Subject: Segmentation fault on incorrect or empty cookie strings
Calling parse with an incorrect cookie or empty string causes
CGI::Cookie::XS to segfault:
$ perl -MCGI::Cookie::XS -e 'CGI::Cookie::XS->parse("")'
Segmentation fault
$ perl -MCGI::Cookie::XS -e 'CGI::Cookie::XS->parse("a")'
Segmentation fault
$ perl -MCGI::Cookie::XS -e 'CGI::Cookie::XS->parse("this-is-not-a-cookie")'
Segmentation fault
Seems like a pretty serious security vulnerability to me, considering
anyone can send a malicious Cookie HTTP header...
perl v5.10.0 built for i686-linux-thread-multi
CGI::Cookie::XS v1.13
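
A crash-isolating regression check for the three inputs above, added here as an example and not part of the original report or of the module's own test suite. Each parse call runs in a forked child, so a fault in the XS code ends only the child and the harness can record the terminating signal. The probe function and the exit-code convention are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Inputs quoted in the report above.
my @inputs = ('', 'a', 'this-is-not-a-cookie');

# Parse one string in a forked child so that a crash inside the XS code
# kills only the child, then report how the child ended.
sub probe {
    my ($input) = @_;
    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;

    if ($pid == 0) {
        # Child. _exit skips END blocks and buffered output inherited from the parent.
        eval { require CGI::Cookie::XS; 1 } or POSIX::_exit(2);
        eval { CGI::Cookie::XS->parse($input); 1 } or POSIX::_exit(1);
        POSIX::_exit(0);
    }

    waitpid($pid, 0);
    my $signal = $? & 127;    # low 7 bits: terminating signal, 0 if none
    my $code   = $? >> 8;     # high byte: exit status set by the child
    return "killed by signal $signal" if $signal;
    return 'module not installed'     if $code == 2;
    return 'perl exception'           if $code == 1;
    return 'ok';
}

my $crashes = 0;
for my $input (@inputs) {
    my $result = probe($input);
    $crashes++ if $result =~ /^killed/;
    printf "%-24s %s\n", "'$input'", $result;
}

# A non-zero exit lets a test runner or CI job fail on any crash.
exit($crashes ? 1 : 0);
```

On a build that shows the behaviour reported above, each input is listed as killed by signal 11 (SIGSEGV on Linux).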