Re: Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file
- To: Dominic Hargreaves <dom@earth.li>, 810799@bugs.debian.org
- Cc: team@security.debian.org, Chris Boot <crb@tiger-computing.co.uk>, 810887@bugs.debian.org, debian-perl@lists.debian.org
- Subject: Re: Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file
- From: Niko Tyni <ntyni@debian.org>
- Date: Fri, 15 Jan 2016 00:02:00 +0200
- Message-id: <20160114220200.GA14488@estella.local.invalid>
- Mail-followup-to: Dominic Hargreaves <dom@earth.li>, 810799@bugs.debian.org, team@security.debian.org, Chris Boot <crb@tiger-computing.co.uk>, 810887@bugs.debian.org, debian-perl@lists.debian.org
- In-reply-to: <20160112223737.GA14257@estella.local.invalid>
- References: <5694F17A.4090901@tiger-computing.co.uk> <5694F77B.4070304@tiger-computing.co.uk> <20160112133851.GI6657@urchin.earth.li> <20160112223737.GA14257@estella.local.invalid>
On Wed, Jan 13, 2016 at 12:37:37AM +0200, Niko Tyni wrote:
> On Tue, Jan 12, 2016 at 01:38:51PM +0000, Dominic Hargreaves wrote:
> > On Tue, Jan 12, 2016 at 12:54:19PM +0000, Chris Boot wrote:
> > > > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
>
> > > > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > > > installation of TWiki (http://twiki.org/) no longer functions. This
> > > > happens due to CGI::Session::Driver::file complaining about taint.
[...]
> This suggests that the right place to untaint the data would be in the
> CGI::Session::Driver::*::retrieve() functions, or (more easily) centrally
> in CGI::Session::load(). Comments on the attached alternative patch?
Last call for comments: the deadline for the next jessie point release
is rather near, so I'll upload this to sid on Friday unless someone
beats me to it. A jessie-pu upload on Saturday will hopefully make it in
(see Adam's comment in #810887).
Patch re-attached for convenience.
--
Niko Tyni ntyni@debian.org
From bd47fa4892ac910b0f7fc0466d4e2699abdb6d94 Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Tue, 12 Jan 2016 23:40:53 +0200
Subject: [PATCH] Untaint raw data coming from session storage backends
The various storage backends need to be considered trusted,
so data coming out of them should be untainted.
The _CLAIMED_ID comes from an HTTP cookie and is probably tainted,
but presumably it's OK if it matched some data in the storage.
Bug: https://rt.cpan.org/Public/Bug/Display.html?id=80346
Bug-Debian: https://bugs.debian.org/810799
---
lib/CGI/Session.pm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/CGI/Session.pm b/lib/CGI/Session.pm
index 2788b04..6460d4d 100644
--- a/lib/CGI/Session.pm
+++ b/lib/CGI/Session.pm
@@ -724,6 +724,10 @@ sub load {
# Requested session couldn't be retrieved
return $self unless $raw_data;
+ # untaint; we trust the session backend,
+ # and presumably _CLAIMED_ID too at this point
+ $raw_data =~ /^(.*)$/s and $raw_data = $1;
+
my $serializer = $self->_serializer();
$self->{_DATA} = $serializer->thaw($raw_data);
unless ( defined $self->{_DATA} ) {
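Review bot: the untaint `$raw_data =~ /^(.*)$/s and $raw_data = $1;` can never fail to match (with /s, `.*` covers any string, newlines included), so the `and` guard is effectively unconditional and the comment should say this is a deliberate blanket launder rather than a validation. It also extends trust to every storage backend at once; placing the untaint in each driver's retrieve() (the alternative raised earlier in the thread) would let a driver whose storage is not fully trusted keep its data tainted. The empty-data case is already covered by the `return $self unless $raw_data;` guard above, which is worth noting in the comment.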
--
2.6.4
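To show what the patch is working around, here is an added stand-alone demonstration (not code from the thread or from CGI::Session) of how file input becomes tainted under perl -T and how the same `/^(.*)$/s` launder as in the patch clears it; the session blob and the `untaint_from_storage` helper are constructed for this example.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Scalar::Util qw(tainted);

# Constructed stand-in for the serialized blob a CGI::Session driver
# hands back from retrieve(); the real format depends on the serializer.
my $session_blob = "\$D = {'_SESSION_ID' => 'deadbeef','user' => 'alice'};\n";

# Round-trip through a temporary file so the data is read from a file
# handle, which is exactly how the file driver obtains it. Under -T,
# everything read from a file handle is tainted.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $session_blob;
close $fh;

open my $in, '<', $path or die "open $path: $!";
my $raw_data = do { local $/; <$in> };
close $in;

printf "tainted before untaint: %s\n", tainted($raw_data) ? 'yes' : 'no';

# The same blanket untaint the patch applies in CGI::Session::load():
# /^(.*)$/s matches any string, so $1 is the whole value, now untainted.
# This is a trust decision about the backend, not a validation of content.
sub untaint_from_storage {
    my ($data) = @_;
    $data =~ /^(.*)$/s and $data = $1;
    return $data;
}

my $clean = untaint_from_storage($raw_data);
printf "tainted after untaint:  %s\n", tainted($clean) ? 'yes' : 'no';
die "untaint altered the data" unless $clean eq $session_blob;
```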