perl-HTTP-Daemon/CVE-2022-31081-2.patch

From 8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0 Mon Sep 17 00:00:00 2001
From: Theo van Hoesel <tvanhoesel@perceptyx.com>
Date: Tue, 21 Jun 2022 20:00:47 +0000
Subject: [PATCH] Include reason in response body content

---
 lib/HTTP/Daemon.pm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
index a5112b3..2d022ae 100644
--- a/lib/HTTP/Daemon.pm
+++ b/lib/HTTP/Daemon.pm
@@ -299,16 +299,18 @@ READ_HEADER:
         # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
         my @nums = grep { /^[0-9]+$/} @vals;
         unless (@vals == @nums) {
-            $self->send_error(400);
-            $self->reason("Content-Length value must be a unsigned integer");
+            my $reason = "Content-Length value must be an unsigned integer";
+            $self->send_error(400, $reason);
+            $self->reason($reason);
             return;
         }
         # check they are all the same
         my $len = shift @nums;
         foreach (@nums) {
             next if $_ == $len;
-            $self->send_error(400);
-            $self->reason("Content-Length values are not the same");
+            my $reason = "Content-Length values are not the same";
+            $self->send_error(400, $reason);
+            $self->reason($reason);
             return;
         }
         # ensure we have now a fixed header, with only 1 value
Accepting request 988945 from home:ohollmann:branches:devel:languages:perl - Fix request smuggling in HTTP::Daemon (CVE-2022-31081, bsc#1201157) * CVE-2022-31081.patch * CVE-2022-31081-2.patch OBS-URL: https://build.opensuse.org/request/show/988945 OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-HTTP-Daemon?expand=0&rev=19 2022-07-18 17:36:00 +02:00			`From 8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0 Mon Sep 17 00:00:00 2001`
			`From: Theo van Hoesel <tvanhoesel@perceptyx.com>`
			`Date: Tue, 21 Jun 2022 20:00:47 +0000`
			`Subject: [PATCH] Include reason in response body content`

			`---`
			`lib/HTTP/Daemon.pm \| 10 ++++++----`
			`1 file changed, 6 insertions(+), 4 deletions(-)`

			`diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm`
			`index a5112b3..2d022ae 100644`
			`--- a/lib/HTTP/Daemon.pm`
			`+++ b/lib/HTTP/Daemon.pm`
			`@@ -299,16 +299,18 @@ READ_HEADER:`
			`# check that they are all numbers (RFC: Content-Length = 1*DIGIT)`
			`my @nums = grep { /^[0-9]+$/} @vals;`
			`unless (@vals == @nums) {`
			`- $self->send_error(400);`
			`- $self->reason("Content-Length value must be a unsigned integer");`
			`+ my $reason = "Content-Length value must be an unsigned integer";`
			`+ $self->send_error(400, $reason);`
			`+ $self->reason($reason);`
			`return;`
			`}`
			`# check they are all the same`
			`my $len = shift @nums;`
			`foreach (@nums) {`
			`next if $_ == $len;`
			`- $self->send_error(400);`
			`- $self->reason("Content-Length values are not the same");`
			`+ my $reason = "Content-Length values are not the same";`
			`+ $self->send_error(400, $reason);`
			`+ $self->reason($reason);`
			`return;`
			`}`
			`# ensure we have now a fixed header, with only 1 value`