==> debian/compat <==
7

==> debian/rules <==
#!/usr/bin/make -f
%:
	dh $@

==> debian/source/format <==
3.0 (quilt)

==> debian/watch <==
version=3
http://search.cpan.org/dist/CGI-Simple/ .*/CGI-Simple-v?(\d[\d.]+)\.(?:tar(?:\.gz|\.bz2)?|tgz|zip)

==> debian/changelog <==
libcgi-simple-perl (1.113-2) unstable; urgency=low

  [ Ansgar Burchardt ]
  * debian/control: Convert Vcs-* fields to Git.

  [ Salvatore Bonaccorso ]
  * debian/copyright: Replace DEP5 Format-Specification URL from
    svn.debian.org to anonscm.debian.org URL.

  [ Dominic Hargreaves ]
  * Fix lintian warning perl-module-uses-perl4-libs-without-dep by replacing
    use of shellwords.pl with Text::ParseWords
  * Update Standards-Version (no changes)

 -- Dominic Hargreaves  Mon, 06 Feb 2012 19:49:43 +0000

libcgi-simple-perl (1.113-1) unstable; urgency=low

  [ Nathan Handler ]
  * debian/watch: Update to ignore development releases.

  [ Ryan Niebur ]
  * Email change: Ryan Niebur -> ryan@debian.org

  [ gregor herrmann ]
  * Improve reference to documentation in long description, thanks to Frank
    Gevaerts for the bug report (closes: #576530).
  * Email change: gregor herrmann -> gregoa@debian.org
  * Email change: Jose Luis Rivas -> ghostbar@debian.org
  * Minimize debian/rules.
  * debian/copyright: update formatting.
  * Set Standards-Version to 3.9.1; remove version from perl build dependency.
  * Rephrase short description.
  [ Ansgar Burchardt ]
  * Email change: Ansgar Burchardt -> ansgar@debian.org

  [ Damyan Ivanov ]
  * New upstream release
    + Contains fixes to CVE-2010-4410 and CVE-2010-2761
  * add a patch for CVE-2010-4410
    + add libtest-exception-perl to dependencies
  * use "3.0 (quilt)" source format

  [ Niko Tyni ]
  * [SECURITY] CVE-2010-4411: fix a newline injection issue that resulted
    from an incomplete fix for CVE-2010-4410.

 -- gregor herrmann  Wed, 09 Feb 2011 17:14:01 +0100

libcgi-simple-perl (1.111-2) unstable; urgency=medium

  * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411: backport fixes for
    MIME boundary and multiline header vulnerabilities (Closes: #606379)
  * Add myself to Uploaders.

 -- Niko Tyni  Fri, 14 Jan 2011 21:47:20 +0200

libcgi-simple-perl (1.111-1) unstable; urgency=low

  * New upstream release

 -- Ryan Niebur  Thu, 28 May 2009 18:35:38 -0700

libcgi-simple-perl (1.109-1) unstable; urgency=low

  * New upstream release

 -- Ryan Niebur  Sat, 18 Apr 2009 10:07:12 -0700

libcgi-simple-perl (1.108-1) unstable; urgency=low

  * New upstream release
  * add myself to uploaders
  * policy 3.8.1

 -- Ryan Niebur  Fri, 13 Mar 2009 16:53:36 -0700

libcgi-simple-perl (1.107-1) unstable; urgency=low

  [ gregor herrmann ]
  * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
    (source stanza).

  [ Ansgar Burchardt ]
  * New upstream release.
  * Add myself to Uploaders.

  [ gregor herrmann ]
  * debian/copyright: update formatting and add information about files
    under debian/.

 -- Ansgar Burchardt  Sun, 08 Mar 2009 16:43:51 +0100

libcgi-simple-perl (1.106-1) unstable; urgency=low

  * New upstream release.
  * Set debhelper compatibility level to 7; adapt
    debian/{control,compat,rules}. Drop cdbs.
  * debian/control: improve short description.
  * Set Standards-Version to 3.8.0 (no changes).

 -- gregor herrmann  Wed, 01 Oct 2008 23:53:59 +0200

libcgi-simple-perl (1.105-1) unstable; urgency=low

  * New upstream release.
 -- gregor herrmann  Sat, 17 May 2008 17:09:09 +0200

libcgi-simple-perl (1.104-1) unstable; urgency=low

  * New upstream release.
  * debian/control:
    - change my email address
    - add libwww-perl, libtest-pod-perl, libtest-pod-coverage-perl to
      Build-Depends-Indep in order to enable additional tests

 -- gregor herrmann  Fri, 16 May 2008 15:41:24 +0200

libcgi-simple-perl (1.103-2) unstable; urgency=low

  [ Damyan Ivanov ]
  * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
    field (source stanza); Homepage field (source stanza).

  [ gregor herrmann ]
  * debian/rules: delete /usr/lib/perl5 only if it exists.
  * debian/control: Changed: Maintainer set to Debian Perl Group (was: Jose
    Luis Rivas ); Jose Luis Rivas moved to Uploaders.
  * debian/watch: use dist-based URL.
  * Set Standards-Version to 3.7.3 (no changes).
  * Set debhelper compatibility level to 6.
  * Remove debian/docs and don't install README anymore (doesn't provide
    any useful information).
  * debian/copyright: sync with reality and convert to new format.
  * Remove Homepage from long description.
  * Add /me to Uploaders.

 -- gregor herrmann  Sun, 03 Feb 2008 20:15:20 +0100

libcgi-simple-perl (1.103-1) unstable; urgency=low

  * New upstream release

 -- Jose Luis Rivas  Fri, 17 Aug 2007 00:50:43 -0400

libcgi-simple-perl (1.0-1) unstable; urgency=low

  * New upstream release
  * debian/rules:
    + Updated the cleaning after installing
  * debian/watch:
    + Updated to be more specific; this avoids false positives.

 -- Jose Luis Rivas  Wed, 30 May 2007 16:05:27 -0400

libcgi-simple-perl (0.080-1) unstable; urgency=low

  * New maintainer (Closes: #416280)
  * New upstream release
  * debian/rules: Switch to CDBS
  * debian/control:
    + Updated debhelper to (>= 5)
    + Added cdbs as Build-Depends
    + Updated Standards-Version to 3.7.2

 -- Jose Luis Rivas  Sat, 31 Mar 2007 12:14:16 -0400

libcgi-simple-perl (0.077-1) unstable; urgency=low

  * Initial Release.
    Closes: #296357

 -- Christopher Sacca  Tue, 22 Feb 2005 13:36:59 -0500

==> debian/patches/series <==
cve-2010-4410.patch
cve-2010-4411.patch
no-shellwords-pl.patch

==> debian/patches/cve-2010-4410.patch <==
Description: test for Fix CVE-2010-4410
 Always check for CRLF in supplied header values and require that CRLF is
 followed by a whitespace, in which case the CRLF is stripped. Die if CRLF is
 followed by non-whitespace character.
Bug-Debian: http://bugs.debian.org/606379
Author: Damyan Ivanov
Forwarded: https://rt.cpan.org/Ticket/Display.html?id=64160
--- /dev/null
+++ b/t/120.header-crlf.t
@@ -0,0 +1,20 @@ +use strict; +use Test::More tests => 2; +use Test::Exception; +use CGI::Simple; + +my $cgi = CGI::Simple->new; + +my $CRLF = $cgi->crlf; + +is( $cgi->header( '-Test' => "test$CRLF part" ), + "Test: test part" + . $CRLF + . 'Content-Type: text/html; charset=ISO-8859-1' + . $CRLF + . $CRLF +); + +throws_ok { $cgi->header( '-Test' => "test$CRLF$CRLF part" ) } +qr/Invalid header value contains a newline not followed by whitespace:/, + 'invalid CRLF caught';
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -11,6 +11,7 @@ PL_FILES => {}, PREREQ_PM => { 'Test::More' => 0, + 'Test::Exception' => 0, 'IO::Scalar' => 0 }, dist => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', },

==> debian/patches/cve-2010-4411.patch <==
Author: Mark Stosberg
Origin: http://github.com/markstos/CGI--Simple/commit/daff9ca164a7d88d68b6d4d729331e03e32d00dd
Origin: http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da
Subject: [CVE-2010-4411] Port latest header-injection refinement from CGI.pm
 See also http://www.openwall.com/lists/oss-security/2011/01/04/9
--- libcgi-simple-perl.orig/lib/CGI/Simple.pm
+++ libcgi-simple-perl/lib/CGI/Simple.pm
@@ -1007,7 +1007,7 @@ $header =~ s/$CRLF(\s)/$1/g; # All other uses of newlines are invalid input. - if ( $header =~ m/$CRLF/ ) { + if ($header =~ m/$CRLF|\015|\012/) { # shorten very long values in the diagnostic $header = substr( $header, 0, 72 ) . '...' if ( length $header > 72 );
--- libcgi-simple-perl.orig/t/headers.t
+++ libcgi-simple-perl/t/headers.t
@@ -76,3 +76,9 @@ 'redirect with leading newlines blows up' ); +{ + my $cgi = CGI::Simple->new('t=bogus%0A%0A'); + my $out; + eval { $out = $cgi->redirect( $cgi->param('t') ) }; + like($@,qr/contains a newline/, "redirect does not allow double-newline injection"); +}

==> debian/patches/no-shellwords-pl.patch <==
From: Dominic Hargreaves
Subject: Use Text::ParseWords instead of shellwords.pl
 The shellwords.pl library is deprecated and will be removed in a future
 version of perl. Text::ParseWords has been in core since 5.0.0 and it is
 used by shellwords.pl already.
 Adapted from
diff --git a/lib/CGI/Simple.pm b/lib/CGI/Simple.pm
index 230606f..85b02fb 100644
--- a/lib/CGI/Simple.pm
+++ b/lib/CGI/Simple.pm
@@ -1185,10 +1185,10 @@ sub read_from_cmdline { @words = @ARGV; } elsif ( $_[0]->{'.globals'}->{'DEBUG'} == 2 ) { - require "shellwords.pl"; + require Text::ParseWords; print "(offline mode: enter name=value pairs on standard input)\n"; chomp( my @lines = ); - @words = &shellwords( join " ", @lines ); + @words = &Text::ParseWords::old_shellwords( join " ", @lines ); } else { return '';

==> debian/control <==
Source: libcgi-simple-perl
Section: perl
Priority: optional
Build-Depends: debhelper (>= 7)
Build-Depends-Indep: perl, libwww-perl, libtest-pod-perl,
 libtest-pod-coverage-perl, libtest-exception-perl
Maintainer: Debian Perl Group
Uploaders: Jose Luis Rivas , gregor herrmann , Ansgar Burchardt ,
 Ryan Niebur , Niko Tyni , Dominic Hargreaves
Standards-Version: 3.9.2
Homepage: http://search.cpan.org/dist/CGI-Simple/
Vcs-Git: git://git.debian.org/pkg-perl/packages/libcgi-simple-perl.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libcgi-simple-perl.git

Package: libcgi-simple-perl
Architecture: all
Depends: ${perl:Depends}, ${misc:Depends}
Description: simple CGI.pm compatible OO CGI interface
 CGI::Simple provides a relatively lightweight drop in replacement for CGI.pm.
 It shares an identical OO interface to CGI.pm for parameter parsing, file
 upload, cookie handling and header generation. This module is entirely object
 oriented, however a complete functional interface is available by using the
 CGI::Simple::Standard module.
 .
 Essentially everything in CGI.pm that relates to the CGI (not HTML) side of
 things is available. There are even a few new methods and additions to old
 ones! If you are interested in what has gone on under the hood see the
 "Compatibility with CGI.pm" section in CGI::Simple(3pm).
 .
 In practical testing this module loads and runs about twice as fast as CGI.pm
 depending on the precise task.
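Review bot: In debian/patches/cve-2010-4410.patch the Description promises a behaviour change ("Always check for CRLF in supplied header values ... Die if CRLF is followed by non-whitespace character"), but the two hunks only add the regression test t/120.header-crlf.t and a Test::Exception prerequisite; no lib/CGI/Simple.pm change is in this patch, which matches the changelog's note that the 1.113 upstream release already contains the fix, so the Description should say it adds the test for the upstream fix. In the Makefile.PL hunk, `+ 'Test::Exception' => 0,` lands in PREREQ_PM, which declares a runtime prerequisite for a module the test suite alone uses; BUILD_REQUIRES (or TEST_REQUIRES with newer ExtUtils::MakeMaker) describes it accurately, and the Debian side already carries it as libtest-exception-perl in Build-Depends-Indep.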
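Review bot: The Simple.pm hunk in debian/patches/cve-2010-4411.patch widens the rejection from `m/$CRLF/` to `m/$CRLF|\015|\012/`, but the fold step right above it, `$header =~ s/$CRLF(\s)/$1/g;`, still folds only a full CRLF pair, so a lone CR or LF followed by whitespace is now rejected rather than folded, and the diagnostic "contains a newline not followed by whitespace" also fires for a lone CR with no newline at all; both are fine for a hardening change but deserve a sentence in the patch description. The t/headers.t hunk wraps the call in eval and checks `like($@,qr/contains a newline/, ...)`, while the sibling cve-2010-4410.patch adds Test::Exception and uses throws_ok for the same kind of assertion; using throws_ok here too keeps the two tests consistent.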
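Review bot: In debian/patches/no-shellwords-pl.patch the replacement `&Text::ParseWords::old_shellwords( join " ", @lines )` calls the compatibility routine kept for former shellwords.pl users; Text::ParseWords::shellwords is the documented interface and the usual target of this migration, so either switch to it or state in the description that the old routine's exact behaviour is wanted for the DEBUG == 2 offline mode. The header also ends with "Adapted from" and nothing after it; fill in the source (an Origin: field per DEP3) so the provenance of the change is recorded.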
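As an added example following the cve-2010-4410 and cve-2010-4411 patches above (not code from the Debian package or from CGI::Simple), here is the header value check those patches describe as stand-alone Perl, with the incomplete CRLF-only test beside the hardened one, run over constructed inputs; the function and case names are this example's own.

```perl
# Added example, not part of libcgi-simple-perl: the header-value check from
# the CVE-2010-4410/CVE-2010-4411 patches as stand-alone functions, driven by
# constructed inputs. Function and case names are this example's own.
use strict;
use warnings;

my $CRLF = "\015\012";
my $MSG  = 'Invalid header value contains a newline not followed by whitespace: ';

# State after the CVE-2010-4410 fix: fold "CRLF + whitespace" continuations,
# then reject a remaining CRLF pair. A bare CR or LF passes straight through.
sub check_crlf_only {
    my ($value) = @_;
    $value =~ s/$CRLF(\s)/$1/g;
    die $MSG . $value . "\n" if $value =~ m/$CRLF/;
    return $value;
}

# CVE-2010-4411 refinement: any CR or LF left after folding is rejected too.
sub check_hardened {
    my ($value) = @_;
    $value =~ s/$CRLF(\s)/$1/g;
    die $MSG . $value . "\n" if $value =~ m/$CRLF|\015|\012/;
    return $value;
}

# Constructed inputs. The second is the URL-decoded form of the
# "t=bogus%0A%0A" query string from the patch's t/headers.t test.
my @cases = (
    [ 'CRLF + space (folded)', "test$CRLF part"      ],
    [ 'bare LF pair',          "bogus\012\012"       ],
    [ 'CRLF CRLF + space',     "test$CRLF$CRLF part" ],
    [ 'lone CR',               "test\015x"           ],
);

for my $case (@cases) {
    my ( $name, $value ) = @$case;
    for my $check ( [ 'crlf-only', \&check_crlf_only ],
                    [ 'hardened',  \&check_hardened  ] ) {
        my ( $label, $code ) = @$check;
        my $out = eval { $code->($value) };
        my $verdict = defined $out
            ? 'accepted as ' . show($out)
            : 'rejected: ' . ( split /:/, $@ )[0];
        printf "%-22s %-10s %s\n", $name, $label, $verdict;
    }
}

# Make control characters visible in the printed result.
sub show { my $s = shift; $s =~ s/\015/\\r/g; $s =~ s/\012/\\n/g; "\"$s\"" }
```

The bare-LF and lone-CR rows are the ones that separate the two checks: the CRLF-only version accepts them unchanged, the hardened version dies.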
==> debian/copyright <==
Format-Specification: http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?view=markup&pathrev=135
Maintainer: Andy Armstrong
Source: http://search.cpan.org/dist/CGI-Simple/
Name: CGI-Simple

Files: *
Copyright: 2007, Andy Armstrong
License: Artistic or GPL-1+

Files: lib/CGI/Simple/Util.pm
Copyright: 1995-1998, Lincoln D. Stein
 2001, Dr James Freeman
 2007, Andy Armstrong
License: Artistic or GPL-1+

Files: lib/CGI/Simple/Cookie.pm
Copyright: 1997-1998, Lincoln D. Stein
 2001, Dr James Freeman
 2007, Andy Armstrong
License: Artistic or GPL-1+

Files: lib/CGI/Simple.pm
Copyright: 2001, Dr James Freeman
 2007, Andy Armstrong
License-Alias: Perl
License: Artistic

Files: debian/*
Copyright: 2005, Christopher Sacca
 2007, Jose Luis Rivas
 2008, 2011, gregor herrmann
 2009, Ansgar Burchardt
 2009, Ryan Niebur
 2010, Damyan Ivanov
 2011, Niko Tyni
License: Artistic or GPL-1+

License: Artistic
 This program is free software; you can redistribute it and/or modify it under
 the terms of the Artistic License, which comes with Perl.
 .
 On Debian systems, the complete text of the Artistic License can be found in
 `/usr/share/common-licenses/Artistic'.

License: GPL-1+
 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
 Foundation; either version 1, or (at your option) any later version.
 .
 On Debian systems, the complete text of version 1 of the GNU General Public
 License can be found in `/usr/share/common-licenses/GPL-1'.