Description: Fix CVE-2013-7329
In certain cases, CGI::Application would unexpectedly dump a complete
set of web query data and server environment information as an error
page. This could allow unintended disclosure of sensitive information.
Origin: backport, https://github.com/markstos/CGI--Application/pull/15
Bug: https://github.com/markstos/CGI--Application/pull/15
Bug-Debian: http://bugs.debian.org/739505
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1067180
Forwarded: not-needed
Author: Emmanuel Seyman <emmanuel@seyman.fr>
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2014-04-03
--- a/lib/CGI/Application.pm
+++ b/lib/CGI/Application.pm
@@ -359,6 +359,27 @@
}
+sub no_runmodes {
+
+ my $self = shift;
+ my $query = $self->query();
+
+ # If no runmodes specified by app return error message
+ my $current_runmode = $self->get_current_runmode();
+ my $query_params = $query->Dump;
+
+ my $output = qq{
+ <h2>Error - No runmodes specified.</h2>
+ <p>Runmode called: $current_runmode"</p>
+ <p>Query paramaters:</p> $query_params
+ <p>Your application has not specified any runmodes.</p>
+ <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
+ cation/">CGI::Application</a> documentation.</p>
+ };
+ return $output;
+}
+
+
sub header_add {
my $self = shift;
return $self->_header_props_update(\@_,add=>1);
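Review bot: no_runmodes() still interpolates `$query->Dump` into the error page, so the default response keeps echoing every submitted query parameter back to the client; only the server environment dump is removed. If the intent is to stop disclosing request data, drop the `<p>Query paramaters:</p> $query_params` line (and the `$query_params` variable) and keep the message generic. Two smaller points in the same block: `$current_runmode` is derived from the request and is interpolated into HTML without escaping, so it should be HTML-escaped; and `<p>Runmode called: $current_runmode"</p>` carries a stray `"`, while "paramaters" is misspelled.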
@@ -513,7 +534,7 @@
my (@data) = (@_);
# First use? Create new __RUN_MODES!
- $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
+ $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
my $rr_m = $self->{__RUN_MODES};
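Review bot: changing the implicit `start` run mode from `dump_html` to `no_runmodes` is the actual fix, but it also changes observable behaviour for any application that relied on the old default, so the new default should be stated in the run_modes() POD and in the change log rather than left to be discovered from the error page.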
@@ -1653,7 +1674,8 @@
The dump_html() method is a debugging function which will return
a chunk of text which contains all the environment and web form
data of the request, formatted nicely for human readability via
-a web browser. Useful for outputting to a browser.
+a web browser. Useful for outputting to a browser. Please consider
+the security implications of using this in production code.
=head3 error_mode()
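Review bot: the added sentence "Please consider the security implications" is too vague to act on; say concretely what the implication is. The paragraph already states that the output contains all environment and web form data of the request, so a sentence such as `Because the output reveals every environment variable and form value of the request, dump_html() should not be reachable as a run mode in production.` tells the reader what to avoid.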
--- a/t/basic.t
+++ b/t/basic.t
@@ -1,6 +1,6 @@
use strict;
-use Test::More tests => 110;
+use Test::More tests => 112;
BEGIN{use_ok('CGI::Application');}
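Review bot: the plan goes from 110 to 112 while the patch adds a single `response_like` call in the new TestApp block, which is consistent only if that helper issues two checks (header and body); worth confirming against the helper rather than adjusting the number until the run passes.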
@@ -28,7 +28,7 @@
}
# Instantiate CGI::Application
-# run() CGI::Application object. Expect header + output dump_html()
+# run() CGI::Application object. Expect header + output no_runmodes()
{
my $app = CGI::Application->new();
isa_ok($app, 'CGI::Application');
@@ -39,11 +39,29 @@
response_like(
$app,
qr{^Content-Type: text/html},
- qr/Query Environment:/,
+ qr/Error - No runmodes specified./,
'base class response',
);
}
+# Instantiate CGI::Application
+# run() CGI::Application sub-class.
+# Expect header + output dump_html()
+{
+
+ my $app = TestApp->new();
+ $app->query(CGI->new({'test_rm' => 'dump_htm'}));
+
+ response_like(
+ $app,
+ qr{^Content-Type: text/html},
+ qr/Query Environment:/,
+ 'dump_html class response'
+
+ );
+
+}
+
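Review bot: the base-class block at the top of this hunk only asserts that the new error string is present; add a negative check on the same response (an `unlike` against `qr/Query Environment:/`) so a regression that reintroduces the environment dump in the default run mode actually fails. Also, in `qr/Error - No runmodes specified./` the trailing `.` is an unescaped metacharacter that matches any character; escape it as `\.` or drop it. The new TestApp block assumes the sub-class reads its run mode from the `test_rm` parameter, which is not visible in this patch and should be checked against t/lib/TestApp.pm.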
# Instantiate CGI::Application sub-class.
# run() CGI::Application sub-class.
# Expect HTTP header + 'Hello World: basic_test'.
--- a/t/lib/TestApp.pm
+++ b/t/lib/TestApp.pm
@@ -27,6 +27,7 @@
'header_props_before_header_add' => \&header_props_before_header_add,
'header_add_after_header_props' => \&header_add_after_header_props,
+ 'dump_htm' => 'dump_html',
'dump_txt' => 'dump',
'eval_test' => 'eval_test',
);
--- a/t/load_tmpl_hook.t
+++ b/t/load_tmpl_hook.t
@@ -8,7 +8,7 @@
my $app = CGI::Application->new();
my $out = $app->run;
-like($out, qr/start/, "normal app output contains start");
+like($out, qr/Error - No runmodes specified/, "normal app output contains start");
unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
{
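Review bot: the description on the `+` line, "normal app output contains start", no longer matches the assertion, which now looks for `Error - No runmodes specified`; rename it to something like "default app output is the no-runmodes error page" so a failure report reads correctly.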