Bug#1016761: libhttp-daemon-perl: FTBFS with newer HTTP::Tiny versions

gregor herrmann gregoa at debian.org
Sat Aug 6 22:54:43 BST 2022


On Sat, 06 Aug 2022 21:24:08 +0300, Niko Tyni wrote:

> It looks like the recent security fix in libhttp-daemon-perl_6.14-1.1
> (or at least the associated test case) has issues with newer versions
> of the HTTP::Tiny module.
[…]
> From my build log:
>    Subroutine HTTP::Tiny::Handle::write_content_body redefined at t/content_length.t line 277.

Just a quick note:

That's from debian/patches/CVE-2022-31081-testcase.patch:

#v+
+sub patch_http_tiny {
+    
+    # we need to patch write_content_body
+    # this is part of HTTP::Tiny internal module HTTP::Tiny::Handle
+    #
+    # the below code is from the original HTTP::Tiny module, where just two lines
+    # have been commented out
+    
+    no strict 'refs';
+    
+    *HTTP::Tiny::Handle::write_content_body = sub {
+        @_ == 2 || die(q/Usage: $handle->write_content_body(request)/ . "\n");
+        my ($self, $request) = @_;
+        
+        my ($len, $content_length) = (0, $request->{headers}{'content-length'});
+        while () {
+            my $data = $request->{cb}->();
+            
+            defined $data && length $data
+                or last;
+            
+            if ( $] ge '5.008' ) {
+                utf8::downgrade($data, 1)
+                    or die(qq/Wide character in write_content()\n/);
+            }
+            
+            $len += $self->write($data);
+        }
+        
+#       this should not be checked during our tests, we want to forge bad requests
+#       
+#       $len == $content_length
+#           or die(qq/Content-Length mismatch (got: $len expected: $content_length)\n/);
+        
+        return $len;
+    };
+}
#v-
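
Review bot: The glob assignment at `*HTTP::Tiny::Handle::write_content_body = sub {` replaces an already-defined sub without `no warnings 'redefine';`, which matches the "Subroutine HTTP::Tiny::Handle::write_content_body redefined" warning quoted from the build log. Add that pragma in a block scoped to the assignment; `no strict 'refs';` is not needed for a literal glob assignment and can be dropped. The replacement body is, per its own comment, a copy of an internal HTTP::Tiny::Handle method, so it depends on `$request->{cb}` and `$self->write` keeping their current shape. A comment recording which HTTP::Tiny version the body was copied from would make drift against newer versions easier to spot.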


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   