Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Niko Tyni ntyni at debian.org
Fri Jan 15 15:15:53 UTC 2016


On Tue, Jan 12, 2016 at 01:38:51PM +0000, Dominic Hargreaves wrote:

> I'm puzzled about why this wasn't spotted as an issue for wheezy, which
> doesn't have the perl taint bug, and does suffer from this problem: we
> should fix that there too, probably in the next point release.

It doesn't happen with the default parameters: some storage backends
already untaint the data (at least 'sqlite') and/or don't use the
session id in a taint-failing way ('db_file'). Also, some serializers
(including 'default') untaint data when unserializing it from the storage.
Presumably nobody just tried a failing combination like file+storable
in taint mode, or bothered to report it.

As this isn't a regression in wheezy but just a 'normal' bug, I'm not
inclined to prepare a wheezy update myself. Others are still free to do
so, of course.
-- 
Niko Tyni   ntyni at debian.org


