Cookie name CRLF injection #859
Comments
Continued: Dancer::Cookie also does not validate the values of the cookie() options "path", "expires" and "domain" for invalid characters. The header(), headers() and push_header() functions have the same problem with invalid characters in name and value. As a side effect, it was noticed that a utf8 string in a header value can crash the web server HTTP::Server::PSGI.
Actually, the first newline gets escaped. But you cannot see it on the terminal because the two spaces are followed by \r from the input value.
Hmm, yes, this stuff needs fixing. I see most of it as reasonably low-impact, as it's fairly unlikely that the value comes from user input for most of them; header values and cookie values are more of a concern, though. If I get a moment today I'll try to implement fixes for these problems (unless someone else gets there first :) )
(Whoops, closed this one by accident, thought I was looking at a different issue. That'll teach me to pay attention and slow down until my caffeination level has increased.)
This flaw has been assigned the identifier CVE-2012-5572 (http://www.openwall.com/lists/oss-security/2012/11/26/10).
This blocks the next release.
Agreed! Needs a fix ASAP.
Hi. Is there any news on this issue? Thanks for your work!
Did you abandon this issue?
No, it is still in the queue. We'll get to it eventually, I swear. :-)
The just-released version 1.3114 is missing the test t/12_response/11_CVE-2012-5572.t added in commit:
Oops, forgot to update the MANIFEST. Did that now; the test is going to pop up in the next release. Thanks!
Today the new CGI.pm 3.63 was announced, in which an issue with CRLF injection in cookies (marked as a security issue in Changes) was fixed:
https://github.com/markstos/CGI.pm/pull/23
As far as I can see, Dancer::Cookie also does not validate the cookie name for CRLF and other invalid symbols in headers. This may be a security issue if the cookie name is taken from an untrusted source.
```
$ perl -MDancer -e 'get "/" => sub { cookie "test\n\rX-Evil-Header: " => "evil" };dance' &
$ echo "GET / HTTP/1.0\r\n\r\n" | netcat 127.0.0.1 3000
HTTP/1.0 200 OK
Server: Perl Dancer 1.311
Content-Length: 4
Content-Type: text/html
Set-Cookie: test
X-Evil-Header: =evil; path=/; HttpOnly
X-Powered-By: Perl Dancer 1.311
evil
```
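An added example, not code from the Dancer project or its eventual fix: one way to reject the cookie name from the report, and the "path", "expires" and "domain" options mentioned in the comments, before a Set-Cookie header is built. The function name `build_set_cookie` and the sample inputs are hypothetical, and the cookie value is assumed to be already encoded.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helper (not Dancer's API): refuse to build a Set-Cookie
# header from fields containing characters the header grammar forbids.

# RFC 6265 cookie-name is an RFC 2616 token: visible ASCII minus separators.
my $TOKEN = qr/\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/;
# cookie-value octets: visible ASCII minus DQUOTE, comma, semicolon, backslash.
my $VALUE = qr/\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\z/;
# Attribute values (path, domain, expires): no control characters, no ';'.
my $ATTR  = qr/\A[\x20-\x3A\x3C-\x7E]*\z/;

sub build_set_cookie {
    my (%c) = @_;
    die "invalid cookie name\n"  unless defined $c{name}  && $c{name}  =~ $TOKEN;
    die "invalid cookie value\n" unless defined $c{value} && $c{value} =~ $VALUE;
    my @parts = ("$c{name}=$c{value}");
    for my $attr (qw(path domain expires)) {
        next unless defined $c{$attr};
        die "invalid cookie $attr\n" unless $c{$attr} =~ $ATTR;
        push @parts, "$attr=$c{$attr}";
    }
    return join '; ', @parts;
}

# Constructed inputs: the cookie name from the report, a benign cookie,
# and a benign name with CRLF smuggled into the "path" option.
my @cases = (
    { name => "test\n\rX-Evil-Header: ", value => "evil",   path => "/" },
    { name => "session",                 value => "abc123", path => "/" },
    { name => "session", value => "abc123", path => "/\r\nX-Evil-Header: 1" },
);
for my $c (@cases) {
    my $header = eval { build_set_cookie(%$c) };
    if (defined $header) {
        print "OK       Set-Cookie: $header\n";
    } else {
        chomp(my $err = $@);
        print "REJECTED $err\n";
    }
}
```

The patterns use `\z` rather than `$` so that a trailing newline cannot slip past the anchor.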