However, not defining a start runmode is an erroneous use of the library and a bug in the calling application, and all the examples in the documentation do set a start runmode.

I agree that the behavior when a runmode is not defined is surprising and a bug, but I think treating it as a full-blown security vulnerability in CGI::Application (as opposed to the calling application) may be overkill. That said, it looks like Fedora did treat it as a security update.

The patch in the GitHub pull request does look correct (although it's an irritating patch from a security perspective since it includes apparently arbitrary code reformatting).

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
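An added example, not code from this thread or from CGI::Application itself: a minimal application that declares its start run mode explicitly (so the library's default mapping of `start` to its diagnostic dumper is never reached) and refuses to serve if any run mode still points at that dumper. The hook and accessor names are CGI::Application's own; the `home` run mode, `show_home` and `show_error` are assumed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): explicit start run mode plus a
# startup self-check for the environment-dump behaviour discussed above.
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';

sub setup {
    my $self = shift;
    $self->mode_param('rm');
    # Never leave this at the library default: without an explicit start
    # mode the 'start' run mode is served by CGI::Application's dumper.
    $self->start_mode('home');
    $self->run_modes( home => 'show_home' );
    # Exceptions inside run modes go to a handler that does not echo query
    # data or the environment back to the client.
    $self->error_mode('show_error');
}

# Runs before every request: fail closed if a run mode maps to the
# library's diagnostic method by name.
sub cgiapp_prerun {
    my $self = shift;
    my %rm = $self->run_modes;
    for my $mode ( keys %rm ) {
        my $target = $rm{$mode};
        next if ref $target;                  # coderefs cannot be dump_html
        die "run mode '$mode' maps to dump_html; refusing to serve\n"
            if $target eq 'dump_html';
    }
}

sub show_home { return "Hello from the 'home' run mode\n" }

sub show_error {
    my ( $self, $err ) = @_;
    warn "MyApp error: $err";                # detail goes to the log only
    return "An internal error occurred.\n";  # nothing sensitive to the client
}

package main;
MyApp->new->run;
```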