Update CGI to CPAN version 3.63

  [DELTA]

  Version 3.63 Nov 12, 2012

    [SECURITY]
    - CR escaping for Set-Cookie and P3P headers was improved. There was potential
      for newline injection in these headers.
      (Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23)

diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl
index e335b5b..4e41dff 100755 (executable)
--- a/Porting/Maintainers.pl
+++ b/Porting/Maintainers.pl
@@ -343,7 +343,7 @@ use File::Glob qw(:case);
 
     'CGI' => {
         'MAINTAINER'   => 'lstein',
-        'DISTRIBUTION' => 'MARKSTOS/CGI.pm-3.62.tar.gz',
+        'DISTRIBUTION' => 'MARKSTOS/CGI.pm-3.63.tar.gz',
         'FILES'        => q[cpan/CGI],
         'EXCLUDED'     => [
             qw( cgi_docs.html

diff --git a/cpan/CGI/Changes b/cpan/CGI/Changes
index 52f1d02..731f4f2 100644 (file)
--- a/cpan/CGI/Changes
+++ b/cpan/CGI/Changes
@@ -1,3 +1,9 @@
+Version 3.63 Nov 12, 2012
+
+    [SECURITY]
+    - CR escaping for Set-Cookie and P3P headers was improved. There was potential
+      for newline injection in these headers. 
+      (Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23)
 
 Version 3.62, Nov 9th, 2012
 

diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm
index d8d91f4..df63490 100644 (file)
--- a/cpan/CGI/lib/CGI.pm
+++ b/cpan/CGI/lib/CGI.pm
@@ -20,7 +20,7 @@ use Carp 'croak';
 
 # The revision is no longer being updated since moving to git. 
 $CGI::revision = '$Id: CGI.pm,v 1.266 2009/07/30 16:32:34 lstein Exp $';
-$CGI::VERSION='3.62';
+$CGI::VERSION='3.63';
 
 # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
 # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -1497,8 +1497,17 @@ sub header {
                             'EXPIRES','NPH','CHARSET',
                             'ATTACHMENT','P3P'],@p);
 
+    # Since $cookie and $p3p may be array references,
+    # we must stringify them before CR escaping is done.
+    my @cookie;
+    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
+        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+        push(@cookie,$cs) if defined $cs and $cs ne '';
+    }
+    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+
     # CR escaping for values, per RFC 822
-    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
         if (defined $header) {
             # From RFC 822:
             # Unfolding  is  accomplished  by regarding   CRLF   immediately
@@ -1542,18 +1551,9 @@ sub header {
 
     push(@header,"Status: $status") if $status;
     push(@header,"Window-Target: $target") if $target;
-    if ($p3p) {
-       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
-       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
-    }
+    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
     # push all the cookies -- there may be several
-    if ($cookie) {
-       my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
-       for (@cookie) {
-            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
-           push(@header,"Set-Cookie: $cs") if $cs ne '';
-       }
-    }
+    push(@header,map {"Set-Cookie: $_"} @cookie);
     # if the user indicates an expiration time, then we need
     # both an Expires and a Date header (so that the browser is
     # uses OUR clock)

diff --git a/cpan/CGI/t/headers.t b/cpan/CGI/t/headers.t
index 661b74b..4b4922c 100644 (file)
--- a/cpan/CGI/t/headers.t
+++ b/cpan/CGI/t/headers.t
@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');
 like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
 
+eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
+like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
+
+eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
+like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
+
 eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
 like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');