Subject: CVE-2010-4410 -- CRLF injection and response splitting via header()
Hi,
CGI::Simple is vulnerable to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410
----
CRLF injection vulnerability in the header function in (1) CGI.pm before
3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote
attackers to inject arbitrary HTTP headers and conduct HTTP response
splitting attacks via vectors related to non-whitespace characters
preceded by newline characters, a different vulnerability than
CVE-2010-2761 and CVE-2010-3172.
----
The patch attached addresses the issue and adds a test about it.
Thanks for considering,
dam
Debian Perl Group
Subject: cve-2010-4410.patch
Description: Fix CVE-2010-4410
Always check for CRLF in supplied header values and require that CRLF
is followed by whitespace, in which case the CRLF is stripped.
Die if CRLF is followed by a non-whitespace character.
Bug-Debian: http://bugs.debian.org/606379
Author: Damyan Ivanov <dmn@debian.org>
#Bug: <url in upstream bugtracker>
#Forwarded: <no|not-needed|url proving that it has been forwarded>
--- a/lib/CGI/Simple.pm
+++ b/lib/CGI/Simple.pm
@@ -995,7 +995,12 @@ sub header {
# Don't use \s because of perl bug 21951
next
- unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/;
+ unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s;
+
+ my $CRLF = $self->crlf;
+ $value =~ s/$CRLF(\s)/$1/sg;
+ $value =~ /$CRLF/ and die "Invalid header value -- CRLF not followed by whitespace";
+
( $_ = $header )
=~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e;
}
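Review bot: the unfolding line `$value =~ s/$CRLF(\s)/$1/sg;` uses `\s` directly under the context comment `# Don't use \s because of perl bug 21951`, and `\s` also matches `\r` and `\n` themselves, so a value such as "test$CRLF\n part" is rewritten to "test\n part": the CRLF is consumed, the following `$value =~ /$CRLF/` check no longer fires, and a bare LF (which several servers accept as a line terminator) reaches the response. Restrict the folding class to linear whitespace, `s/$CRLF([ \t])/$1/g`, which is also what RFC 822 unfolding means; the `/s` modifier is unnecessary there since the pattern contains no `.`. Consider `croak` from Carp instead of `die` so the error is reported at the caller of header(). Finally, the hunk only shows the check inside this loop over extra headers; confirm in the full function that every other value header() emits (content type, status, target, cookie and so on) passes through the same check, since the CVE covers the header function as a whole.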
--- /dev/null
+++ b/t/120.header-crlf.t
@@ -0,0 +1,20 @@
+use strict;
+use Test::More tests => 2;
+use Test::Exception;
+use CGI::Simple;
+
+my $cgi = CGI::Simple->new;
+
+my $CRLF = $cgi->crlf;
+
+is( $cgi->header( '-Test' => "test$CRLF part" ),
+ "Test: test part"
+ . $CRLF
+ . 'Content-Type: text/html; charset=ISO-8859-1'
+ . $CRLF
+ . $CRLF
+);
+
+throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) }
+qr/Invalid header value -- CRLF not followed by whitespace at /,
+ 'invalid CRLF caught';
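Review bot: neither case exercises the direct injection vector the CVE describes, a CRLF immediately followed by a non-whitespace character; "test$CRLF$CRLF part" only dies because the first CR of the second pair is folded away as whitespace and the CRLF that survives is then caught. Add a case such as "test${CRLF}X-Injected: 1" that must throw, and, because the folding regex in the Simple.pm hunk uses `\s`, a case like "test$CRLF\n part" asserting it is rejected as well (with the current pattern it is not: the result contains a bare LF and no CRLF). Raise `tests => 2` to match, or switch to `done_testing`. The expected string also hardcodes the default `Content-Type: text/html; charset=ISO-8859-1`, so the test will break if that default ever changes; building the expectation from `$cgi->header()` without the extra header would make it robust.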
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -11,6 +11,7 @@ WriteMakefile(
PL_FILES => {},
PREREQ_PM => {
'Test::More' => 0,
+ 'Test::Exception' => 0,
'IO::Scalar' => 0
},
dist => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', },
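Review bot: `Test::Exception` is only needed by t/120.header-crlf.t, yet it is listed in `PREREQ_PM` next to the runtime prerequisites, so every installation of CGI::Simple now pulls in a test-only module (and its Sub::Uplevel dependency). Either move it to `BUILD_REQUIRES` (ExtUtils::MakeMaker 6.56 and later) or avoid the new dependency altogether by writing the exception check in the test with `eval { ... }` followed by `like( $@, qr/Invalid header value/, ... )`, which Test::More already provides.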