https://bugzilla.redhat.com/show_bug.cgi?id=876974
diff -Naurp CGI.pm-3.53/lib/CGI.pm CGI.pm-3.53.oden/lib/CGI.pm
--- CGI.pm-3.53/lib/CGI.pm 2011-04-25 22:53:12.000000000 +0000
+++ CGI.pm-3.53.oden/lib/CGI.pm 2012-12-16 15:27:43.000000000 +0000
@@ -1550,8 +1550,17 @@ sub header {
'EXPIRES','NPH','CHARSET',
'ATTACHMENT','P3P'],@p);
+ # Since $cookie and $p3p may be array references,
+ # we must stringify them before CR escaping is done.
+ my @cookie;
+ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
+ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+ push(@cookie,$cs) if defined $cs and $cs ne '';
+ }
+ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+
# CR escaping for values, per RFC 822
- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+ for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
if (defined $header) {
# From RFC 822:
# Unfolding is accomplished by regarding CRLF immediately
@@ -1595,18 +1604,9 @@ sub header {
push(@header,"Status: $status") if $status;
push(@header,"Window-Target: $target") if $target;
- if ($p3p) {
- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
- }
+ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
# push all the cookies -- there may be several
- if ($cookie) {
- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
- for (@cookie) {
- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
- push(@header,"Set-Cookie: $cs") if $cs ne '';
- }
- }
+ push(@header,map {"Set-Cookie: $_"} @cookie);
# if the user indicates an expiration time, then we need
# both an Expires and a Date header (so that the browser is
# uses OUR clock)
diff -Naurp CGI.pm-3.53/t/headers.t CGI.pm-3.53.oden/t/headers.t
--- CGI.pm-3.53/t/headers.t 2011-01-24 03:20:03.000000000 +0000
+++ CGI.pm-3.53.oden/t/headers.t 2012-12-16 15:27:43.000000000 +0000
@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid
like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
+eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
+like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
+
+eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
+like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
+
eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
distrib
>
Mandriva
>
2011.0
>
i586
>
media
>
main-updates-src
>
by-pkgid
>
ff868bffb97499199cff0e3c09787eeb
>
files
>
1
