Your message dated Sat, 25 Oct 2014 00:20:35 +0000
with message-id <[email protected]>
and subject line Bug#766087: fixed in libcgi-formbuilder-perl 3.09-1
has caused the Debian Bug report #766087,
regarding libcgi-formbuilder-perl: please call CGI->param_fetch instead of CGI->param in array context
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
766087: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766087
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcgi-formbuilder-perl
Version: 3.08-2
Severity: normal
Tags: patch
X-Debbugs-Cc: Amitai Schlair <[email protected]>

CGI->param has the misfeature that it is context-sensitive, and in
particular can expand to more than one scalar in function calls.
This led to a security vulnerability in Bugzilla, and recent versions
of CGI.pm will warn when it is used in this way.

% REQUEST_METHOD=GET QUERY_STRING='a=1&a=2&b=3' \
  perl -Mstrict -Mwarnings -MCGI \
  -e 'my $q = new CGI; my $as = join ",", $q->param("a"); print "$as\n"'
CGI::param called in list context from package main line 1, this can lead to 
vulnerabilities. See the warning in "Fetching the value or values of a single 
named parameter" at /usr/share/perl5/CGI.pm line 436.
1,2

I have checked the CGI::FormBuilder code and I could not find any instances
of this being an actual vulnerability.

The attached patches 0004 to 0007 switch from list-context param('x')
to explicitly list-valued @{param_fetch('x')} to avoid these warnings.
Two of them are from Amitai Schlair via pkgsrc, two are additional
patches from me. They appear to be compatible with all CGI.pm versions
back to at least 2000.

The attached patch "Add-patches-from-pkgsrc-and-an-extra-similar-patch-t.patch"
alters the Debian packaging (based on the version in pkg-perl git) to add
those patches.

Please consider applying these and/or forwarding them upstream.

Thanks,
    S

-- System Information:
Debian Release: jessie/sid
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcgi-formbuilder-perl depends on:
ii  perl  5.20.1-2

Versions of packages libcgi-formbuilder-perl recommends:
ii  libhtml-parser-perl  3.71-1+b2

Versions of packages libcgi-formbuilder-perl suggests:
ii  libcgi-session-perl    4.48-1
pn  libcgi-ssi-perl        <none>
ii  libhtml-template-perl  2.95-1
pn  libtemplate-perl       <none>
ii  libtext-template-perl  1.46-1

-- no debconf information
From 1394d3e2bf9ef4c598801dda3548b91daa7bad68 Mon Sep 17 00:00:00 2001
From: Simon McVittie <[email protected]>
Date: Thu, 16 Oct 2014 10:43:30 +0100
Subject: [PATCH] Add patches from pkgsrc, and an extra similar patch, to avoid
 warnings about calling CGI->param in list context with recent CGI.pm

---
 debian/changelog                                   |  5 +++++
 ...nneeded-warning-from-CGI.pm-4.05-or-newer.patch | 22 ++++++++++++++++++++++
 ...nneeded-warning-from-CGI.pm-4.05-or-newer.patch | 22 ++++++++++++++++++++++
 ...-use-of-param-that-will-cause-a-warning-i.patch | 21 +++++++++++++++++++++
 ...t-cgi_param-is-context-sensitive-just-lik.patch | 21 +++++++++++++++++++++
 debian/patches/series                              |  4 ++++
 6 files changed, 95 insertions(+)
 create mode 100644 debian/patches/0004-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
 create mode 100644 debian/patches/0005-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
 create mode 100644 debian/patches/0006-Fix-another-use-of-param-that-will-cause-a-warning-i.patch
 create mode 100644 debian/patches/0007-Comment-that-cgi_param-is-context-sensitive-just-lik.patch

diff --git a/debian/changelog b/debian/changelog
index 0603795..94d3fd4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,12 @@
 libcgi-formbuilder-perl (3.08-3) UNRELEASED; urgency=medium
 
+  [ Salvatore Bonaccorso ]
   * Update Vcs-Browser URL to cgit web frontend
 
+  [ Simon McVittie ]
+  * Add patches from pkgsrc, and an extra similar patch, to avoid warnings
+    about calling CGI->param in list context with recent CGI.pm
+
  -- Salvatore Bonaccorso <[email protected]>  Sat, 16 Aug 2014 09:30:14 +0200
 
 libcgi-formbuilder-perl (3.08-2) unstable; urgency=low
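Review bot: the new changelog bullet does not reference the bug it resolves; append `(Closes: #766087)` to the `Add patches from pkgsrc` entry so the upload closes Bug#766087 automatically instead of needing a manual close after the fact.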
diff --git a/debian/patches/0004-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch b/debian/patches/0004-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
new file mode 100644
index 0000000..3b0b3ca
--- /dev/null
+++ b/debian/patches/0004-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
@@ -0,0 +1,22 @@
+From: Amitai Schlair <[email protected]>
+Date: Thu, 16 Oct 2014 10:33:57 +0100
+Subject: Avoid unneeded warning from CGI.pm 4.05 or newer
+
+Origin: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/p5-CGI-FormBuilder/patches/patch-lib_CGI_FormBuilder.pm?rev=1.1&content-type=text/plain
+---
+ lib/CGI/FormBuilder.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/CGI/FormBuilder.pm b/lib/CGI/FormBuilder.pm
+index e8fc358..1ac861e 100644
+--- a/lib/CGI/FormBuilder.pm
++++ b/lib/CGI/FormBuilder.pm
+@@ -855,7 +855,7 @@ sub keepextras {
+ 
+     # Make sure to get all values
+     for my $p (@keep) {
+-        for my $v ($self->{params}->param($p)) {
++        for my $v (@{$self->{params}->param_fetch($p)}) {
+             debug 1, "keepextras: saving hidden param $p = $v";
+             push @html, htmltag('input', name => $p, type => 'hidden', value => $v);
+         }
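Review bot: the replacement relies on `$self->{params}` implementing `param_fetch`, and the cover letter only verified compatibility across CGI.pm versions; if FormBuilder accepts any other request object for `params`, that object needs the same method or this loop dies where the old `param($p)` call worked, so a one-line check or a note in the patch header is warranted. Otherwise `@{$self->{params}->param_fetch($p)}` keeps the existing all-values iteration, and the `keepextras` hidden fields come out unchanged.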
diff --git a/debian/patches/0005-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch b/debian/patches/0005-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
new file mode 100644
index 0000000..81cfaa9
--- /dev/null
+++ b/debian/patches/0005-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
@@ -0,0 +1,22 @@
+From: Amitai Schlair <[email protected]>
+Date: Thu, 16 Oct 2014 10:34:45 +0100
+Subject: Avoid unneeded warning from CGI.pm 4.05 or newer
+
+Origin: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/p5-CGI-FormBuilder/patches/patch-lib_CGI_FormBuilder_Field.pm?rev=1.1&content-type=text/plain
+---
+ lib/CGI/FormBuilder/Field.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/CGI/FormBuilder/Field.pm b/lib/CGI/FormBuilder/Field.pm
+index 67bbcee..fa08e25 100644
+--- a/lib/CGI/FormBuilder/Field.pm
++++ b/lib/CGI/FormBuilder/Field.pm
+@@ -189,7 +189,7 @@ sub cgi_value {
+     my $self = shift;
+     debug 2, "$self->{name}: called \$field->cgi_value";
+     puke "Cannot set \$field->cgi_value manually" if @_;
+-    if (my @v = $self->{_form}{params}->param($self->name)) {
++    if (my @v = @{$self->{_form}{params}->param_fetch($self->name)}) {
+         for my $v (@v) {
+             if ($self->other && $v eq $self->othername) {
+                 debug 1, "$self->{name}: redoing value from _other field";
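Review bot: the Subject line is identical to 0004's (`Avoid unneeded warning from CGI.pm 4.05 or newer`), so neither `git log` nor the `series` file shows that this one touches `Field.pm` and the other `FormBuilder.pm`; name the file in the Subject. The code change itself is sound: `my @v = ...` already asked for every value, so `@{$self->{_form}{params}->param_fetch($self->name)}` keeps the `if` test and the loop over `@v` behaving as before while making the multi-value intent explicit.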
diff --git a/debian/patches/0006-Fix-another-use-of-param-that-will-cause-a-warning-i.patch b/debian/patches/0006-Fix-another-use-of-param-that-will-cause-a-warning-i.patch
new file mode 100644
index 0000000..44c3533
--- /dev/null
+++ b/debian/patches/0006-Fix-another-use-of-param-that-will-cause-a-warning-i.patch
@@ -0,0 +1,21 @@
+From: Simon McVittie <[email protected]>
+Date: Thu, 16 Oct 2014 10:39:16 +0100
+Subject: Fix another use of param that will cause a warning in recent CGI.pm
+
+---
+ lib/CGI/FormBuilder/Multi.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/CGI/FormBuilder/Multi.pm b/lib/CGI/FormBuilder/Multi.pm
+index bdc9f45..215f68f 100644
+--- a/lib/CGI/FormBuilder/Multi.pm
++++ b/lib/CGI/FormBuilder/Multi.pm
+@@ -218,7 +218,7 @@ sub navbar {
+         }
+         for my $k (@{$self->{keepextras}}) {
+             next if $k eq $pnam;
+-            for my $v ($self->{params}->param($k)) {
++            for my $v (@{$self->{params}->param_fetch($k)}) {
+                 push @keep, { name => $k, value => $v };
+             }
+         }
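Review bot: unlike 0004 and 0005, this patch header carries no `Origin:` and no DEP-3 `Bug-Debian:` or `Forwarded:` field; since the cover letter asks for the patches to be forwarded upstream, add `Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766087` and `Forwarded: no` (replaced by the upstream URL once sent) so the forwarding status is tracked. The hunk mirrors 0004: the `navbar` loop already iterated every value of `$k`, and `@{$self->{params}->param_fetch($k)}` preserves that.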
diff --git a/debian/patches/0007-Comment-that-cgi_param-is-context-sensitive-just-lik.patch b/debian/patches/0007-Comment-that-cgi_param-is-context-sensitive-just-lik.patch
new file mode 100644
index 0000000..184affd
--- /dev/null
+++ b/debian/patches/0007-Comment-that-cgi_param-is-context-sensitive-just-lik.patch
@@ -0,0 +1,21 @@
+From: Simon McVittie <[email protected]>
+Date: Thu, 16 Oct 2014 10:40:29 +0100
+Subject: Comment that cgi_param is context-sensitive just like param
+
+---
+ lib/CGI/FormBuilder.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/CGI/FormBuilder.pm b/lib/CGI/FormBuilder.pm
+index 1ac861e..ad322c3 100644
+--- a/lib/CGI/FormBuilder.pm
++++ b/lib/CGI/FormBuilder.pm
+@@ -1175,6 +1175,8 @@ sub required_tag {
+ 
+ sub cgi_param {
+     my $self = shift;
++    # This returns a scalar or a list, depending on context, like CGI.pm.
++    # For best results, don't call it with a parameter in list context.
+     $self->{params}->param(@_);
+ }
+ 
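Review bot: the added comment says what callers should avoid but not what to do instead; since `cgi_param` is the public wrapper, state the alternatives in the comment: `scalar $form->cgi_param('x')` when one value is wanted, and `@{ $form->{params}->param_fetch('x') }` (the spelling patches 0004 to 0006 use internally) when all values are wanted. It is also worth saying that a list-context caller of `cgi_param` will trigger the CGI.pm 4.05 warning through this wrapper, since `$self->{params}->param(@_)` inherits the caller's context.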
diff --git a/debian/patches/series b/debian/patches/series
index 7636b8e..ae55f21 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,7 @@
 perl5.18-hashes.patch
 pod-encoding.patch
 pod-spelling.patch
+0004-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
+0005-Avoid-unneeded-warning-from-CGI.pm-4.05-or-newer.patch
+0006-Fix-another-use-of-param-that-will-cause-a-warning-i.patch
+0007-Comment-that-cgi_param-is-context-sensitive-just-lik.patch
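Review bot: the four new entries use a numbered `NNNN-` prefix while the three existing patches have unnumbered descriptive names; pick one convention for the series (either drop the `git format-patch` numbers from the new files or renumber the old ones), and note that `0004-...` and `0005-...` differ only in their number, which gives a reader of this file no way to tell them apart.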
-- 
2.1.1

From: Amitai Schlair <[email protected]>
Date: Thu, 16 Oct 2014 10:33:57 +0100
Subject: Avoid unneeded warning from CGI.pm 4.05 or newer

Origin: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/p5-CGI-FormBuilder/patches/patch-lib_CGI_FormBuilder.pm?rev=1.1&content-type=text/plain
---
 lib/CGI/FormBuilder.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/CGI/FormBuilder.pm b/lib/CGI/FormBuilder.pm
index e8fc358..1ac861e 100644
--- a/lib/CGI/FormBuilder.pm
+++ b/lib/CGI/FormBuilder.pm
@@ -855,7 +855,7 @@ sub keepextras {
 
     # Make sure to get all values
     for my $p (@keep) {
-        for my $v ($self->{params}->param($p)) {
+        for my $v (@{$self->{params}->param_fetch($p)}) {
             debug 1, "keepextras: saving hidden param $p = $v";
             push @html, htmltag('input', name => $p, type => 'hidden', value => $v);
         }
From: Amitai Schlair <[email protected]>
Date: Thu, 16 Oct 2014 10:34:45 +0100
Subject: Avoid unneeded warning from CGI.pm 4.05 or newer

Origin: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/p5-CGI-FormBuilder/patches/patch-lib_CGI_FormBuilder_Field.pm?rev=1.1&content-type=text/plain
---
 lib/CGI/FormBuilder/Field.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/CGI/FormBuilder/Field.pm b/lib/CGI/FormBuilder/Field.pm
index 67bbcee..fa08e25 100644
--- a/lib/CGI/FormBuilder/Field.pm
+++ b/lib/CGI/FormBuilder/Field.pm
@@ -189,7 +189,7 @@ sub cgi_value {
     my $self = shift;
     debug 2, "$self->{name}: called \$field->cgi_value";
     puke "Cannot set \$field->cgi_value manually" if @_;
-    if (my @v = $self->{_form}{params}->param($self->name)) {
+    if (my @v = @{$self->{_form}{params}->param_fetch($self->name)}) {
         for my $v (@v) {
             if ($self->other && $v eq $self->othername) {
                 debug 1, "$self->{name}: redoing value from _other field";
From: Simon McVittie <[email protected]>
Date: Thu, 16 Oct 2014 10:39:16 +0100
Subject: Fix another use of param that will cause a warning in recent CGI.pm

---
 lib/CGI/FormBuilder/Multi.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/CGI/FormBuilder/Multi.pm b/lib/CGI/FormBuilder/Multi.pm
index bdc9f45..215f68f 100644
--- a/lib/CGI/FormBuilder/Multi.pm
+++ b/lib/CGI/FormBuilder/Multi.pm
@@ -218,7 +218,7 @@ sub navbar {
         }
         for my $k (@{$self->{keepextras}}) {
             next if $k eq $pnam;
-            for my $v ($self->{params}->param($k)) {
+            for my $v (@{$self->{params}->param_fetch($k)}) {
                 push @keep, { name => $k, value => $v };
             }
         }
From: Simon McVittie <[email protected]>
Date: Thu, 16 Oct 2014 10:40:29 +0100
Subject: Comment that cgi_param is context-sensitive just like param

---
 lib/CGI/FormBuilder.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/CGI/FormBuilder.pm b/lib/CGI/FormBuilder.pm
index 1ac861e..ad322c3 100644
--- a/lib/CGI/FormBuilder.pm
+++ b/lib/CGI/FormBuilder.pm
@@ -1175,6 +1175,8 @@ sub required_tag {
 
 sub cgi_param {
     my $self = shift;
+    # This returns a scalar or a list, depending on context, like CGI.pm.
+    # For best results, don't call it with a parameter in list context.
     $self->{params}->param(@_);
 }
 



--- End Message ---
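The hash-shifting behaviour the report alludes to (the Bugzilla case) beside the two safe spellings, as an added example that is not code from the report or from CGI::FormBuilder; it assumes CGI.pm is installed and constructs its own query string, so it runs offline:

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from CGI::FormBuilder.
# Assumes CGI.pm is installed (it is no longer part of the Perl core).
use strict;
use warnings;
use CGI;

# Constructed request: the client sent "role" twice, which a form that
# expects a single value never anticipated.
my $q = CGI->new('user=alice&role=guest&role=admin');

# UNSAFE: a hash initialiser is list context, so param('role') expands to
# both submitted values and every later key/value pair shifts by one slot:
# the second role value becomes a hash key and 'quiet' becomes its value.
# CGI.pm 4.05+ warns about the list-context call; Perl warns about the odd
# element count.
sub unsafe_args {
    my ($q) = @_;
    my %args = (
        user  => $q->param('user'),
        role  => $q->param('role'),   # expands to every submitted value
        quiet => 0,
    );
    return \%args;
}

# SAFE for a single value: force scalar context, so only the first value
# is used and the key/value pairing cannot shift.
sub safe_args {
    my ($q) = @_;
    my %args = (
        user  => scalar $q->param('user'),
        role  => scalar $q->param('role'),
        quiet => 0,
    );
    return \%args;
}

# SAFE when all values are wanted: param_fetch returns an array reference,
# which reads the same in any context. This is the spelling the patches use.
sub all_roles {
    my ($q) = @_;
    return @{ $q->param_fetch('role') };
}

my $bad  = unsafe_args($q);
my $good = safe_args($q);
printf "unsafe keys: %s\n", join ',', sort keys %$bad;
printf "unsafe role: %s, quiet: %s\n", $bad->{role},  $bad->{quiet} // 'missing';
printf "safe   role: %s, quiet: %s\n", $good->{role}, $good->{quiet};
printf "all roles  : %s\n", join ',', all_roles($q);
```

Run it with a CGI.pm of 4.05 or newer to see the same list-context warning the report quotes, emitted from inside unsafe_args only.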
--- Begin Message ---
Source: libcgi-formbuilder-perl
Source-Version: 3.09-1

We believe that the bug you reported is fixed in the latest version of
libcgi-formbuilder-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated libcgi-formbuilder-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 25 Oct 2014 02:04:39 +0200
Source: libcgi-formbuilder-perl
Binary: libcgi-formbuilder-perl
Architecture: source all
Version: 3.09-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Description:
 libcgi-formbuilder-perl - Easily generate and process stateful CGI forms
Closes: 766087
Changes:
 libcgi-formbuilder-perl (3.09-1) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-Browser URL to use cgit web frontend.
 .
   [ Simon McVittie ]
   * Add patches from pkgsrc, and an extra similar patch, to avoid
     warnings about calling CGI->param in list context with recent CGI.pm
     Closes: bug#766087.
 .
   [ Jonas Smedegaard ]
   * Declare compliance with Debian Policy 3.9.6.
   * Bump debhelper compatibility to 8: Needed debhelper satisfied even
     in oldstable.
   * Update github part of watch file.
   * Stop track checksum of upstream tarball.
   * Drop patch fixing test failures with perl5.18: Applied upstream.
   * Refresh patches with shortening quilt options.
   * Relax to build-depend unversioned on cdbs: Needed version satisfied
     even in oldstable.


--- End Message ---
