Control: tag -1 + patch

On Mon, 13 Oct 2014 10:47:13 -0400, Bugs in CGI-Application-Plugin-Authentication via RT wrote:

> -------------------------------------------------------------------------
> We have the following bug reported to the Debian package of
> CGI-Application-Plugin-Authentication
> (https://bugs.debian.org/765051):
>
> It doesn't seem to be a bug in the packaging, so you may want to take
> a look. Thanks!

I'm attaching a preliminary patch. With it, the test output looks the same as in jessie (i.e. with an older CGI.pm).

Comments?

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: John Lennon: Imagine
Description: Adjust for CGI.pm >= 4.05 CGI.pm now warns if parameters are imported in list context, as this is a potential security hole. Explicitly require scalar context. Origin: vendor Bug: https://rt.cpan.org/Ticket/Display.html?id=99460 Forwarded: https://rt.cpan.org/Ticket/Display.html?id=99460 Bug-Debian: https://bugs.debian.org/765051 Author: gregor herrmann <gre...@debian.org> Last-Update: 2014-10-13 --- a/lib/CGI/Application/Plugin/Authentication.pm +++ b/lib/CGI/Application/Plugin/Authentication.pm @@ -1205,7 +1205,7 @@ my $field_names = $config->{CREDENTIALS} || [qw(authen_username authen_password)]; my $query = $self->_cgiapp->query; - my @credentials = map { $query->param($_) } @$field_names; + my @credentials = map { scalar $query->param($_) } @$field_names; if ($credentials[0]) { # The user is trying to login # make sure if they are already logged in, that we log them out first
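Review bot: The changed `my @credentials = map { scalar $query->param($_) } @$field_names;` line alters behaviour as well as silencing the warning, and the Description does not say so. In list context a repeated field contributed several elements and an absent field none, so the entries of `@credentials` could shift relative to `@$field_names`; with `scalar` each field yields exactly one element (the first submitted value, or undef). Suggest stating that in the Description and adding a test that submits `authen_username` twice and checks that `$credentials[1]` is still the submitted password. Since the patch is described as preliminary, it is also worth checking the rest of Authentication.pm for other `->param(...)` calls evaluated in list context.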