Skip Menu |

This queue is for tickets about the CGI-Simple CPAN distribution.

Report information
The Basics
Id: 64160
Status: resolved
Priority: 0/
Queue: CGI-Simple
People
Owner: Nobody in particular
Requestors: dam [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: 1.112
Fixed in: (no value)

History Show all quoted text
  Wed Dec 22 15:44:00 2010 dam [...] cpan.org - Ticket created
Subject: CVE-2010-4410 -- CRLF injection and response splitting via header()
Hi, CGI::Simple is vulnerable to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4410 ---- CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172. ---- The patch attached addresses the issue and adds a test about it. Thanks for considering, dam Debian Perl Group
Subject: cve-2010-4410.patch
Description: Fix CVS-2010-4410 Always check for CRLF in supplied header values and require that CRLF is followed by a whitespace, in which case the CRLF is stripped. Die if CRLF is followed by non-whitespace character. Bug-Debian: http://bugs.debian.org/606379 Author: Damyan Ivanov <dmn@debian.org> #Bug: <url in upstream bugtracker> #Forwarded: <no|not-needed|url proving that it has been forwarded> --- a/lib/CGI/Simple.pm +++ b/lib/CGI/Simple.pm @@ -995,7 +995,12 @@ sub header { # Don't use \s because of perl bug 21951 next - unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/; + unless my ( $header, $value ) = /([^ \r\n\t=]+)=\"?(.+?)\"?$/s; + + my $CRLF = $self->crlf; + $value =~ s/$CRLF(\s)/$1/sg; + $value =~ /$CRLF/ and die "Invalid header value -- CRLF not followed by whitespace"; + ( $_ = $header ) =~ s/^(\w)(.*)/"\u$1\L$2" . ': '.$self->unescapeHTML($value)/e; } --- /dev/null +++ b/t/120.header-crlf.t @@ -0,0 +1,20 @@ +use strict; +use Test::More tests => 2; +use Test::Exception; +use CGI::Simple; + +my $cgi = CGI::Simple->new; + +my $CRLF = $cgi->crlf; + +is( $cgi->header( '-Test' => "test$CRLF part" ), + "Test: test part" + . $CRLF + . 'Content-Type: text/html; charset=ISO-8859-1' + . $CRLF + . $CRLF +); + +throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) } +qr/Invalid header value -- CRLF not followed by whitespace at /, + 'invalid CRLF caught'; --- a/Makefile.PL +++ b/Makefile.PL @@ -11,6 +11,7 @@ WriteMakefile( PL_FILES => {}, PREREQ_PM => { 'Test::More' => 0, + 'Test::Exception' => 0, 'IO::Scalar' => 0 }, dist => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', },
  Mon Jan 13 15:32:23 2014 abraxxa [...] cpan.org - Correspondence added
When will this security issue be fixed?
  Mon Jan 13 15:32:24 2014 The RT System itself - Status changed from 'new' to 'open'
  Mon Jan 13 15:35:34 2014 abraxxa [...] cpan.org - Correspondence added
According to the 1.113 Changes it's already fixed, please close this bug, I don't have the rights to do so, thanks!
  Sat Feb 08 00:54:30 2014 ether [...] cpan.org - Correspondence added
On 2014-01-13 12:35:34, ABRAXXA wrote: Show quoted text
> According to the 1.113 Changes it's already fixed, please close this > bug, I don't have the rights to do so, thanks!
This ticket should be closed.
  Sun Oct 19 12:43:14 2014 SZABGAB [...] cpan.org - Correspondence added
I see only part of the patch applied, but I added the test script and it passes.
  Sun Oct 19 12:43:14 2014 SZABGAB [...] cpan.org - Status changed from 'open' to 'resolved'