Fix RT 84403 - 'Security problem: missing "start" mode dumps ENV to output page' #15

Merged (10 commits)

5 participants

@MartinMcGrath
Collaborator

This pull request resolves the issue raised in https://rt.cpan.org/Public/Bug/Display.html?id=84403

Application.pm

A new runmode named no_runmodes is now called rather than dump_html when no run modes are specified. This returns a message to the user reporting the problem, without exposing anything which may raise security concerns. The POD has been updated, asking the user to think about potential security issues when calling dump_html.

basic.t/TestApp.pm

Add tests for the new runmode

load_tmpl_hook.t

Test required an update as it was dependent on Application.pm returning the output of dump_html

In addition to the changes above, some very minor changes to the indentation.

If there are any issues please let me know.
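As an added illustration, not code from this pull request or the project, the following stand-alone regression test in the style of t/basic.t fails if the default start mode of an application with no run modes ever echoes %ENV again. It assumes a CGI::Application with the no_runmodes change from this PR installed; the canary environment variable and the form parameter are constructed for the test.

```perl
#!/usr/bin/perl
# Added example, not part of the pull request: regression test for RT 84403.
# Assumes CGI::Application with the no_runmodes change from this PR.
use strict;
use warnings;
use Test::More tests => 4;
use CGI;
use CGI::Application;

# Make run() return the response instead of printing it (the same switch
# the project's own tests use).
$ENV{CGI_APP_RETURN_ONLY} = 1;

# Constructed canary: before the fix, dump_html() rendered every %ENV entry,
# including this one, into the response body.
$ENV{EXAMPLE_CANARY} = 'canary-7d2f-do-not-echo';

# Base-class application with no run_modes() declared at all, which is the
# situation the bug is about. A constructed form parameter exercises the
# form-data path as well.
my $app = CGI::Application->new(
    QUERY => CGI->new({ colour => 'blue' }),
);

my $out = $app->run;
my ($header, $body) = split /\r\n\r\n/, $out, 2;

like($header, qr{^Content-Type: text/html}, 'HTML response emitted');
like($body,   qr/No runmodes specified/,    'no_runmodes() error page served');
unlike($body, qr/Query Environment:/,       'dump_html() banner absent');
unlike($body, qr/canary-7d2f-do-not-echo/,  'environment value not echoed');
```

Run it against an unpatched 4.x release and the last two assertions fail, which is what makes it useful as a guard in a downstream package's test suite.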

MartinMcGrath added some commits
@MartinMcGrath MartinMcGrath Update Application.pm
Update to Application.pm to address rt bug 84403:

https://rt.cpan.org/Public/Bug/Display.html?id=84403

Create a new runmode (named no_runmodes) to display an error when no runmodes exist, as previously calling dump_html() may present a security issue.

Alter call in run_modes to call no_runmodes rather than dump_html
dcadc36
@MartinMcGrath MartinMcGrath Update basic.t -
Add a new test for no_runmodes, which replaces dump_html when no run modes are provided.

Add a test using TestApp.pm to cater for the dump_html test.
08b75f1
@MartinMcGrath MartinMcGrath Update TestApp.pm - add runmode dump_htm
Add a runmode named dump_htm to call dump_html. This is to cover a test added to basic.t
fe7e9bf
@MartinMcGrath MartinMcGrath Update basic.t
Fix typo in runmode called during dump_html test
b6058d9
@MartinMcGrath MartinMcGrath Update load_tmpl_hook.t
This test required an update as it was dependent on Application.pm returning the output of dump_html() if no runmodes existed.
727bb70
@MartinMcGrath MartinMcGrath Update Build.PL
add Module::Build to requires to stop the message: "Module::Build was not found in configure_requires! Adding it now"
b913740
@MartinMcGrath MartinMcGrath Update Build.PL
Alignment
c359b6b
@MartinMcGrath MartinMcGrath Update basic.t b746df9
@MartinMcGrath MartinMcGrath Update Application.pm - Update POD, add warning
Add a warning to the POD for dump_html()
7849b4c
@fionnb

I would like to STRONGLY endorse the application of this patch.
I just was about to open a report for exactly this issue when I found it already addressed by Martin. The problem has been introduced with commit 61d3276 already but probably did not cause major hassle until it arrived in recent Debian repos lately. The security implications of an unexpected and potentially uncontrollable var dump to the world are very serious. We also have lost quite some time trying to find out where this unexpected dump came from in the first place and how it was caused. As an added "bonus", the output of dump_html is not even a valid HTML page.

@MartinMcGrath
Collaborator

@fionnb I've created a pull request to ensure dump_html returns a valid HTML page.

@MartinMcGrath
Collaborator

fionnb

This second pull request was to address the "bonus" issue you raised; the first, which you endorse, apparently because you experienced the problem, would seem to match your requirements. If this is not the case perhaps a short test case replicating your problem would help.

Jesse,

My patch does not remove dump_html, rather it's no longer called by default when no runmodes are specified. You can still call dump_html. As you say the developer should be aware of what they're doing by deliberately dumping $ENV to a page.

In my patch the default runmode when none are provided reports this back to the user, rather than the output of dump_html(). This could be used "to demonstrate that the application module is working", without exposing anything unnecessarily.

Thanks

@markstos
Owner

Can you tell me which version this changed with?

Version 4.19 is mentioned in the issue history as when the change happened.

@eseyman

FYI, I've released updates for Fedora and EPEL (the Fedora branch for RHEL and clones).

@MartinMcGrath MartinMcGrath Update Application.pm - Add runmode, subsequent fix
Edit to commit, ensure output of no_runmodes outputs valid HTML, as per:

markstos#16
93081cf
@bket bket referenced this pull request from a commit in bitrig/bitrig-ports
Imported From OpenBSD Update www/p5-CGI-Application for CVE-2013-7329
Fix RT 84403 - 'Security problem: missing "start" mode dumps ENV to output page'
markstos/CGI--Application#15

While here remove groff and fix runtime depends.
www/p5-CGI-PSGI is optional, include it as people nowadays run PSGI and are
moving away from MOD_PERL.

From maintainer Ian McWilliam

Written by: Christian Weisgerber <naddy@openbsd.org>
e85454d
@bket bket referenced this pull request from a commit in bitrig/bitrig-ports
Imported From OpenBSD Update www/p5-CGI-Application for CVE-2013-7329
Fix RT 84403 - 'Security problem: missing "start" mode dumps ENV to output page'
markstos/CGI--Application#15

While here remove groff and fix runtime depends.
www/p5-CGI-PSGI is optional, include it as people nowadays run PSGI and are
moving away from MOD_PERL.

From maintainer Ian McWilliam

Written by: Christian Weisgerber <naddy@openbsd.org>
8193a40
@MartinMcGrath
Collaborator

With CPAN day coming up in 10 days time I was wondering if we could merge this (and #16) and have a new CPAN release, since the current release is from 2011.

Alternatively if there's anything I can do to help please let me know.

Thanks

@MartinMcGrath MartinMcGrath merged commit 56046f3 into markstos:master
Commits on Jan 16, 2014
  1. Update Application.pm (MartinMcGrath)
  2. Update basic.t (MartinMcGrath)
  3. Update TestApp.pm - add runmode dump_htm (MartinMcGrath)
  4. Update basic.t (MartinMcGrath)
  5. Update load_tmpl_hook.t (MartinMcGrath)
  6. Update Build.PL (MartinMcGrath)
Commits on Jan 17, 2014
  1. Update Build.PL (MartinMcGrath)
  2. Update basic.t (MartinMcGrath)
Commits on Jan 20, 2014
  1. Update Application.pm - Update POD, add warning (MartinMcGrath)
Commits on Apr 27, 2014
  1. Update Application.pm - Add runmode, subsequent fix (MartinMcGrath)
Build.PL (13 lines changed)
@@ -4,12 +4,13 @@ my $build = Module::Build->new
module_name => 'CGI::Application',
license => 'perl',
requires => {
- 'CGI' => 0,
- 'HTML::Template' => 0,
- 'Test::More' => 0.47,
- 'Test::Requires' => 0,
- 'Carp' => 0,
- 'Class::ISA' => 0,
+ 'Module::Build' => 0,
+ 'CGI' => 0,
+ 'HTML::Template' => 0,
+ 'Test::More' => 0.47,
+ 'Test::Requires' => 0,
+ 'Carp' => 0,
+ 'Class::ISA' => 0,
},
recommends => {
CGI::PSGI => 0.09, # If you want to use run_as_psgi()
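Review bot: the line `+ 'Module::Build' => 0,` is placed in `requires`, which makes Module::Build a runtime prerequisite of CGI::Application, and it is not one. The warning quoted in the commit message ("Module::Build was not found in configure_requires! Adding it now") is about the `configure_requires` section, so the entry belongs in `configure_requires => { 'Module::Build' => 0 }` instead. The other `-`/`+` pairs in this hunk are alignment only and would be clearer as a separate whitespace commit.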
lib/CGI/Application.pm (29 lines changed)
@@ -379,6 +379,30 @@ sub dump_html {
}
+sub no_runmodes {
+
+ my $self = shift;
+ my $query = $self->query();
+ my $output = $query->start_html;
+
+ # If no runmodes specified by app return error message
+ my $current_runmode = $self->get_current_runmode();
+ my $query_params = $query->Dump;
+
+ $output .= qq{
+ <h2>Error - No runmodes specified.</h2>
+ <p>Runmode called: $current_runmode"</p>
+ <p>Query paramaters:</p> $query_params
+ <p>Your application has not specified any runmodes.</p>
+ <p>Please read the <a href="http://search.cpan.org/~markstos/CGI-Appli
+ cation/">CGI::Application</a> documentation.</p>
+ };
+
+ $output .= $query->end_html();
+ return $output;
+}
+
+
sub header_add {
my $self = shift;
return $self->_header_props_update(\@_,add=>1);
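Review bot: `<p>Runmode called: $current_runmode"</p>` has a stray double quote after the variable, and $current_runmode is interpolated into the page unescaped; wrap it in `$query->escapeHTML(...)` before interpolation (CGI's Dump() already HTML-escapes the parameter names and values it renders, so that part is fine). Two smaller points in the same heredoc: "paramaters" should be "parameters", and the search.cpan.org href is split across two source lines inside the qq{} string, so the emitted link contains a newline and leading spaces; keep the URL on one line. Finally, since the purpose of this change is to stop reflecting request data to the client, it is worth asking whether the error page needs to include `$query->Dump` at all; the documentation pointer is enough to tell a developer what went wrong.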
@@ -533,7 +557,7 @@ sub run_modes {
my (@data) = (@_);
# First use? Create new __RUN_MODES!
- $self->{__RUN_MODES} = { 'start' => 'dump_html' } unless (exists($self->{__RUN_MODES}));
+ $self->{__RUN_MODES} = { 'start' => 'no_runmodes' } unless (exists($self->{__RUN_MODES}));
my $rr_m = $self->{__RUN_MODES};
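Review bot: this one-line change of the default 'start' mapping from dump_html to no_runmodes is the user-visible behaviour change of the PR, and existing code relied on the old output (t/load_tmpl_hook.t had to be updated in this same PR). It should be recorded in the Changes file and mentioned in the run_modes()/start_mode() POD, not only in the note added to the dump_html() documentation.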
@@ -1699,7 +1723,8 @@ Useful for outputting to STDERR.
The dump_html() method is a debugging function which will return
a chunk of text which contains all the environment and web form
data of the request, formatted nicely for human readability via
-a web browser. Useful for outputting to a browser.
+a web browser. Useful for outputting to a browser. Please consider
+the security implications of using this in production code.
=head3 error_mode()
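Review bot: "Please consider the security implications of using this in production code" is too vague to act on. Say concretely what the risk is, using the facts already in this paragraph: dump_html() returns the entire request environment (%ENV, which in many deployments carries server paths and configuration values set through environment variables) together with all submitted form data, so it must never be reachable as a run mode in a deployed application. A reference to RT 84403 here would also explain to readers why the default start mode no longer calls it.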
t/basic.t (28 lines changed)
@@ -1,6 +1,5 @@
-
use strict;
-use Test::More tests => 110;
+use Test::More tests => 112;
BEGIN{use_ok('CGI::Application');}
@@ -24,11 +23,12 @@ sub response_like {
my $output = $app->run;
my ($header, $body) = split /\r\n\r\n/m, $output;
like($header, $header_re, "$comment (header match)");
- like($body, $body_re, "$comment (body match)");
+ like($body, $body_re, "$comment (body match)");
}
# Instantiate CGI::Application
-# run() CGI::Application object. Expect header + output dump_html()
+# run() CGI::Application object.
+# Expect header + output no_runmodes()
{
my $app = CGI::Application->new();
isa_ok($app, 'CGI::Application');
@@ -39,11 +39,29 @@ sub response_like {
response_like(
$app,
qr{^Content-Type: text/html},
- qr/Query Environment:/,
+ qr/Error - No runmodes specified./,
'base class response',
);
}
+# Instantiate CGI::Application
+# run() CGI::Application sub-class.
+# Expect header + output dump_html()
+{
+
+ my $app = TestApp->new();
+ $app->query(CGI->new({'test_rm' => 'dump_htm'}));
+
+ response_like(
+ $app,
+ qr{^Content-Type: text/html},
+ qr/Query Environment:/,
+ 'dump_html class response'
+
+ );
+
+}
+
# Instantiate CGI::Application sub-class.
# run() CGI::Application sub-class.
# Expect HTTP header + 'Hello World: basic_test'.
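Review bot: the new block exercises dump_html() through TestApp, but nothing in this file asserts the negative side of the fix, that the base-class response no longer contains environment data. Add a negative check to the 'base class response' case, for example run the base-class app and `unlike($body, qr/Query Environment:/, 'no environment dump')`, or set a canary %ENV value before run() and assert it is absent from the body, so the regression is caught independently of the wording of no_runmodes(). Minor: the blank lines after the opening `{` and inside `response_like( ... )` do not match the surrounding tests' layout.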
t/lib/TestApp.pm (28 lines changed)
@@ -1,4 +1,3 @@
-
package TestApp;
use strict;
@@ -16,19 +15,20 @@ sub setup {
$self->mode_param('test_rm');
$self->run_modes(
- 'basic_test' => \&basic_test,
- 'redirect_test' => \&redirect_test,
- 'cookie_test' => \&cookie_test,
- 'tmpl_test' => \&tmpl_test,
- 'tmpl_badparam_test' => \&tmpl_badparam_test,
- 'props_before_redirect_test' => \&props_before_redirect_test,
- 'header_props_twice_nomerge' => \&header_props_twice_nomerge,
- 'header_add_arrayref_test' => \&header_add_arrayref_test,
- 'header_props_before_header_add' => \&header_props_before_header_add,
- 'header_add_after_header_props' => \&header_add_after_header_props,
-
- 'dump_txt' => 'dump',
- 'eval_test' => 'eval_test',
+ 'basic_test' => \&basic_test,
+ 'redirect_test' => \&redirect_test,
+ 'cookie_test' => \&cookie_test,
+ 'tmpl_test' => \&tmpl_test,
+ 'tmpl_badparam_test' => \&tmpl_badparam_test,
+ 'props_before_redirect_test' => \&props_before_redirect_test,
+ 'header_props_twice_nomerge' => \&header_props_twice_nomerge,
+ 'header_add_arrayref_test' => \&header_add_arrayref_test,
+ 'header_props_before_header_add' => \&header_props_before_header_add,
+ 'header_add_after_header_props' => \&header_add_after_header_props,
+
+ 'dump_htm' => 'dump_html',
+ 'dump_txt' => 'dump',
+ 'eval_test' => 'eval_test',
);
$self->param('last_orm', 'setup');
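Review bot: the only functional change in this hunk is `+ 'dump_htm' => 'dump_html',`; everything else is re-indentation of the run_modes() map, which buries that line in review. Keep whitespace-only changes in a separate commit. Also, a run mode named `dump_htm` is one character away from the method it dispatches to and has already caused one mistake in this PR (commit b6058d9, "Fix typo in runmode called during dump_html test"); a name such as `dump_html_test` would be harder to confuse with the method.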
t/load_tmpl_hook.t (2 lines changed)
@@ -8,7 +8,7 @@ $ENV{CGI_APP_RETURN_ONLY} = 1;
my $app = CGI::Application->new();
my $out = $app->run;
-like($out, qr/start/, "normal app output contains start");
+like($out, qr/Error - No runmodes specified/, "normal app output contains start");
unlike($out, qr/load_tmpl_hook/, "normal app output doesn't contain load_tmpl_hook");
{
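Review bot: the assertion regex changed but its description did not: `like($out, qr/Error - No runmodes specified/, "normal app output contains start")` now describes something it no longer checks. Rename the description to match, e.g. "normal app output is the no_runmodes error page".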