perl/perl-cgi-injection.diff

40 lines
1.7 KiB
Diff

--- ./cpan/CGI/lib/CGI.pm.orig 2010-05-07 13:34:10.000000000 +0000
+++ ./cpan/CGI/lib/CGI.pm 2011-01-12 11:35:33.000000000 +0000
@@ -1457,7 +1457,13 @@ END_OF_FUNC
sub multipart_init {
my($self,@p) = self_or_default(@_);
my($boundary,@other) = rearrange_header([BOUNDARY],@p);
- $boundary = $boundary || '------- =_aaaaaaaaaa0';
+ if (!$boundary) {
+ $boundary = '------- =_';
+ my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+ for (1..17) {
+ $boundary .= $chrs[rand(scalar @chrs)];
+ }
+ }
$self->{'separator'} = "$CRLF--$boundary$CRLF";
$self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
$type = SERVER_PUSH($boundary);
@@ -1545,10 +1551,17 @@ sub header {
# CR escaping for values, per RFC 822
for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
if (defined $header) {
- $header =~ s/
- (?<=\n) # For any character proceeded by a newline
- (?=\S) # ... that is not whitespace
- / /xg; # ... inject a leading space in the new line
+ # From RFC 822:
+ # Unfolding is accomplished by regarding CRLF immediately
+ # followed by a LWSP-char as equivalent to the LWSP-char.
+ $header =~ s/$CRLF(\s)/$1/g;
+
+ # All other uses of newlines are invalid input.
+ if ($header =~ m/$CRLF|\015|\012/) {
+ # shorten very long values in the diagnostic
+ $header = substr($header,0,72).'...' if (length $header > 72);
+ die "Invalid header value contains a newline not followed by whitespace: $header";
+ }
}
}