Bug#791439: libcgi-expand-perl: CGI::param called in list context

Niko Tyni ntyni at debian.org
Sat Jul 4 20:38:18 UTC 2015


Package: libcgi-expand-perl
Version: 2.05-3
User: debian-perl at lists.debian.org
Usertags: autopkgtest

This package fails its autopkgtest checks on ci.debian.net because
of these warnings during the test suite:

  ok 30 - empty key
  CGI::param called in list context from /usr/share/perl5/CGI/Expand.pm line 66, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 404.
  [...]
  ok 31 - expand_cgi

My reading of the code is that it explicitly handles multiple values
returned by param(), so it's not vulnerable to the parameter injection
attacks. I'd love a second pair of eyes though. The attached patch
disables the warning.

(See <http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/>
for some background on the vulnerability.)
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Disable-warning-about-CGI-param-called-in-list-conte.patch
Type: text/x-diff
Size: 853 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20150704/47e2c97d/attachment-0001.patch>
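The following is an added illustration of the pitfall behind CGI.pm's
"called in list context" warning; it is not part of the bug report, not
code from CGI::Expand, and not the attached patch. The query string is
constructed for the example, and the build_user_* subroutines are
hypothetical names chosen here. It shows the classic hash-construction
bug (the pattern described in the linked gerv.net post), the scalar-context
fix, and the explicit multi-value form for code that genuinely wants
every value, which is the kind of handling the report says Expand.pm
already does.

```perl
#!/usr/bin/perl
# Added example, not from the bug report or from CGI::Expand.
# Demonstrates why CGI.pm warns when param() is called in list context
# and how to write the hash construction so repeated parameters cannot
# smuggle in an extra key/value pair.
use strict;
use warnings;
use CGI;

# Constructed request: "name" is repeated so that the second and third
# values line up as a new key and value when flattened into a hash.
my $q = CGI->new('name=alice&name=role&name=admin');

# Vulnerable form: param() in list context returns all three values, so
# the hash list becomes (role => 'user', name => 'alice', role => 'admin')
# and the later 'role' entry overwrites the first one.
sub build_user_unsafe {
    my ($q) = @_;
    my %user = (role => 'user', name => $q->param('name'));
    return \%user;
}

# Hardened form: scalar context yields exactly one value (the first),
# so the hash always has precisely the keys written in the source.
sub build_user_safe {
    my ($q) = @_;
    my %user = (role => 'user', name => scalar $q->param('name'));
    return \%user;
}

# When several values are genuinely expected, ask for them explicitly
# (multi_param exists in CGI.pm 4.08 and later) and keep them inside an
# array reference instead of flattening them into the enclosing hash.
sub build_user_multi {
    my ($q) = @_;
    my %user = (role => 'user', names => [ $q->multi_param('name') ]);
    return \%user;
}

my $u = build_user_unsafe($q);
printf "unsafe: role=%s name=%s\n", $u->{role}, $u->{name};
$u = build_user_safe($q);
printf "safe:   role=%s name=%s\n", $u->{role}, $u->{name};
$u = build_user_multi($q);
printf "multi:  role=%s names=%s\n", $u->{role}, join(',', @{ $u->{names} });
```

Run with a CGI.pm that carries the list-context check (4.08 or later) and
the unsafe variant prints role=admin while the other two keep role=user;
the first call also triggers the same warning quoted in the report. Code
that, like Expand.pm, deliberately consumes every value and never
interpolates the list straight into a hash can silence that warning by
setting $CGI::LIST_CONTEXT_WARN = 0 (CGI.pm's documented switch; whether
the attached patch uses exactly this mechanism is an assumption here),
but only after the audit the report asks for has confirmed the list is
handled explicitly.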

