From: | gregoa [...] cpan.org |
Subject: | libcgi-formbuilder-perl: please call CGI->param_fetch instead of CGI->param in array context |
We have the following bug reported to the Debian package of
CGI-FormBuilder (https://bugs.debian.org/766087):
It doesn't seem to be a bug in the packaging, so you may want to take
a look. Thanks!
------8<-----------8<-----------8<-----------8<-----------8<-----
Package: libcgi-formbuilder-perl
Version: 3.08-2
Severity: normal
Tags: patch
X-Debbugs-Cc: Amitai Schlair <schmonz-web-ikiwiki@schmonz.com>
CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.
% REQUEST_METHOD=GET QUERY_STRING='a=1&a=2&b=3' \
perl -Mstrict -Mwarnings -MCGI \
-e 'my $q = CGI->new; my $as = join ",", $q->param("a"); print "$as\n"'
CGI::param called in list context from package main line 1, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
1,2
I have checked the CGI::FormBuilder code and I could not find any instances
of this being an actual vulnerability.
The attached patches 0004 to 0007 switch from list-context param('x')
to explicitly list-valued @{param_fetch('x')} to avoid these warnings.
Two of them are from Amitai Schlair via pkgsrc; two are additional
patches from me. They appear to be compatible with all CGI.pm versions
back to at least 2000.
The attached patch "Add-patches-from-pkgsrc-and-an-extra-similar-patch-t.patch"
alters the Debian packaging (based on the version in pkg-perl git) to add
those patches.
Please consider applying these and/or forwarding them upstream.
Thanks,
S
------8<-----------8<-----------8<-----------8<-----------8<-----
Thanks for considering,
gregor herrmann,
Debian Perl Group
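The list-context hazard the forwarded report describes, next to the param_fetch form the patches switch to, as an added illustration: this is not code from the report, from CGI.pm or from CGI::FormBuilder, and the query string, the is_admin field and the build_args_* helpers are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration of the CGI->param list-context hazard and the
# param_fetch fix; not code from the bug report or from CGI::FormBuilder.
use strict;
use warnings;
use CGI;

# Constructed request: the client repeats "name" three times. A normal
# client sends it once; an attacker sends the extra values on purpose.
my $q = CGI->new('name=alice&name=is_admin&name=1');

# BEFORE: param() inside a list (here a hash initialiser) is in list
# context, so it expands to ('alice', 'is_admin', '1'). The hash becomes
# (is_admin => 0, name => 'alice', is_admin => 1): the later key wins and
# the request has overridden a field the client must never control.
# CGI.pm releases that carry the check print "CGI::param called in list
# context ..." here; older releases expand silently.
sub build_args_vulnerable {
    my ($q) = @_;
    my %args = (
        is_admin => 0,
        name     => $q->param('name'),
    );
    return \%args;
}

# AFTER: force scalar context where one value is wanted (param() then
# returns only the first value), and use param_fetch(), which returns a
# reference to the full value list, where the code really wants them all.
# Neither form depends on the warning being present in CGI.pm.
sub build_args_safe {
    my ($q) = @_;
    my %args = (
        is_admin => 0,
        name     => scalar $q->param('name'),
        names    => [ @{ $q->param_fetch('name') } ],
    );
    return \%args;
}

# A parameter the client never sent must not blow up either:
# param_fetch() yields an empty list for it.
sub optional_list {
    my ($q, $field) = @_;
    return @{ $q->param_fetch($field) };
}

my $bad  = build_args_vulnerable($q);
my $good = build_args_safe($q);

printf "vulnerable: name=%s is_admin=%s\n", $bad->{name}, $bad->{is_admin};
printf "safe:       name=%s is_admin=%s names=[%s]\n",
    $good->{name}, $good->{is_admin}, join(',', @{ $good->{names} });
printf "absent field yields %d values\n", scalar optional_list($q, 'missing');
```

Run it with a CGI.pm that has the check to see the warning fire on the vulnerable helper only; the safe helper is what the attached patches' @{param_fetch('x')} spelling expands to, and the `scalar` prefix is the matching fix for call sites that only ever meant one value.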