- update CGI to 3.50, which includes a fix for SA42443,

"multipart_init()" HTTP Header Injection Vulnerability.
- add a mention in patchlevel.h (reminded by millert@)

ok millert@

7 files changed, 97 insertions, 21 deletions

diff --git a/gnu/usr.bin/perl/cpan/CGI/Changes b/gnu/usr.bin/perl/cpan/CGI/Changes
index fb1644ff64a..4b197ecbdeb 100644
--- a/gnu/usr.bin/perl/cpan/CGI/Changes
+++ b/gnu/usr.bin/perl/cpan/CGI/Changes
@@ -1,3 +1,21 @@
+Version 3.50
+  
+  [SECURITY]
+  1. The MIME boundary in multipart_init is now random. 
+     Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and  Mark Stosberg
+  2. Further improvements to handling of newlines embedded in header values. 
+     An exception is thrown if header values contain invalid newlines. 
+     Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
+     Lincoln Stein, Frédéric Buclin and Mark Stosberg
+
+  [DOCUMENTATION]
+  1. Correcting/clarifying documentation for param_fetch(). Thanks to 
+        Renée Bäcker. (RT#59132)
+
+  [INTERNALS]
+  1. Fixing https test in http.t. (RT#54768)
+  2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple. 
+
 Version 3.49
 
   [BUG FIXES]
diff --git a/gnu/usr.bin/perl/cpan/CGI/lib/CGI.pm b/gnu/usr.bin/perl/cpan/CGI/lib/CGI.pm
index 355b8d1805b..c0f6752dae9 100644
--- a/gnu/usr.bin/perl/cpan/CGI/lib/CGI.pm
+++ b/gnu/usr.bin/perl/cpan/CGI/lib/CGI.pm
@@ -18,8 +18,9 @@ use Carp 'croak';
 # The most recent version and complete docs are available at:
 #   http://stein.cshl.org/WWW/software/CGI/
 
+# The revision is no longer being updated since moving to git. 
 $CGI::revision = '$Id: CGI.pm,v 1.266 2009/07/30 16:32:34 lstein Exp $';
-$CGI::VERSION='3.49';
+$CGI::VERSION='3.50';
 
 # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
 # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -1457,7 +1458,14 @@ END_OF_FUNC
 sub multipart_init {
     my($self,@p) = self_or_default(@_);
     my($boundary,@other) = rearrange_header([BOUNDARY],@p);
-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
+    if (!$boundary) {
+        $boundary = '------- =_';
+        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+        for (1..17) {
+            $boundary .= $chrs[rand(scalar @chrs)];
+        }
+    }
+
     $self->{'separator'} = "$CRLF--$boundary$CRLF";
     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
     $type = SERVER_PUSH($boundary);
@@ -1545,12 +1553,19 @@ sub header {
     # CR escaping for values, per RFC 822
     for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
         if (defined $header) {
-            $header =~ s/
-                (?<=\n)    # For any character proceeded by a newline
-                (?=\S)     # ... that is not whitespace
-            / /xg;         # ... inject a leading space in the new line
-        }
-    }
+            # From RFC 822:
+            # Unfolding  is  accomplished  by regarding   CRLF   immediately
+            # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+            $header =~ s/$CRLF(\s)/$1/g;
+
+            # All other uses of newlines are invalid input. 
+            if ($header =~ m/$CRLF/) {
+                # shorten very long values in the diagnostic
+                $header = substr($header,0,72).'...' if (length $header > 72);
+                die "Invalid header value contains a newline not followed by whitespace: $header";
+            }
+        } 
+   }
 
     $nph     ||= $NPH;
 
@@ -1615,7 +1630,6 @@ sub header {
 }
 END_OF_FUNC
 
-
 #### Method: cache
 # Control whether header() will produce the no-cache
 # Pragma directive.
@@ -4707,9 +4721,10 @@ specialized tasks.)
    unshift @{$q->param_fetch(-name=>'address')},'George Munster';
 
 If you need access to the parameter list in a way that isn't covered
-by the methods above, you can obtain a direct reference to it by
-calling the B<param_fetch()> method with the name of the .  This
-will return an array reference to the named parameters, which you then
+by the methods given in the previous sections, you can obtain a direct 
+reference to it by
+calling the B<param_fetch()> method with the name of the parameter.  This
+will return an array reference to the named parameter, which you then
 can manipulate in any way you like.
 
 You can also use a named argument style using the B<-name> argument.
diff --git a/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Cookie.pm b/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Cookie.pm
index 7bc090d4186..3567c7f1089 100644
--- a/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Cookie.pm
+++ b/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Cookie.pm
@@ -305,7 +305,9 @@ it internally), you can use this module independently.
 
 For full information on cookies see 
 
-	http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt
+	http://tools.ietf.org/html/rfc2109
+	http://tools.ietf.org/html/rfc2965
+	http://tools.ietf.org/html/draft-ietf-httpstate-cookie
 
 =head1 USING CGI::Cookie
 
@@ -355,18 +357,19 @@ that all scripts at your site will receive the cookie.
 If the "secure" attribute is set, the cookie will only be sent to your
 script if the CGI request is occurring on a secure channel, such as SSL.
 
