File: 0001-Untaint-raw-data-coming-from-session-storage-backend.patch

package info (click to toggle)
libcgi-session-perl 4.48-1%2Bdeb8u1
  • links: PTS, VCS
  • area: main
  • in suites: jessie
  • size: 616 kB
  • ctags: 209
  • sloc: perl: 1,920; makefile: 5
file content (77 lines) | stat: -rw-r--r-- 2,212 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
From ab199c765329638301105fd1884af14992bb1615 Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Tue, 12 Jan 2016 23:40:53 +0200
Subject: [PATCH] Untaint raw data coming from session storage backends

The various storage backends need to be considered trusted,
so data coming out of them should be untainted.

The _CLAIMED_ID comes from an HTTP cookie and is probably tainted,
but presumably it's OK if it matched some data in the storage.

Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346
Bug-Debian: https://bugs.debian.org/810799
---
 lib/CGI/Session.pm |  4 ++++
 t/taint_storage.t  | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 t/taint_storage.t

diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm
index 2788b04..6460d4d 100644
--- a/lib/CGI/Session.pm
+++ b/lib/CGI/Session.pm
@@ -724,6 +724,10 @@ sub load {
     # Requested session couldn't be retrieved
     return $self unless $raw_data;
 
+    # untaint; we trust the session backend,
+    # and presumably _CLAIMED_ID too at this point
+    $raw_data =~ /^(.*)$/s and $raw_data = $1;
+
     my $serializer = $self->_serializer();
     $self->{_DATA} = $serializer->thaw($raw_data);
     unless ( defined $self->{_DATA} ) {
diff --git a/t/taint_storage.t b/t/taint_storage.t
new file mode 100644
index 0000000..95f5f1a
--- /dev/null
+++ b/t/taint_storage.t
@@ -0,0 +1,34 @@
+#!/usr/bin/perl -T
+
+# https://rt.cpan.org/Public/Bug/Display.html?id=80346
+
+use strict;
+use warnings;
+use CGI::Session;
+use Scalar::Util qw(tainted);
+use Test::More tests => 6;
+
+my $sid;
+
+my $session = CGI::Session->new( "driver:file;serializer:storable", undef, {Directory=>'t'});
+ok($session, "new() with file+storable");
+
+$session->param('a', 1 );
+
+$sid = $session->id;
+ok(!tainted $sid, "sid not tainted after new");
+
+$session->flush;
+$session = CGI::Session->load( "driver:file;serializer:storable", $sid, {Directory=>'t'});
+
+ok($session, "load() with file+storable");
+$sid = $session->id;
+ok(!tainted $sid, "sid not tainted after load");
+
+is($session->param('a'), 1, "parameter stored");
+
+$session->flush;
+
+ok(1, "survived flush");
+
+$session->delete;
-- 
2.6.4