f357856448
Calling CGI::FormBuilder::field with a name argument in list context returns
zero or more user-specified values of the named field, even if that field
was not declared as supporting multiple values. Passing the result of
field as a function parameter counts as list context. This is the same bad
behaviour that is now discouraged for CGI::param.

In this case we pass the multiple values to CGI::Session::param. That
accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name' field,
for example name=a&name=b&name=c, we end up in one of the undocumented
calling conventions for param:

    # equivalent to: (name => 'a', b => 'c')
    $session->param('name', 'a', 'b', 'c')

and the 'b' session parameter is unexpectedly set to an attacker-specified
value.

In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out for
"bob" but the CGI::Session ends up containing {name => 'alice'}, an
authentication bypass vulnerability.

This vulnerability is tracked as OVE-20170111-0001.

(cherry picked from commit e909eb93f4530a175d622360a8433e833ecf0254)
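The list-context hazard described in the commit message, as an added example that is neither ikiwiki's nor CGI::Session's code. `ToySession`, `field`, `parse_query` and `single_field` are stand-ins constructed for this illustration; the toy `param` models only the even-count name/value convention the message mentions and deliberately refuses odd counts, which is an assumption about a simplified model, not a description of the real module.

```perl
#!/usr/bin/perl
# Added example, not ikiwiki or CGI::Session code: a toy session store and a
# toy form accessor reproduce the list-context hazard from the commit message.
use strict;
use warnings;

# Toy model (assumption) of the hash-style convention of CGI::Session::param:
# an even number of arguments is read as (name => value, name => value, ...).
package ToySession;

sub new { return bless { _DATA => {} }, shift }

sub param {
    my ($self, @args) = @_;
    return keys %{ $self->{_DATA} } if !@args;            # param()       -> all names
    return $self->{_DATA}{ $args[0] } if @args == 1;     # param('name') -> getter
    die "param: odd argument count (@args)\n" if @args % 2;   # model: refuse the ambiguous form
    my %pairs = @args;                                   # ('name','a','b','c') -> (name=>'a', b=>'c')
    $self->{_DATA}{$_} = $pairs{$_} for keys %pairs;
    return $self->{_DATA}{ $args[0] };
}

package main;

# Toy model of CGI::FormBuilder::field (and the old CGI::param): every
# submitted value in list context, only the first in scalar context.
sub field {
    my ($form, $name) = @_;
    my @values = @{ $form->{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Minimal query-string parser written for this example; it keeps repeated
# fields in submission order, which is what makes the attack possible.
sub parse_query {
    my ($qs) = @_;
    my %form;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) {
            next unless defined;
            s/\+/ /g;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        push @{ $form{$k} }, defined $v ? $v : '';
    }
    return \%form;
}

# Hardened accessor: reject a field that arrived more than once, otherwise
# hand back exactly one scalar so it can never expand into extra pairs.
sub single_field {
    my ($form, $name) = @_;
    my @values = field($form, $name);
    die "field '$name' was submitted " . @values . " times\n" if @values > 1;
    return $values[0];
}

# Constructed request: the attacker case from the commit message.
my $form = parse_query('name=bob&name=name&name=alice');

# Vulnerable pattern: field() sits in a function-argument list, i.e. list
# context, so the store sees param('name', 'bob', 'name', 'alice').
my $vuln = ToySession->new;
$vuln->param('name', field($form, 'name'));
printf "vulnerable:   authenticated as %s, session name = %s\n",
    scalar field($form, 'name'), $vuln->param('name');

# Hardened pattern 1: scalar() forces a single value whatever was submitted.
my $safe = ToySession->new;
$safe->param('name', scalar field($form, 'name'));
printf "scalar():     session name = %s\n", $safe->param('name');

# Hardened pattern 2: refuse the request outright when the field is repeated.
my $strict = ToySession->new;
eval { $strict->param('name', single_field($form, 'name')); 1 }
    or print "single_field: $@";
```

Run as `perl example.pl`. In the vulnerable store the later pair wins, so the session records the attacker's chosen name while the login check saw the first value, which is exactly the mismatch the commit message describes. Wrapping the accessor in `scalar` is the general mitigation for any `param`-style setter fed from a multi-valued field; rejecting duplicated fields, as `single_field` does, is the stricter choice when a field is never legitimately repeated.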
Bundle
IkiWiki
cpan
debian
doc
icons
plugins
po
t
templates
themes
underlays
.gitattributes
.gitignore
.perlcriticrc
CHANGELOG
IkiWiki.pm
Makefile.PL
NEWS
README
auto-blog.setup
auto.setup
docwiki.setup
gitremotes
ikiwiki-calendar.in
ikiwiki-comment.in
ikiwiki-makerepo
ikiwiki-mass-rebuild
ikiwiki-transition.in
ikiwiki-update-wikilist
ikiwiki-w3m.cgi
ikiwiki.in
ikiwiki.spec
mdwn2man
pm_filter
wikilist
README
Use ./Makefile.PL to generate a Makefile, "make" will build the
documentation wiki and a man page, and "make install" will install ikiwiki.

All other documentation is in the ikiwiki documentation wiki, which is also
available online at <http://ikiwiki.info/>

A few special variables you can set while using the Makefile.PL:

PROFILE=1 turns on profiling for the build of the doc wiki.
(Uses Devel::NYTProf)

NOTAINT=0 turns on the taint flag in the ikiwiki program. (Not recommended
unless your perl is less buggy than mine -- see http://bugs.debian.org/411786)

MAKE, FIND, and SED can be used to specify where you have the GNU versions
of those tools installed, if the normal make, find, and sed are not GNU.

There are also other variables supported by MakeMaker, including PREFIX,
INSTALL_BASE, and DESTDIR. See ExtUtils::MakeMaker(3). In particular,
INSTALL_BASE is very useful if you want to install ikiwiki to some other
location, as it configures it to see the perl libraries there. See
`doc/tips/nearlyfreespeech.mdwn` for an example of using this to install
ikiwiki and its dependencies in a home directory.