1 Escape new-lines in Cookie and P3P headers |
3 This is the relevant difference between CGI 3.62 and 3.63. |
4 See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>. |
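diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm
index d8d91f4..5bc9b17 100644
--- a/cpan/CGI/lib/CGI.pm
+++ b/cpan/CGI/lib/CGI.pm
@@ -1497,8 +1497,17 @@ sub header {
 'EXPIRES','NPH','CHARSET',
 'ATTACHMENT','P3P'],@p);
 
+ # Since $cookie and $p3p may be array references,
+ # we must stringify them before CR escaping is done.
+ my @cookie;
+ for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
+ my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
+ push(@cookie,$cs) if defined $cs and $cs ne '';
+ }
+ $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
+
 # CR escaping for values, per RFC 822
- for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+ for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
 if (defined $header) {
 # From RFC 822:
 # Unfolding is accomplished by regarding CRLF immediately
@@ -1542,18 +1551,9 @@ sub header {
 
 push(@header,"Status: $status") if $status;
 push(@header,"Window-Target: $target") if $target;
- if ($p3p) {
- $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
- push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
- }
+ push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
 # push all the cookies -- there may be several
- if ($cookie) {
- my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
- for (@cookie) {
- my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
- push(@header,"Set-Cookie: $cs") if $cs ne '';
- }
- }
+ push(@header,map {"Set-Cookie: $_"} @cookie);
 # if the user indicates an expiration time, then we need
 # both an Expires and a Date header (so that the browser is
 # uses OUR clock)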
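Review bot: The `push(@header,map {"Set-Cookie: $_"} @cookie);` line in the second hunk is only safe because `@cookie` holds the stringified values that the first hunk's `for my $header (...)` loop has already newline-checked, and nothing at that site says so; a later edit that rebuilds the list from `$cookie` or calls `$_->as_string` there would silently route around the check, which is precisely the gap this patch closes. I would add `# @cookie and $p3p were stringified and newline-checked above; never rebuild them from the raw -cookie/-p3p arguments here` above the P3P push so both emit sites carry the invariant. The first hunk presumably also relies on `for my $header` aliasing so that any unfolding done inside the loop mutates the `@cookie` copies in place — the loop body lies outside the hunk, so worth confirming. As a point of style, the new P3P line trades the removed `qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p")` for a backslash-escaped string, which reads worse for no behavioural gain. `sub header` starts before and ends after both hunks.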
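diff --git a/t/headers.t b/t/headers.t
index 661b74b..4b4922c 100644
--- a/cpan/CGI/t/headers.t
+++ b/cpan/CGI/t/headers.t
@@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');
 like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
 qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
 
+eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
+like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
+
+eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
+like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
+
 eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
 like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
 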
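Review bot: Both new tests assert only the failure path; nothing in this hunk checks that a well-formed arrayref of cookies or P3P tokens still produces the headers after CGI.pm moved `Set-Cookie` emission to a single `map` over the pre-built `@cookie` and hoisted the P3P `join`. I would add positive cases beside them, for example `like $cgi->header( -cookie => ['a=b','c=d'] ), qr/Set-Cookie: a=b.*Set-Cookie: c=d/s, 'arrayref of cookie strings emits each Set-Cookie';` and `like $cgi->header( -p3p => ['CAO','DSP'] ), qr/CP="CAO DSP"/, 'arrayref of P3P tokens is space-joined';` (values constructed for illustration). The scalar form of `-cookie` and `-p3p` with an embedded CRLF is also not exercised here, unless it is covered earlier in the file, which lies outside the hunk. Note too that the `diff --git a/t/headers.t` header disagrees with the `--- a/cpan/CGI/t/headers.t` path, so the patch may need a path adjustment to apply cleanly.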