Skip Menu |

This queue is for tickets about the POE-Component-Client-HTTP CPAN distribution.

Report information
The Basics
Id: 17599
Status: resolved
Priority: 0/
Queue: POE-Component-Client-HTTP
People
Owner: Nobody in particular
Requestors: YKAR [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Sun Feb 12 14:49:58 2006 YKAR [...] cpan.org - Ticket created
Subject: PoCoCl::HTTP::Request dies for non http URIs
PoCoCl::HTTP::Requst dies when $http_request->uri is not http uri for example this URLs will make DoS file://test/file.txt javascript:alert('test') mailto:john@smith.com Attached patch will fix this problem. Also test case for this problem attached.
Subject: 09_bad_scheme.t
#! /usr/bin/perl use strict; use warnings; use Test::More tests => 2; use POE qw(Component::Client::HTTP); use HTTP::Request::Common qw(GET); POE::Component::Client::HTTP->spawn( Alias => 'ua' ); POE::Session->create ( inline_states => { _start => sub { $_[KERNEL]->post(ua => request => good_response => GET 'http://poe.perl.org/'); $_[KERNEL]->post(ua => request => bad_response => GET 'file://test/file.txt'); }, good_response => sub { $_[HEAP]->{good_response} = $_[ARG1]->[0]->code == 200; }, bad_response => sub { $_[HEAP]->{bad_response} = $_[ARG1]->[0]->code == 400; }, _stop => sub { ok($_[HEAP]->{good_response}, 'got correct response for good scheme'); ok($_[HEAP]->{bad_response}, 'got correct response for bad scheme'); } } ); POE::Kernel->run;
Subject: patch.diff
Index: lib/POE/Component/Client/HTTP.pm =================================================================== --- lib/POE/Component/Client/HTTP.pm (revision 237) +++ lib/POE/Component/Client/HTTP.pm (working copy) @@ -44,6 +44,11 @@ chunked => 'POE::Filter::HTTPChunk', ); +my %supported_schemes = ( + http => 1, + https => 1 +); + # }}} INIT #------------------------------------------------------------------------------ @@ -152,6 +157,21 @@ $proxy_override ) = @_[KERNEL, HEAP, SENDER, ARG0, ARG1, ARG2, ARG3, ARG4]; + unless ($supported_schemes{$http_request->uri->scheme}) { + my $rsp = HTTP::Response->new( + 400 => 'Bad Request', [], + "<html>\n" + . "<HEAD><TITLE>Error: Bad Request</TITLE></HEAD>\n" + . "<BODY>\n" + . "<H1>Error: Bad Request</H1>\n" + . "Unsupported URI scheme\n" + . "</BODY>\n" + . "</HTML>\n" + ); + $kernel->post($sender, $response_event, [$http_request, $tag], [$rsp]); + return; + } + if (defined $proxy_override) { POE::Component::Client::HTTP::RequestFactory->parse_proxy($proxy_override); }
  Thu Mar 23 09:59:12 2006 RCAPUTO [...] cpan.org - Correspondence added
Sorry for the delay. This is committed as revision 239, and I hope to release a new Client::HTTP after going through the other tickets. If you'd like, I can give you a commit bit for this project and the related ones (Client::Keepalive & Client::DNS).
  Thu Mar 23 09:59:12 2006 The RT System itself - Status changed from 'new' to 'open'
  Thu Mar 23 09:59:13 2006 RCAPUTO [...] cpan.org - Status changed from 'open' to 'resolved'
  Thu Mar 23 10:22:19 2006 YKAR [...] cpan.org - Correspondence added
From: Yuri Karaban
On Thu Mar 23 09:59:12 2006, RCAPUTO wrote: Thank you for such confidence. But I'm afraid to take such responsibility. Better I will submit patches to you, and my patches to will be reviewed before commit. Show quoted text
> Sorry for the delay. This is committed as revision 239, and I hope to > release a new Client::HTTP after going through the other tickets. > > If you'd like, I can give you a commit bit for this project and the > related ones (Client::Keepalive & Client::DNS).
  Thu Mar 23 10:22:20 2006 The RT System itself - Status changed from 'resolved' to 'open'
  Thu Mar 23 20:47:28 2006 RCAPUTO [...] cpan.org - Status changed from 'open' to 'resolved'