-=item B<4. httponly flag>
+=item B<5. httponly flag>
 
 If the "httponly" attribute is set, the cookie will only be accessible
 through HTTP Requests. This cookie will be inaccessible via JavaScript
 (to prevent XSS attacks).
 
-But, currently this feature only used and recognised by 
-MS Internet Explorer 6 Service Pack 1 and later.
+This feature is only supported by recent browsers like Internet Explorer
+6 Service Pack 1, Firefox 3.0 and Opera 9.5 (and later of course).
 
-See this URL for more information:
+See these URLs for more information:
 
-L<http://msdn.microsoft.com/en-us/library/ms533046%28VS.85%29.aspx>
+	http://msdn.microsoft.com/en-us/library/ms533046.aspx
+	http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly
 
 =back
 
diff --git a/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Fast.pm b/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Fast.pm
index 34953beb65c..e31dac3f50f 100644
--- a/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Fast.pm
+++ b/gnu/usr.bin/perl/cpan/CGI/lib/CGI/Fast.pm
@@ -181,7 +181,7 @@ documentation for C<FCGI::OpenSocket> for more information.)
 =item FCGI_SOCKET_PATH
 
 The address (TCP/IP) or path (UNIX Domain) of the socket the external FastCGI
-script to which bind can listen for incoming connections from the web server.
+script to which bind an listen for incoming connections from the web server.
 
 =item FCGI_LISTEN_QUEUE
 
diff --git a/gnu/usr.bin/perl/cpan/CGI/t/fast.t b/gnu/usr.bin/perl/cpan/CGI/t/fast.t
new file mode 100644
index 00000000000..a660c4400b9
--- /dev/null
+++ b/gnu/usr.bin/perl/cpan/CGI/t/fast.t
@@ -0,0 +1,39 @@
+#!perl -w
+
+my $fcgi;
+BEGIN {
+	local $@;
+	eval { require FCGI };
+	$fcgi = $@ ? 0 : 1;
+}
+
+use Test::More tests => 10;
+
+# Shut up "used only once" warnings.
+() = $CGI::Q;
+() = $CGI::Fast::Ext_Request;
+
+SKIP: {
+	skip( 'FCGI not installed, cannot continue', 10 ) unless $fcgi;
+
+	require CGI::Fast;
+	ok( my $q = CGI::Fast->new(), 'created new CGI::Fast object' );
+	is( $q, $CGI::Q, 'checking to see if the object was stored properly' );
+	is( $q->param(), (), 'no params' );
+
+	ok( $q = CGI::Fast->new({ foo => 'bar' }), 'creating object with params' );
+	is( $q->param('foo'), 'bar', 'checking passed param' );
+
+	# if this is false, the package var will be empty
+	$ENV{FCGI_SOCKET_PATH} = 0;
+	is( $CGI::Fast::Ext_Request, undef, 'checking no active request' );
+
+    is($CGI::PRIVATE_TEMPFILES,0, "reality check default value for CGI::PRIVATE_TEMPFILES");
+	import CGI::Fast '-private_tempfiles';
+    CGI::Fast->new;
+    is($CGI::PRIVATE_TEMPFILES,1, "pragma in subclass set package variable in parent class. ");
+    $q = CGI::Fast->new({ a => 1 });
+    ok($q, "reality check: something was returned from CGI::Fast->new besides undef");
+    is($CGI::PRIVATE_TEMPFILES,1, "package variable in parent class persists through multiple calls to CGI::Fast->new ");
+
+};
diff --git a/gnu/usr.bin/perl/cpan/CGI/t/http.t b/gnu/usr.bin/perl/cpan/CGI/t/http.t
index 8ca3974e157..324da26fd4e 100755
--- a/gnu/usr.bin/perl/cpan/CGI/t/http.t
+++ b/gnu/usr.bin/perl/cpan/CGI/t/http.t
@@ -34,8 +34,8 @@ my $cgi = CGI->new();
     # https()
     # The same as http(), but operates on the HTTPS environment variables present when the SSL protocol is in
     # effect.  Can be used to determine whether SSL is turned on.
-    local $ENV{'HTTPS'} = 'ON';
-    local $ENV{'HTTPS_KEYSIZE'} = 512;
+    local %ENV;
+    @ENV{qw/ HTTPS HTTPS_KEYSIZE /} = ('ON', 512);
     is $cgi->https(), 'ON', 'scalar context to check SSL is on';
     ok eq_set( [$cgi->https()], [qw(HTTPS HTTPS_KEYSIZE)]), 'list context returns https keys';
 }
diff --git a/gnu/usr.bin/perl/patchlevel.h b/gnu/usr.bin/perl/patchlevel.h
index 373fd972d59..2d0673957bd 100644
--- a/gnu/usr.bin/perl/patchlevel.h
+++ b/gnu/usr.bin/perl/patchlevel.h
@@ -128,6 +128,7 @@ hunk.
 static const char * const local_patches[] = {
 	NULL
 	,"CVE-2010-0405"
+	,"Updated CGI to 3.50"
 #ifdef PERL_GIT_UNCOMMITTED_CHANGES
 	,"uncommitted-changes"
 #endif