Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Cookie name CRLF injection #859

vlet opened this Issue · 12 comments

7 participants


Today was announced new 3.63 were was fixed issue (marked as
security issue in Changes) with CRLF injection in cookies:

As I can see Dancer::Cookie also do not validate cookie name for
CRLF and other invalid symbols in headers. This may be a security issue if
cookie name taken from untrusted source.

$ perl -MDancer -e 'get "/" => sub { cookie "test\n\rX-Evil-Header: " => "evil" };dance' &

$ echo "GET / HTTP/1.0\r\n\r\n" | netcat 3000

HTTP/1.0 200 OK
Server: Perl Dancer 1.311
Content-Length: 4
Content-Type: text/html
Set-Cookie: test
X-Evil-Header: =evil; path=/; HttpOnly
X-Powered-By: Perl Dancer 1.311




Dancer::Cookie also do not validate values of options of cookie() "path", "expires" and "domain" for invalid characters.
Moreover if value of cookie is utf8 string cookie() will crash ( uri_escape() die if symbol code > 255)

header(), headers() and push_header() functions have same problem with invalid characters in name and value.
Header value validated for CRLF in Dancer::Response. headers_to_array() adds space after first CRLF (multiline header body allowed with TAB or SPACE in the beginig of each line). But if there are two or more CRLF in a header body than you have a problem...

As side effect was noticed, that utf8 string in header value can crash web-server HTTP::Server::PSGI


Actually the first new line gets escaped. But you cannot see it on terminal because the two spaces are followed by \r from input value.


Hmm, yes, this stuff needs fixing.

I see most of it as reasonably low-impact, as it's fairly unlikely that the value comes from user input for most of them; header values and cookie values are more of a concern, though.

If I get a moment today I'll try to implement fixes for these problems (unless someone else gets there first :) )

@bigpresh bigpresh closed this
@bigpresh bigpresh reopened this

(Whoops, closed this one by accident, thought I was looking at a different issue. That'll teach me to pay attention and slow down until my caffeination level has increased.)


This flaw has been assigned CVE-2012-5572 identifier (


This blocks the next release.



Are there news on this issue?

Thanks for your work!


did you abandon this issue?


No, it is still in the queue. We'll get to it eventually, I swear. :-)

@yanick yanick closed this in d21a098

Just released version 1.3114 is missing test t/12_response/11_CVE-2012-5572.t added in commit:

commit d21a0983fa95ffea2b50ad5af84cc93f4ce5f4d2
Author: Colin Keith <>
Date:   Sat May 25 00:46:53 2013 -0400

    test and resolution for CVE-2012-5572, \r\n sequence being allowed in a cookie name fixes PerlDancer/Dancer#859
@yanick yanick referenced this issue from a commit
@yanick yanick didn't add new test to MANIFEST
Fixes #859

Ooops, forgot to update the MANIFEST. Did that now, test is going to pop up in next release.


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.