Fix RT 84403 - 'Security problem: missing "start" mode dumps ENV to output page' #15
Conversation
Update to Application.pm to address rt bug 84403: https://rt.cpan.org/Public/Bug/Display.html?id=84403 Create a new runmode (named no_runmodes) to display an error when no runmodes exist, as previously calling dump_html() may present a security issue. Alter call in run_modes to call no_runmodes rather than dump_html
Add a new test for no_runmodes, which replaces dump_html when no run modes are provided. Add a test using TestApp.pm to cater for the dump_html test.
Add a runmode named dump_htm to call dump_html. This is to cover a test added to basic.t
Fix typo in runmode called during dump_html test
This test required an update as it was dependent on the Application.pm returning the output of dump_html() if no runmodes existed.
add Module::Build to requires to stop the message: "Module::Build was not found in configure_requires! Adding it now"
Alignment
Add a warning to the POD for dump_html()
I would like to STRONGLY endorse the application of this patch.

@fionnb I've created a pull request to ensure dump_html returns a valid html page.
On 19.02.2014 15:35, Martin McGrath wrote:
Thanks, but that does not address the implicit, serious security issue. See also: kind regards!
Hi Guys -- On Wed, Feb 19, 2014 at 10:27 AM, fionnb notifications@github.com wrote:
This bug report is wrong. There was no change in 2008 which "caused" this CGI::Application has always called dump_html(), since it was first The purpose of calling dump_html() is to demonstrate that the application Jesse Jesse Erlbaum
fionnb This second pull request was to address the "bonus" issue you raised, the first which you endorse, apparently because you experienced the problem, would seem to match your requirements. If this is not the case perhaps a short test case replicating your problem would help. Jesse, My patch does not remove dump_html, rather it's no longer called by default when no runmodes are specified. You can still call dump_html. As you say the developer should be aware of what they're doing by deliberately dumping $ENV to a page. In my patch the default runmode when none are provided reports this back to the user, rather than the output of dump_html(). This could be used "to demonstrate that the application module is working", without exposing anything unnecessarily. Thanks
On 19.02.2014 16:36, jerlbaum wrote:
Hi Jesse! Oh yes, there is. I even linked the commit id for your convenience, After the change, you ALWAYS have dump_html as a default run_mode unless Facts: Behaviour of an otherwise unmodified application changed due to
I'd dare to say that this default should never have been defined that The chances to be hit by this definitely have increased with the above Thank you for reading. I hope to have clarified any doubts now about why
On Wed, Feb 19, 2014 at 3:23 PM, fionnb notifications@github.com wrote:
Can you tell me which version this changed with? Jesse Erlbaum
Version 4.19 is mentioned in the issue history as when the change happened.
Yes, thanks! Found it. On Feb 19, 2014, at 5:11 PM, Mark Stosberg notifications@github.com wrote: Can you tell me which version this changed with? Version 4.19 is mentioned in the issue history as when the change happened.
FYI, I've released updates for Fedora and EPEL (the Fedora branch for RHEL and clones).
Edit to commit, ensure output of no_runmodes outputs valid HTML, as per: markstos#16
Fix RT 84403 - 'Security problem: missing "start" mode dumps ENV to output page' markstos/CGI--Application#15 While here remove groff and fix runtime depends. www/p5-CGI-PSGI is optional, include it as people nowadays run PSGI and are moving away from MOD_PERL. From maintainer Ian McWilliam Written by: Christian Weisgerber <naddy@openbsd.org>
Fix RT 84403 - 'Security problem: missing "start" mode dumps ENV to output page' Merging to address https://rt.cpan.org/Public/Bug/Display.html?id=84403
This pull request resolves the issue raised in https://rt.cpan.org/Public/Bug/Display.html?id=84403
Application.pm
A new runmode named no_runmodes is now called rather than dump_html when no run modes are specified. This returns a message to the user reporting the problem, without exposing anything which may raise security concerns. The POD has been updated, asking the user to think about potential security issues when calling dump_html.
basic.t/TestApp.pm
Add tests for the new runmode.
load_tmpl_hook.t
Test required an update as it was dependent on Application.pm returning the output of dump_html.
In addition to the changes above, some very minor changes to the indentation.
If there are any issues please let me know.
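The following is an added example, not code from the CGI::Application project or from this pull request, showing what an application built on CGI::Application looks like when it cannot fall through to dump_html(): run modes, the start mode and an AUTOLOAD catch-all are declared explicitly in setup(), so a missing or unknown mode produces a plain error page instead of a dump of %ENV. The package name SafeApp, the run mode names and the CGIAPP_ALLOW_ENV_DUMP environment variable are assumptions made for this example; run_modes(), start_mode(), mode_param(), header_props(), dump_html(), the AUTOLOAD run mode and the CGI_APP_RETURN_ONLY switch are existing CGI::Application features.

```perl
#!/usr/bin/perl
# Added example (not part of CGI::Application or of this pull request).
package SafeApp;
use strict;
use warnings;
use CGI;
use base 'CGI::Application';

sub setup {
    my $self = shift;

    # Declare the run mode table explicitly. With a start mode and an
    # AUTOLOAD entry present, CGI::Application has a mode to dispatch to
    # for every request, so the historic fallback to dump_html() (which
    # prints %ENV and the query parameters into the page) is never reached.
    $self->mode_param('rm');
    $self->start_mode('safe_start');
    $self->run_modes(
        safe_start => 'show_start',
        env_dump   => 'env_dump',
        # AUTOLOAD is called with the intended run mode name when the
        # requested mode is not in the table.
        AUTOLOAD   => 'unknown_mode',
    );
}

# Plain "it works" page: demonstrates the module is wired up without
# echoing anything from the environment or the request.
sub show_start {
    my $self = shift;
    return "<html><head><title>SafeApp</title></head>\n"
         . "<body><p>Application is running.</p></body></html>\n";
}

# Catch-all for undeclared run modes. Only the fact that the mode is
# unknown is reported; the requested name is deliberately not reflected.
sub unknown_mode {
    my ($self, $intended) = @_;
    $self->header_props(-status => '404 Not Found');
    return "<html><head><title>Unknown run mode</title></head>\n"
         . "<body><p>The requested run mode is not defined.</p></body></html>\n";
}

# dump_html() stays available, but only when an operator opts in through
# an environment variable (CGIAPP_ALLOW_ENV_DUMP is a hypothetical name
# chosen for this example). Otherwise it behaves like an unknown mode.
sub env_dump {
    my $self = shift;
    return $self->dump_html if $ENV{CGIAPP_ALLOW_ENV_DUMP};
    return $self->unknown_mode('env_dump');
}

package main;

unless (caller) {
    # CGI_APP_RETURN_ONLY makes run() return the response instead of
    # printing it, so the script can be exercised from the command line.
    local $ENV{CGI_APP_RETURN_ONLY} = 1;

    # Constructed requests: one with no run mode (goes to the start mode)
    # and one asking for a mode that was never declared (goes to AUTOLOAD).
    for my $params ({}, { rm => 'not_a_mode' }) {
        my $app = SafeApp->new(QUERY => CGI->new($params));
        print $app->run, "\n";
    }
}

1;
```

Run it as a plain script to see the two responses; neither contains environment data. Pointing a request at rm=env_dump still yields the 404 page unless CGIAPP_ALLOW_ENV_DUMP is set in the server environment, which keeps the diagnostic reachable for deliberate local debugging while closing the default path this pull request is about.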