components/perl512/patches/15880426.patch
branchs11u1-sru
changeset 2556 d05232ccfb14
2548:5418a9de3963 2556:d05232ccfb14
       
     1 Escape new-lines in Cookie and P3P headers
       
     2 
       
     3 This is relevant difference between CGI 3.62 and 3.63.
       
     4 See <https://bugzilla.redhat.com/show_bug.cgi?id=876974>.
       
     5 
       
     6 diff --git a/cpan/CGI/lib/CGI.pm b/cpan/CGI/lib/CGI.pm
       
     7 index d8d91f4..5bc9b17 100644
       
     8 --- a/cpan/CGI/lib/CGI.pm
       
     9 +++ b/cpan/CGI/lib/CGI.pm
       
    10 @@ -1497,8 +1497,17 @@ sub header {
       
    11                              'EXPIRES','NPH','CHARSET',
       
    12                              'ATTACHMENT','P3P'],@p);
       
    13  
       
    14 +    # Since $cookie and $p3p may be array references,
       
    15 +    # we must stringify them before CR escaping is done.
       
    16 +    my @cookie;
       
    17 +    for (ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie) {
       
    18 +        my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
       
    19 +        push(@cookie,$cs) if defined $cs and $cs ne '';
       
    20 +    }
       
    21 +    $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
       
    22 +
       
    23      # CR escaping for values, per RFC 822
       
    24 -    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
       
    25 +    for my $header ($type,$status,@cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
       
    26          if (defined $header) {
       
    27              # From RFC 822:
       
    28              # Unfolding  is  accomplished  by regarding   CRLF   immediately
       
    29 @@ -1542,18 +1551,9 @@ sub header {
       
    30  
       
    31      push(@header,"Status: $status") if $status;
       
    32      push(@header,"Window-Target: $target") if $target;
       
    33 -    if ($p3p) {
       
    34 -       $p3p = join ' ',@$p3p if ref($p3p) eq 'ARRAY';
       
    35 -       push(@header,qq(P3P: policyref="/w3c/p3p.xml", CP="$p3p"));
       
    36 -    }
       
    37 +    push(@header,"P3P: policyref=\"/w3c/p3p.xml\", CP=\"$p3p\"") if $p3p;
       
    38      # push all the cookies -- there may be several
       
    39 -    if ($cookie) {
       
    40 -	my(@cookie) = ref($cookie) && ref($cookie) eq 'ARRAY' ? @{$cookie} : $cookie;
       
    41 -	for (@cookie) {
       
    42 -            my $cs = UNIVERSAL::isa($_,'CGI::Cookie') ? $_->as_string : $_;
       
    43 -	    push(@header,"Set-Cookie: $cs") if $cs ne '';
       
    44 -	}
       
    45 -    }
       
    46 +    push(@header,map {"Set-Cookie: $_"} @cookie);
       
    47      # if the user indicates an expiration time, then we need
       
    48      # both an Expires and a Date header (so that the browser is
       
    49      # uses OUR clock)
       
    50 diff --git a/t/headers.t b/t/headers.t
       
    51 index 661b74b..4b4922c 100644
       
    52 --- a/cpan/CGI/t/headers.t
       
    53 +++ b/cpan/CGI/t/headers.t
       
    54 @@ -22,6 +22,12 @@ like($@,qr/contains a newline/,'invalid header blows up');
       
    55  like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
       
    56      qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
       
    57  
       
    58 +eval { $cgi->header( -p3p => ["foo".$CGI::CRLF."bar"] ) };
       
    59 +like($@,qr/contains a newline/,'P3P header with CRLF embedded blows up');
       
    60 +
       
    61 +eval { $cgi->header( -cookie => ["foo".$CGI::CRLF."bar"] ) };
       
    62 +like($@,qr/contains a newline/,'Set-Cookie header with CRLF embedded blows up');
       
    63 +
       
    64  eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
       
    65  like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
       
    66
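Review bot: The new tests at t/headers.t lines 58–62 only cover the array-reference forms of `-p3p` and `-cookie`, while the CGI.pm hunk also routes the plain-scalar forms (the `: $cookie` arm of the ternary and a non-ARRAY `$p3p`) through the CR-escaping loop, so those paths stay untested, as does a `CGI::Cookie` object whose `as_string` output carries a CRLF. Adding `eval { $cgi->header( -cookie => "foo".$CGI::CRLF."bar" ) };` followed by `like($@,qr/contains a newline/,'scalar Set-Cookie with CRLF embedded blows up');` and the matching `-p3p` scalar case would pin both branches. The reordering also appears to shift two edge cases: a `-cookie => '0'` value, previously dropped by `if ($cookie)`, now passes the `defined $cs and $cs ne ''` filter and is emitted, and `-p3p => []`, previously emitted as `CP=""`, now joins to an empty string and is skipped by `if $p3p`; if either matters to callers it deserves a line in the patch description. The CR-escaping loop body in `sub header` continues outside the first hunk.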