Description: Fix CVE-2013-7329
 In certain cases, CGI::Application would unexpectedly dump a complete
 set of web query data and server environment information as an error
 page. This could allow unintended disclosure of sensitive information.
Origin: backport, https://github.com/markstos/CGI--Application/pull/15
Bug: https://github.com/markstos/CGI--Application/pull/15
Bug-Debian: http://bugs.debian.org/739505
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1067180
Forwarded: not-needed
Author: Emmanuel Seyman <emmanuel@seyman.fr> 
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2014-04-03

--- a/lib/CGI/Application.pm
+++ b/lib/CGI/Application.pm
@@ -359,6 +359,27 @@
 }
 
 
+sub no_runmodes {
+
+       my $self   = shift;
+       my $query  = $self->query();
+       
+       # If no runmodes specified by app return error message 
+       my $current_runmode = $self->get_current_runmode();
+       my $query_params = $query->Dump;
+       
+       my $output = qq{
+               <h2>Error - No runmodes specified.</h2>
+               <p>Runmode called: $current_runmode"</p>
+               <p>Query paramaters:</p> $query_params
+               <p>Your application has not specified any runmodes.</p>
+               <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
+               cation/">CGI::Application</a> documentation.</p>
+       };
+       return $output;
+}
+
+
 sub header_add {
 	my $self = shift;
 	return $self->_header_props_update(\@_,add=>1);
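Review bot: The new `no_runmodes` page still writes `$query->Dump` into the response, so the default error page keeps echoing every request parameter to the client; the change removes the environment dump but not that echo. `$current_runmode` is also interpolated into the HTML without escaping, and whether it can carry request-supplied text depends on `get_current_runmode`, which is outside this hunk. I would drop the `my $query_params = $query->Dump;` assignment and the `<p>Query paramaters:</p> $query_params` line, and keep the page to static text. Separately, the runmode line has a stray `"` before `</p>`, and the `href` value is split across two added lines, which puts a newline and indentation inside the URL.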
@@ -513,7 +534,7 @@
 	my (@data) = (@_);
 
 	# First use?  Create new __RUN_MODES!
-    $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
+    $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
 
 	my $rr_m = $self->{__RUN_MODES};
 
@@ -1653,7 +1674,8 @@
 The dump_html() method is a debugging function which will return
 a chunk of text which contains all the environment and web form
 data of the request, formatted nicely for human readability via
-a web browser.  Useful for outputting to a browser.
+a web browser.  Useful for outputting to a browser. Please consider
+the security implications of using this in production code.
 
 =head3 error_mode()
 
--- a/t/basic.t
+++ b/t/basic.t
@@ -1,6 +1,6 @@
 
 use strict;
-use Test::More tests => 110;
+use Test::More tests => 112;
 
 BEGIN{use_ok('CGI::Application');}
 
@@ -28,7 +28,7 @@
 }
 
 # Instantiate CGI::Application
-# run() CGI::Application object.	Expect header + output dump_html()
+# run() CGI::Application object.       Expect header + output no_runmodes()
 {
 	my $app = CGI::Application->new();
 	isa_ok($app, 'CGI::Application');
@@ -39,11 +39,29 @@
 	response_like(
 		$app,
 		qr{^Content-Type: text/html},
-		qr/Query Environment:/,
+		qr/Error - No runmodes specified./,
 		'base class response',
 	);
 }
 
+# Instantiate CGI::Application
+# run() CGI::Application sub-class.
+# Expect header + output dump_html()
+{
+
+       my $app = TestApp->new();
+       $app->query(CGI->new({'test_rm' => 'dump_htm'}));
+
+       response_like(
+               $app,
+               qr{^Content-Type: text/html},
+               qr/Query Environment:/,
+               'dump_html class response'
+
+       );
+
+}
+
 # Instantiate CGI::Application sub-class.
 # run() CGI::Application sub-class. 
 # Expect HTTP header + 'Hello World: basic_test'.
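Review bot: The base-class test now checks that the new error text is present, but nothing asserts that the environment dump is absent from the default output, which is the behaviour this fix is meant to guarantee. The same gap exists in the `t/load_tmpl_hook.t` hunk, where the output is already in `$out` and the check could be `unlike($out, qr/Query Environment:/, "default output does not dump the environment");`. Here the check goes through `response_like`, which is defined outside the hunk, so the exact form depends on that helper. The trailing `.` in `qr/Error - No runmodes specified./` is also an unescaped metacharacter; `qr/Error - No runmodes specified\./` matches the literal full stop.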
--- a/t/lib/TestApp.pm
+++ b/t/lib/TestApp.pm
@@ -27,6 +27,7 @@
  		'header_props_before_header_add'		=> \&header_props_before_header_add,
  		'header_add_after_header_props'		=> \&header_add_after_header_props,
 
+    'dump_htm'    => 'dump_html',
     'dump_txt'    => 'dump',
 		'eval_test'		=> 'eval_test',
 	);
--- a/t/load_tmpl_hook.t
+++ b/t/load_tmpl_hook.t
@@ -8,7 +8,7 @@
 my $app = CGI::Application->new();
 my $out = $app->run;
 
-like($out, qr/start/, "normal app output contains start");
+like($out, qr/Error - No runmodes specified/, "normal app output contains start");
 unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
 
  {
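Review bot: The test description on the changed `like` line is stale: the pattern now matches the no-runmodes error page, but the message still reads "normal app output contains start". A failure would then report the wrong expectation. Something like `like($out, qr/Error - No runmodes specified/, "default app output is the no-runmodes error page");` keeps the name in step with what is asserted. The block opened by the final `{` continues outside this hunk.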
