
[perl.git] branch blead, updated. v5.13.6-439-g84601d6

From:
Chris 'Bingos' Williams
Date:
November 8, 2010 16:24
Subject:
[perl.git] branch blead, updated. v5.13.6-439-g84601d6
Message ID:
E1PFc0U-0003Kg-1I@camel.ams6.corp.booking.com
In perl.git, the branch blead has been updated

<http://perl5.git.perl.org/perl.git/commitdiff/84601d63a7e34958da47dad1e61e27cb3bd467d1?hp=a0b94c2432b1d8c20653453a0f6970cb10f59aec>

- Log -----------------------------------------------------------------
commit 84601d63a7e34958da47dad1e61e27cb3bd467d1
Author: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
Date:   Tue Nov 9 00:20:53 2010 +0000

    Update CGI.pm to CPAN version 3.50
    
      [DELTA]
    
      Version 3.50
    
      [SECURITY]
      1. The MIME boundary in multipart_init is now random.
         Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and  Mark Stosberg
      2. Further improvements to handling of newlines embedded in header values.
         An exception is thrown if header values contain invalid newlines.
         Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
         Lincoln Stein, Frédéric Buclin and Mark Stosberg
    
      [DOCUMENTATION]
      1. Correcting/clarifying documentation for param_fetch(). Thanks to
            Renée Bäcker. (RT#59132)
    
      [INTERNALS]
      1. Fixing https test in http.t. (RT#54768)
      2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
-----------------------------------------------------------------------

Summary of changes:
 Porting/Maintainers.pl     |    2 +-
 cpan/CGI/Changes           |   18 ++++++++++++++++++
 cpan/CGI/lib/CGI.pm        |   39 +++++++++++++++++++++++++++------------
 cpan/CGI/lib/CGI/Cookie.pm |   15 +++++++++------
 cpan/CGI/t/http.t          |    9 +++------
 pod/perldelta.pod          |   10 ++++++++++
 6 files changed, 68 insertions(+), 25 deletions(-)

diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl
index 31e09c5..1e17e61 100755
--- a/Porting/Maintainers.pl
+++ b/Porting/Maintainers.pl
@@ -299,7 +299,7 @@ use File::Glob qw(:case);
     'CGI' =>
 	{
 	'MAINTAINER'	=> 'lstein',
-	'DISTRIBUTION'	=> 'LDS/CGI.pm-3.49.tar.gz',
+	'DISTRIBUTION'	=> 'LDS/CGI.pm-3.50.tar.gz',
 	'FILES'		=> q[cpan/CGI],
 	'EXCLUDED'	=> [ qr{^t/lib/Test},
 				qw( cgi-lib_porting.html
diff --git a/cpan/CGI/Changes b/cpan/CGI/Changes
index fb1644f..4b197ec 100644
--- a/cpan/CGI/Changes
+++ b/cpan/CGI/Changes
@@ -1,3 +1,21 @@
+Version 3.50
+  
+  [SECURITY]
+  1. The MIME boundary in multipart_init is now random. 
+     Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and  Mark Stosberg
+  2. Further improvements to handling of newlines embedded in header values. 
+     An exception is thrown if header values contain invalid newlines. 
+     Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
+     Lincoln Stein, Frédéric Buclin and Mark Stosberg
+
+  [DOCUMENTATION]
+  1. Correcting/clarifying documentation for param_fetch(). Thanks to 
+        Renée Bäcker. (RT#59132)
+
+  [INTERNALS]
+  1. Fixing https test in http.t. (RT#54768)
+  2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple. 
+
 Version 3.49
 
   [BUG FIXES]
diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm
index 355b8d1..c0f6752 100644
--- a/cpan/CGI/lib/CGI.pm
+++ b/cpan/CGI/lib/CGI.pm
@@ -18,8 +18,9 @@ use Carp 'croak';
 # The most recent version and complete docs are available at:
 #   http://stein.cshl.org/WWW/software/CGI/
 
+# The revision is no longer being updated since moving to git. 
 $CGI::revision = '$Id: CGI.pm,v 1.266 2009/07/30 16:32:34 lstein Exp $';
-$CGI::VERSION='3.49';
+$CGI::VERSION='3.50';
 
 # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
 # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -1457,7 +1458,14 @@ END_OF_FUNC
 sub multipart_init {
     my($self,@p) = self_or_default(@_);
     my($boundary,@other) = rearrange_header([BOUNDARY],@p);
-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
+    if (!$boundary) {
+        $boundary = '------- =_';
+        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+        for (1..17) {
+            $boundary .= $chrs[rand(scalar @chrs)];
+        }
+    }
+
     $self->{'separator'} = "$CRLF--$boundary$CRLF";
     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
     $type = SERVER_PUSH($boundary);
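Review bot: The boundary assembled at `$boundary .= $chrs[rand(scalar @chrs)]` comes from Perl's `rand`, a non-cryptographic PRNG, so the value is random but not necessarily unpredictable, and unpredictability is what the [SECURITY] entry is after if the aim is that a client cannot guess the separator and forge a part boundary in the pushed stream. In a persistent or pre-forking server `rand` is seeded once per process, and children that inherit the generator state after a fork would presumably emit the same sequence, so one observed boundary may let an attacker predict later ones; worth confirming for the target deployments. Prefer bytes from the OS random source where it exists and keep `rand` only as a fallback, as sketched below. The caller-supplied `$boundary` path is untouched and still flows straight into `SERVER_PUSH`, so it remains the caller's job to keep that value free of CR/LF; multipart_init's body continues past the end of the hunk.
```perl
    if (!$boundary) {
        $boundary = '------- =_';
        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
        # Prefer the OS random source; fall back to rand() where it is absent.
        my $raw = '';
        if (open my $rnd, '<', '/dev/urandom') {
            binmode $rnd;
            read $rnd, $raw, 17;
            close $rnd;
        }
        for my $i (0..16) {
            my $idx = length($raw) == 17
                ? ord(substr($raw, $i, 1)) % @chrs   # small modulo bias, acceptable for a boundary
                : rand(scalar @chrs);
            $boundary .= $chrs[$idx];
        }
    }
    # … unchanged: separator setup and SERVER_PUSH …
```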
@@ -1545,12 +1553,19 @@ sub header {
     # CR escaping for values, per RFC 822
     for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
         if (defined $header) {
-            $header =~ s/
-                (?<=\n)    # For any character proceeded by a newline
-                (?=\S)     # ... that is not whitespace
-            / /xg;         # ... inject a leading space in the new line
-        }
-    }
+            # From RFC 822:
+            # Unfolding  is  accomplished  by regarding   CRLF   immediately
+            # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+            $header =~ s/$CRLF(\s)/$1/g;
+
+            # All other uses of newlines are invalid input. 
+            if ($header =~ m/$CRLF/) {
+                # shorten very long values in the diagnostic
+                $header = substr($header,0,72).'...' if (length $header > 72);
+                die "Invalid header value contains a newline not followed by whitespace: $header";
+            }
+        } 
+   }
 
     $nph     ||= $NPH;
 
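Review bot: The guard at `if ($header =~ m/$CRLF/)` rejects only the exact `$CRLF` sequence, so a value carrying a bare LF or bare CR is emitted unchanged, and since many servers and clients in practice treat a bare LF as a line terminator, the header-injection vector the [SECURITY] entry describes stays partly open. The unfolding step makes it worse: `\s` in `s/$CRLF(\s)/$1/g` also matches newline characters, so a value like `"x$CRLF\nevil: 1"` unfolds to `"x\nevil: 1"` and then sails past the check. Restrict unfolding to real LWSP and reject any remaining line break, e.g. `$header =~ s/$CRLF([ \t])/$1/g;` followed by `if ($header =~ m/[\r\n]/) {`. The hunk header at -18 shows `use Carp 'croak'`, and `croak` here would report the caller's location, which is where the bad value originated, rather than this line in CGI.pm. `$CRLF` is defined outside the hunk, and header()'s body starts before and continues after it.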
@@ -1615,7 +1630,6 @@ sub header {
 }
 END_OF_FUNC
 
-
 #### Method: cache
 # Control whether header() will produce the no-cache
 # Pragma directive.
@@ -4707,9 +4721,10 @@ specialized tasks.)
    unshift @{$q->param_fetch(-name=>'address')},'George Munster';
 
 If you need access to the parameter list in a way that isn't covered
-by the methods above, you can obtain a direct reference to it by
-calling the B<param_fetch()> method with the name of the .  This
-will return an array reference to the named parameters, which you then
+by the methods given in the previous sections, you can obtain a direct 
+reference to it by
+calling the B<param_fetch()> method with the name of the parameter.  This
+will return an array reference to the named parameter, which you then
 can manipulate in any way you like.
 
 You can also use a named argument style using the B<-name> argument.
diff --git a/cpan/CGI/lib/CGI/Cookie.pm b/cpan/CGI/lib/CGI/Cookie.pm
index 7bc090d..3567c7f 100644
--- a/cpan/CGI/lib/CGI/Cookie.pm
+++ b/cpan/CGI/lib/CGI/Cookie.pm
@@ -305,7 +305,9 @@ it internally), you can use this module independently.
 
 For full information on cookies see 
 
-	http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt
+	http://tools.ietf.org/html/rfc2109
+	http://tools.ietf.org/html/rfc2965
+	http://tools.ietf.org/html/draft-ietf-httpstate-cookie
 
 =head1 USING CGI::Cookie
 
@@ -355,18 +357,19 @@ that all scripts at your site will receive the cookie.
 If the "secure" attribute is set, the cookie will only be sent to your
 script if the CGI request is occurring on a secure channel, such as SSL.
 
-=item B<4. httponly flag>
+=item B<5. httponly flag>
 
 If the "httponly" attribute is set, the cookie will only be accessible
 through HTTP Requests. This cookie will be inaccessible via JavaScript
 (to prevent XSS attacks).
 
-But, currently this feature only used and recognised by 
-MS Internet Explorer 6 Service Pack 1 and later.
+This feature is only supported by recent browsers like Internet Explorer
+6 Service Pack 1, Firefox 3.0 and Opera 9.5 (and later of course).
 
-See this URL for more information:
+See these URLs for more information:
 
-L<http://msdn.microsoft.com/en-us/library/ms533046%28VS.85%29.aspx>
+	http://msdn.microsoft.com/en-us/library/ms533046.aspx
+	http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly
 
 =back
 
diff --git a/cpan/CGI/t/http.t b/cpan/CGI/t/http.t
index 2ed3863..324da26 100644
--- a/cpan/CGI/t/http.t
+++ b/cpan/CGI/t/http.t
@@ -34,11 +34,8 @@ my $cgi = CGI->new();
     # https()
     # The same as http(), but operates on the HTTPS environment variables present when the SSL protocol is in
     # effect.  Can be used to determine whether SSL is turned on.
-    my @expect = grep /^HTTPS/, keys %ENV;
-    push @expect, 'HTTPS'         if not exists $ENV{HTTPS};
-    push @expect, 'HTTPS_KEYSIZE' if not exists $ENV{HTTPS_KEYSIZE};
-    local $ENV{'HTTPS'} = 'ON';
-    local $ENV{'HTTPS_KEYSIZE'} = 512;
+    local %ENV;
+    @ENV{qw/ HTTPS HTTPS_KEYSIZE /} = ('ON', 512);
     is $cgi->https(), 'ON', 'scalar context to check SSL is on';
-    ok eq_set( [$cgi->https()], \@expect), 'list context returns https keys';
+    ok eq_set( [$cgi->https()], [qw(HTTPS HTTPS_KEYSIZE)]), 'list context returns https keys';
 }
diff --git a/pod/perldelta.pod b/pod/perldelta.pod
index 89d99fe..7b8bd09 100644
--- a/pod/perldelta.pod
+++ b/pod/perldelta.pod
@@ -270,6 +270,16 @@ L<[perl #33752]|http://rt.perl.org/rt3/Public/Bug/Display.html?id=33752>.
 
 =item *
 
+C<CGI> has been upgraded from 3.49 to 3.50
+
+This provides the following security fixes: the MIME boundary in 
+multipart_init is now random and improvements to the handling of 
+newlines embedded in header values.
+
+The documentation for param_fetch() has been corrected and clarified.
+
+=item *
+
 C<CPAN> has been upgraded from 1.94_61 to 1.94_62
 
 =item *

--
Perl5 Master Repository


