Subject: | CVE-2011-2766 |
CGI::Fast uses an FCGI API that was deprecated and removed from the
documentation more than ten years ago. Using this deprecated API with
FCGI >= 0.70 and <= 0.73 introduces a security issue.
<https://rt.cpan.org/Public/Bug/Display.html?id=68380>
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2766>
A pull request has been opened on GitHub: <https://github.com/markstos/CGI.pm/pull/6>.
Subject: | cgi-fast.patch |
diff --git a/lib/CGI/Fast.pm b/lib/CGI/Fast.pm
index e31dac3..ae5a51c 100644
--- a/lib/CGI/Fast.pm
+++ b/lib/CGI/Fast.pm
@@ -43,27 +43,23 @@ sub save_request {
# in this package variable.
use vars qw($Ext_Request);
BEGIN {
- # If ENV{FCGI_SOCKET_PATH} is given, explicitly open the socket,
- # and keep the request handle around from which to call Accept().
- if ($ENV{FCGI_SOCKET_PATH}) {
- my $path = $ENV{FCGI_SOCKET_PATH};
- my $backlog = $ENV{FCGI_LISTEN_QUEUE} || 100;
- my $socket = FCGI::OpenSocket( $path, $backlog );
- $Ext_Request = FCGI::Request( \*STDIN, \*STDOUT, \*STDERR,
- \%ENV, $socket, 1 );
- }
+ # If ENV{FCGI_SOCKET_PATH} is given, explicitly open the socket.
+ if ($ENV{FCGI_SOCKET_PATH}) {
+ my $path = $ENV{FCGI_SOCKET_PATH};
+ my $backlog = $ENV{FCGI_LISTEN_QUEUE} || 100;
+ my $socket = FCGI::OpenSocket( $path, $backlog );
+ $Ext_Request = FCGI::Request( \*STDIN, \*STDOUT, \*STDERR,
+ \%ENV, $socket, 1 );
+ }
+ else {
+ $Ext_Request = FCGI::Request();
+ }
}
-# New is slightly different in that it calls FCGI's
-# accept() method.
sub new {
my ($self, $initializer, @param) = @_;
unless (defined $initializer) {
- if ($Ext_Request) {
- return undef unless $Ext_Request->Accept() >= 0;
- } else {
- return undef unless FCGI::accept() >= 0;
- }
+ return undef unless $Ext_Request->Accept() >= 0;
}
CGI->_reset_globals;
$self->_setup_symbols(@CGI::SAVED_SYMBOLS) if @CGI::SAVED_SYMBOLS;