[request-tracker-maintainers] Bug#765477: Bug#765477: request-tracker4: FTBFS - unexpected warnings
Kevin Falcone
falcone at bestpractical.com
Wed Oct 15 19:07:38 UTC 2014
On Wed, Oct 15, 2014 at 01:54:50PM +0100, Michael Tautschnig wrote:
> Version: 4.2.7-1
>
> During a rebuild of all Debian packages in a clean sid chroot (using cowbuilder
> and pbuilder) the build failed with the following error.
> # got warning: CGI::param called in list context from package HTML::Mason::Utils line 48, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 425.
This looks like sid contains a new enough CGI.pm to have a warning
about param in list context (later than 4.05), but HTML::Mason hasn't
been updated to tell CGI.pm to be quiet.
https://packages.debian.org/unstable/perl/libcgi-pm-perl
HTML::Mason needs to patch in
https://metacpan.org/pod/CGI#Fetching-the-value-or-values-of-a-single-named-parameter
Looking at the code, it doesn't fall prey to the vulnerability that I
can see.
# @methods is some combination of param and url_param
# depending on submission method
my @values = map { $q->$_($key) } @methods;
$args{$key} = @values == 1 ? $values[0] : \@values;
local'ing in the CGI.pm "stop warning" variable seems fine.
Not something we can really fix at the RT level, but certainly
something that should end up being fixed in HTML::Mason.
I'll open an rt.cpan.org bug later if I have a chance (I'm not sure if
you also need a bug against the libhtml-mason-perl package in sid).
-kevin
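The list-context issue under discussion, as an added example that is not code from the thread, from CGI.pm or from HTML::Mason: a multi-valued parameter interpolated into a hash constructor flattens into extra key/value pairs, while the HTML::Mason pattern quoted above (collect all values, then store a scalar or an array reference under one key) cannot create keys. The query string is constructed for the demonstration, and the block assumes a CGI.pm new enough to define $CGI::LIST_CONTEXT_WARN (the variable named in the linked documentation).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request: "name" is supplied three times. The second and
# third values are shaped like a key/value pair the client must not set.
my $q = CGI->new('name=alice&name=is_admin&name=1');

# Unsafe pattern: param() in list context inside a hash constructor.
# The three values of "name" expand to (name => 'alice', 'is_admin', '1'),
# and the later 'is_admin' wins over the default of 0.
sub unsafe_args {
    my ($cgi) = @_;
    local $CGI::LIST_CONTEXT_WARN = 0;   # silenced only so the output stays readable
    my %args = ( is_admin => 0, name => $cgi->param('name') );
    return \%args;
}

# Safe pattern 1: force scalar context, so only the first value is used.
sub safe_args_scalar {
    my ($cgi) = @_;
    my %args = ( is_admin => 0, name => scalar $cgi->param('name') );
    return \%args;
}

# Safe pattern 2: the HTML::Mason shape. List context is intentional here
# (hence the local'ed warning flag), but every value lands under $key, either
# as a plain scalar or as an array reference, so no other key can be touched.
sub safe_args_mason_style {
    my ($cgi, $key) = @_;
    local $CGI::LIST_CONTEXT_WARN = 0;
    my @values = $cgi->param($key);
    my %args = ( is_admin => 0 );
    $args{$key} = @values == 1 ? $values[0] : \@values;
    return \%args;
}

for my $case ( [ unsafe => unsafe_args($q) ],
               [ scalar => safe_args_scalar($q) ],
               [ mason  => safe_args_mason_style($q, 'name') ] ) {
    my ($label, $args) = @$case;
    my $name = ref $args->{name} ? join(',', @{ $args->{name} }) : $args->{name};
    printf "%-7s is_admin=%s name=%s\n", $label, $args->{is_admin}, $name;
}
```

Running this prints is_admin=1 for the unsafe case and is_admin=0 for both safe cases (the Mason-style case carries all three values as an array reference under name). The check a reviewer wants is therefore not only whether a call site uses param() in list context, but whether the surrounding code lets those values become hash keys; only the first of the three does.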