

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 64261
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: ntyni [...] iki.fi
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



Subject: multipart_init.t logic flaw
Hi, investigating at the multipart boundary issue (CVE-2010-2761), I noticed that test 5 in multipart_init.t that's supposed to test for a random boundary, succeeds even without the fix. This is because $sv is created with an explicit fixed boundary, so the randomness doesn't make any difference. I'm attaching a proposed fix. This is still present in the github repository. Thanks for your work, -- Niko Tyni ntyni@debian.org
Subject: 0001-Improve-the-random-multipart-boundary-test.patch
From cadb707191b3a3efb39a94f36e03e9734c7277dc Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Mon, 27 Dec 2010 15:40:35 +0200 Subject: [PATCH] Improve the random multipart boundary test The test now actually fails without the random boundary fix (CVE-2010-2761). --- t/multipart_init.t | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/t/multipart_init.t b/t/multipart_init.t index 4da809a..f0a05e0 100644 --- a/t/multipart_init.t +++ b/t/multipart_init.t @@ -15,5 +15,6 @@ $sv = $q->multipart_init( -boundary => 'this_is_another_boundary' ); like($sv, qr/boundary="this_is_another_boundary"/, "multipart_init( -boundary => 'this_is_another_boundary')"); +$sv = $q->multipart_init; my $sv2 = $q->multipart_init; isnt($sv,$sv2,"due to random boundaries, multiple calls produce different results"); -- 1.7.2.3
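Review bot: the added `$sv = $q->multipart_init;` overwrites the `$sv` that the preceding `like()` just checked for the fixed boundary; a fresh lexical (`my $sv1 = $q->multipart_init;` paired with `isnt($sv1,$sv2,...)`) would keep the two cases separate and make the intent readable without the commit message. The assertion also only shows that two consecutive default-boundary calls differ, which a counter-based default would satisfy too, so consider an additional check that neither value carries the previous fixed default boundary.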
Subject: Re: [rt.cpan.org #64261] AutoReply: multipart_init.t logic flaw
Date: Mon, 27 Dec 2010 17:14:35 +0200
To: "Bugs in CGI.pm via RT" <bug-CGI.pm [...] rt.cpan.org>
From: Niko Tyni <ntyni [...] iki.fi>
On Mon, Dec 27, 2010 at 08:44:24AM -0500, Bugs in CGI.pm via RT wrote:
> investigating at the multipart boundary issue (CVE-2010-2761), I noticed
> that test 5 in multipart_init.t that's supposed to test for a random
> boundary, succeeds even without the fix. This is because $sv is created
> with an explicit fixed boundary, so the randomness doesn't make any
> difference.
>
> I'm attaching a proposed fix. This is still present in the github
> repository.

Oops, I see multipart_init.t is _only_ present in the github repository. I suppose this report was rather premature in that case. Apologies for any inconvenience.

Thanks again,
-- 
Niko Tyni
ntyni@debian.org
Thanks, I appreciate the input.

Mark

Your patch has now been incorporated and released, with credit to you. Thanks again.

Mark