From nobody@FreeBSD.org  Thu Apr 10 18:09:58 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7255C106567A
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 10 Apr 2008 18:09:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5F9D88FC39
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 10 Apr 2008 18:09:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m3AI9bZK083361
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 10 Apr 2008 18:09:37 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m3AI9brm083360;
	Thu, 10 Apr 2008 18:09:37 GMT
	(envelope-from nobody)
Message-Id: <200804101809.m3AI9brm083360@www.freebsd.org>
Date: Thu, 10 Apr 2008 18:09:37 GMT
From: Fred Cox <sailorfred@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: port www/p5-CGI.pm: CGI->pathinfo unsafely uses URI in regular expression, allowing easy crashes
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         122632
>Category:       ports
>Synopsis:       port www/p5-CGI.pm: CGI->pathinfo unsafely uses URI in regular expression, allowing easy crashes
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    tobez
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 10 18:20:00 UTC 2008
>Closed-Date:    Mon Nov 24 14:40:54 CET 2008
>Last-Modified:  Mon Nov 24 14:40:54 CET 2008
>Originator:     Fred Cox
>Release:        6.2
>Organization:
vLane.com
>Environment:
FreeBSD ut.vlane.com 6.2-RELEASE-p8 FreeBSD 6.2-RELEASE-p8 #1: Mon Nov  5 01:48:40 UTC 2007     root@ut.vlane.com:/usr/obj/usr/src/sys/MOTO  amd64
>Description:
If a CGI/CGI::Fast program calls CGI->pathinfo, and the URL contains an illegal sequence for a regular expression, it dies with an error similar to:

Nested quantifiers in regex; marked by <-- HERE in m//articleVote/13Y(134)aNDTLAK61A++ <-- HERE kVBhneW6yw|2000.-.BMW.-.Z8.-.http-3a-2f-2fwww-2enadaguides-2ecom-2fdefault-2easpx-3fLI-3d1-2d22-2d1-2d5006-2d0-2d0-2d0-26l-3d1-26w-3d22-26p-3d1-26f-3d5012-26m-3d1026-26c-3d7-26da-3d-2d1-26y-3d2000-26da-2d1$/ at (eval 1582) line 7.

Note that the attached patch does not clean up all instances of the usage of untrustworthy data in regular expressions.  I only fixed the part that was crashing for me.

>How-To-Repeat:
Write a CGI that uses CGI->pathinfo, and feed it a URL that includes ++ or something else that won't work within a regular expression.
>Fix:
Rewrite section of code to use substr instead of regular expression.

See patch.

Patch attached with submission follows:

*** CGI.pm.orig	Mon Dec 17 17:05:39 2007
--- CGI.pm	Thu Apr 10 10:50:24 2008
***************
*** 2766,2777 ****
     my $self = shift;
     my $raw_script_name = $ENV{SCRIPT_NAME} || '';
     my $raw_path_info   = $ENV{PATH_INFO}   || '';
     my $uri             = $ENV{REQUEST_URI} || '';
  
!    if ($raw_script_name =~ m/$raw_path_info$/) {
!      $raw_script_name =~ s/$raw_path_info$//;
     }
  
     my @uri_double_slashes  = $uri =~ m^(/{2,}?)^g;
     my @path_double_slashes = "$raw_script_name $raw_path_info" =~ m^(/{2,}?)^g;
  
--- 2766,2780 ----
     my $self = shift;
     my $raw_script_name = $ENV{SCRIPT_NAME} || '';
     my $raw_path_info   = $ENV{PATH_INFO}   || '';
     my $uri             = $ENV{REQUEST_URI} || '';
  
!    # trim the pathinfo from the script name
!    my $raw_path_info_len = length $raw_path_info;
! 
!    if ( substr( $raw_script_name, -$raw_path_info_len ) eq $raw_path_info ) {
!       $raw_script_name = substr( $raw_script_name, 0, -$raw_path_info_len );
     }
  
     my @uri_double_slashes  = $uri =~ m^(/{2,}?)^g;
     my @path_double_slashes = "$raw_script_name $raw_path_info" =~ m^(/{2,}?)^g;
  
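Review bot: `substr( $raw_script_name, -$raw_path_info_len )` in the replacement block emits "substr outside of string" and returns undef when PATH_INFO is longer than SCRIPT_NAME, so under `use warnings` a malformed request still produces noise (though no longer a die); guard the comparison with a length check such as `if ( $raw_path_info_len <= length $raw_script_name && substr( $raw_script_name, -$raw_path_info_len ) eq $raw_path_info )`. The change itself is sound: the old `m/$raw_script_name =~ m/$raw_path_info$/` compiled attacker-controlled PATH_INFO as a pattern, and the one-line alternative `s/\Q$raw_path_info\E$//` would stop the crash but still feeds request data into the regex engine, so the substr form is the better fix. A short comment saying why substr is used instead of a regex would help the next reader, since the "trim the pathinfo" comment describes only what the block does.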


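The crash described above, and the two ways of avoiding it, side by side. This is an added illustration written for this page, not code from CGI.pm or from the submitter's patch; the function names `strip_unsafe`, `strip_quotemeta` and `strip_substr` and the SCRIPT_NAME/PATH_INFO values are constructed. The length guard in `strip_substr` goes beyond the PR's patch, which has no such check. Note that on Perl 5.10 and later `A++` is a valid possessive quantifier, so a bare `++` no longer triggers the error the report shows on 5.8; `+++` fails on every Perl version, which is why the sample uses it.

```perl
#!/usr/bin/perl
# Added example: interpolating PATH_INFO into a regex vs. two safe alternatives.
use strict;
use warnings;

# Constructed request data (assumption, not from a real server). The "+++"
# in PATH_INFO is a nested quantifier, illegal in any Perl version.
my $script_name = '/cgi-bin/vote.cgi/articleVote/13Y(134)aNDTLAK61A+++kVBhneW6yw';
my $path_info   = '/articleVote/13Y(134)aNDTLAK61A+++kVBhneW6yw';

# Before: PATH_INFO is interpolated as a pattern. Perl compiles the
# attacker-controlled text as a regex and dies with "Nested quantifiers".
sub strip_unsafe {
    my ($sn, $pi) = @_;
    $sn =~ s/$pi$//;
    return $sn;
}

# Fix 1: \Q...\E (quotemeta) makes the interpolated text literal. No crash,
# but request data still goes through the regex engine.
sub strip_quotemeta {
    my ($sn, $pi) = @_;
    $sn =~ s/\Q$pi\E$//;
    return $sn;
}

# Fix 2: the PR's approach, no regex at all, plus a length guard so that a
# PATH_INFO longer than SCRIPT_NAME does not trigger the
# "substr outside of string" warning (that guard is not in the PR's patch).
sub strip_substr {
    my ($sn, $pi) = @_;
    my $len = length $pi;
    return $sn if $len == 0 || $len > length $sn;
    if (substr($sn, -$len) eq $pi) {
        $sn = substr($sn, 0, -$len);
    }
    return $sn;
}

my $got = eval { strip_unsafe($script_name, $path_info) };
print 'unsafe:    ', (defined $got ? "$got\n" : "died: $@");
print 'quotemeta: ', strip_quotemeta($script_name, $path_info), "\n";
print 'substr:    ', strip_substr($script_name, $path_info), "\n";

# A PATH_INFO longer than SCRIPT_NAME leaves SCRIPT_NAME untouched, silently.
print 'guarded:   ', strip_substr('/cgi-bin/vote.cgi', '/a/much/longer/path/info'), "\n";
```

Run with `perl strip.pl`: the first line reports the die from the regex compiler, while both fixes print `/cgi-bin/vote.cgi`, and the last line prints `/cgi-bin/vote.cgi` without a warning.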
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->tobez 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu Apr 10 18:20:10 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122632 
State-Changed-From-To: open->feedback 
State-Changed-By: tobez 
State-Changed-When: Thu Apr 10 20:40:04 CEST 2008 
State-Changed-Why:  
Normally, we prefer submitter to send patches and bugfixes that are not 
specific to FreeBSD directly "upstream" to the software authors; after 
such fixes are incorporated into the next release of the software, they 
will be included in FreeBSD port of the software once it is updated. 

Have you considered submitting your patch to the author of CGI.pm, 
either via http://rt.cpan.org/Public/Dist/Display.html?Name=CGI.pm , 
or directly to Lincoln Stein? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122632 

From: Fred Cox <sailorfred@yahoo.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/122632: port www/p5-CGI.pm: CGI->pathinfo unsafely uses URI in regular expression, allowing easy crashes
Date: Thu, 10 Apr 2008 11:38:24 -0700 (PDT)

 It turns out that the bug has been fixed in www/p5-CGI.pm, so this PR is invalid.
 
 The problem is in lang/perl5.8, which installs an old version of CGI.pm (3.15).  I have submitted a new PR against lang/perl5.8.
State-Changed-From-To: feedback->closed 
State-Changed-By: tobez 
State-Changed-When: Mon Nov 24 14:40:28 CET 2008 
State-Changed-Why:  
As noted, this problem is not relevant to the port in question. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122632 
>Unformatted:
