I don't believe a CVE was requested for this issue.  Looks like it requires a 2013 CVE.  Copying-and-pasting from our bug [5]:


It was reported [1],[2] that the CGI::Application perl module suffered from a flaw where, in certain cases, it would unexpectedly dump a complete set of web query data and server environment information as an error page.  This could allow unintended disclosure of sensitive information.

A suggested fix is available [3] and the commit that caused the problem [4] was most likely introduced in version 4.19.


[1] https://rt.cpan.org/Public/Bug/Display.html?id=84403
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739505
[3] https://github.com/markstos/CGI--Application/pull/15
[4] https://github.com/markstos/CGI--Application/commit/61d327646f01fe
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1067180


This pull request resolves the issue raised in https://rt.cpan.org/Public/Bug/Display.html?id=84403

Application.pm

A new runmode named no_runmodes is now called rather than dump_html when no run modes are specified. This returns a message to the user reporting the problem, without exposing anything which may raise security concerns. The POD has been updated, asking the user to think about potential security issues when calling dump_html.

basic.t/TestApp.pm

Add tests for the new runmode

load_tmpl_hook.t

Test required an update as it was dependent on Application.pm returning the output of dump_html

In addition to the changes above, there are some very minor changes to the indentation.

If there are any issues please let me know.
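The mitigation the pull request describes lives inside CGI::Application itself. An application that cannot yet upgrade can close the same gap from its own side: declare the run modes explicitly so the framework never reaches its "no run modes" fallback, handle unknown modes and runtime errors with generic pages, and override dump_html so that, whatever path calls it, no query or environment data is rendered for the client. The following is an added illustration written for this page, not code from the pull request or from the CGI::Application distribution; the package name SafeApp, the run mode and method names, and the constructed query string rm=does_not_exist are assumptions made here. It uses only documented CGI::Application calls (start_mode, mode_param, run_modes with the AUTOLOAD key, error_mode, header_props, and the CGI_APP_RETURN_ONLY environment variable that makes run() return the response instead of printing it).

```perl
package SafeApp;
use strict;
use warnings;
use base 'CGI::Application';

# Always declare run modes explicitly, so the framework never has to fall
# back to a default handler because none were defined.
sub setup {
    my $self = shift;
    $self->start_mode('index');
    $self->mode_param('rm');
    $self->run_modes(
        index    => 'show_index',
        AUTOLOAD => 'unknown_mode',   # catches any ?rm= value not listed here
    );
    $self->error_mode('handle_error');
}

sub show_index {
    my $self = shift;
    $self->header_props(-type => 'text/html');
    return "<html><body><p>Hello.</p></body></html>\n";
}

# Unknown run mode: say so without echoing the requested name or any input.
sub unknown_mode {
    my ($self, $requested) = @_;
    $self->header_props(-status => '404 Not Found', -type => 'text/html');
    return "<html><body><p>Unknown page.</p></body></html>\n";
}

# Runtime error inside a run mode: keep the detail in the server log and
# send the client a generic page.
sub handle_error {
    my ($self, $error) = @_;
    warn "SafeApp error: $error";
    $self->header_props(-status => '500 Internal Server Error', -type => 'text/html');
    return "<html><body><p>An internal error occurred.</p></body></html>\n";
}

# Belt and braces: even if some code path still ends up in dump_html,
# nothing about the query or the environment is rendered for the client.
sub dump_html {
    my $self = shift;
    $self->header_props(-type => 'text/html');
    return "<html><body><p>Diagnostic output is disabled.</p></body></html>\n";
}

package main;
use strict;
use warnings;
use CGI;

# Make run() return the response rather than print it, so it can be checked.
$ENV{CGI_APP_RETURN_ONLY} = 1;

# Constructed request: a run mode that does not exist (an assumed sample value).
my $app = SafeApp->new(QUERY => CGI->new('rm=does_not_exist'));
my $out = $app->run;

# Sanity check: a dump_html-style page would list environment variables by name.
die "environment leaked into response\n" if $out =~ /HTTP_HOST|QUERY_STRING|SERVER_SOFTWARE/;
print $out;
```

Run it with CGI::Application installed (perl safeapp.pl); the response is the generic "Unknown page." body with a 404 status rather than a dump of the request. The same setup method is a reasonable template for any CGI::Application subclass: the start_mode and run_modes declarations are what keep the framework away from its fallback behaviour, and the dump_html override is a second line of defence that costs nothing.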
MartinMcGrath added some commits a month ago:

  dcadc36  Martin McGrath  Update Application.pm …
  08b75f1  Martin McGrath  Update basic.t - …
  fe7e9bf  Martin McGrath  Update TestApp.pm - add runmode dump_htm …
  b6058d9  Martin McGrath  Update basic.t …
  727bb70  Martin McGrath  Update loat_tmpl_hook.t …
  b913740  Martin McGrath  Update Build.PL …
  c359b6b  Martin McGrath  Update Build.PL …
  b746df9  Martin McGrath  Update basic.t
  7849b4c  Martin McGrath  Update Application.pm - Update POD, add warning …
fionnb commented 10 hours ago

I would like to STRONGLY endorse the application of this patch.
I was just about to open a report for exactly this issue when I found it already addressed by Martin. The problem had already been introduced with commit 61d3276 but probably did not cause major hassle until it arrived in recent Debian repos lately. The security implications of an unexpected and potentially uncontrollable var dump to the world are very serious. We also lost quite some time trying to find out where this unexpected dump came from in the first place and how it was caused. As an added "bonus", the output of dump_html is not even a valid HTML page.