
This queue is for tickets about the Apache-AuthCookie CPAN distribution.

Report information
The Basics
Id: 105405
Status: resolved
Priority: 0/
Queue: Apache-AuthCookie

People
Owner: Nobody in particular
Requestors: jamesnelson [...] acuitymanagement.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CGI version 4.20 issues 'CGI::param called in list context' warnings
Date: Mon, 22 Jun 2015 16:38:26 +0000
To: "bug-Apache-AuthCookie [...] rt.cpan.org" <bug-Apache-AuthCookie [...] rt.cpan.org>
From: James Nelson <jamesnelson [...] acuitymanagement.com>
OS: CentOS 6.6 x86-64
Perl version: 5.10.1
Apache2::AuthCookie version: 3.22

On upgrading our production servers to CentOS 6, we started getting the following log messages:

    CGI::param called in list context from /usr/local/share/perl5/Apache2/AuthCookie.pm line 127, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 404

Per this article: http://www.perlmonks.org/?node_id=1105051, setting $CGI::LIST_CONTEXT_WARN = 0 will suppress the warnings, but it will need to be fixed going forward.

It's worth noting that in this case, the code calling param() *EXPECTS* a list in response, so this code is not vulnerable. I should probably find something other than CGI.pm to handle the params. The only reason I went with CGI.pm in the first place was to avoid adding a dependency on yet another module. But since CGI.pm is gone now in 5.22 that argument does not apply in the future.

On 2015-06-22 16:44:10, MSCHOUT wrote:
> It's worth noting that in this case, the code calling param()
> *EXPECTS* a list in response, so this code is not vulnerable.

In this case you can use the new function multi_param() if it's available. To be compatible with older CGI.pm you could do something like this (untested):

    if (!defined &CGI::multi_param) {
        *CGI::multi_param = \&CGI::param;
    }

I have committed a fix for this to git for the next release. I am working on finalizing support for apache 2.4 which I also want to put in this release so I have not yet uploaded it to CPAN FYI.
Marking this as resolved since AuthCookie no longer uses CGI.pm

--
Regards,
Michael Schout
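
The list-context behaviour the warning refers to, next to the two explicit forms discussed in this ticket, as an added example that is not part of the ticket or of Apache2::AuthCookie. The query string and the variable names are constructed for illustration.

```perl
use strict;
use warnings;
use CGI;

# Shim from the reply above, for CGI.pm releases that predate multi_param().
BEGIN {
    no warnings 'once';
    *CGI::multi_param = \&CGI::param unless defined &CGI::multi_param;
}

# Constructed request: the "name" parameter is supplied three times.
my $q = CGI->new('name=guest&name=is_admin&name=1&lang=en');

# Risky pattern: param() in a hash constructor is list context, so every
# value of "name" is spliced into the key/value list and the second and
# third values become an extra key/value pair.
my %risky = do {
    local $CGI::LIST_CONTEXT_WARN = 0;    # keep the demo output quiet
    ( name => $q->param('name'), lang => $q->param('lang') );
};

# Single value wanted: force scalar context (param() returns the first value).
my %safe = (
    name => scalar $q->param('name'),
    lang => scalar $q->param('lang'),
);

# List wanted, as in AuthCookie's case: ask for it explicitly.
my @names = $q->multi_param('name');

print "risky keys: ", join(', ', sort keys %risky), "\n";
print "safe keys:  ", join(', ', sort keys %safe),  "\n";
print "all names:  ", join(', ', @names), "\n";
```

Code that genuinely needs every value should call multi_param(); code that needs one value should wrap param() in scalar() rather than silencing the warning globally.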