CPAN modules Storable::thaw called on cookie data

2013.05.13
Credit: John Lightsey
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Several CPAN modules follow the same pattern of calling Storable::thaw() on session data stored client side with no signature verification mechanisms in place to prevent tampering. Perl's Storable module was recently documented as being unsafe for use with untrusted inputs:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

The vulnerable modules are:

Both App::Session::Cookie and App::Session::HTMLHidden in the App::Context bundle.
https://rt.cpan.org/Ticket/Display.html?id=85215

HTML::EP::Session::Cookie in the HTML::EP bundle.
https://rt.cpan.org/Ticket/Display.html?id=85216

Spoon::Cookie in the Spoon bundle.
https://rt.cpan.org/Ticket/Display.html?id=85217

diff --git a/dist/Storable/Storable.pm b/dist/Storable/Storable.pm index 668bf44..7d53454 100644 (file) --- a/dist/Storable/Storable.pm +++ b/dist/Storable/Storable.pm @@ -21,7 +21,7 @@ package Storable; @ISA = qw(Exporter); use vars qw($canonical $forgive_me $VERSION); -$VERSION = '2.39'; +$VERSION = '2.40'; BEGIN { if (eval { local $SIG{__DIE__}; require Log::Agent; 1 }) { @@ -1019,6 +1019,38 @@ compartment: =for example_testing is( $code->(), 42 );
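
Review bot: nothing visible in this patch alters what thaw() does with its input. The only code change in the first hunk is the $VERSION bump from '2.39' to '2.40', and the second hunk (@@ -1019,6 +1019,38 @@) sits next to the POD line `=for example_testing`. The added lines of that second hunk are not shown here, so the wording of the new warning cannot be checked from this page. I would ask that it name thaw() on client-held data (cookies, hidden form fields) explicitly and tell callers to verify a signature before thawing, since callers that skip that step stay exposed after upgrading.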

References:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e
https://rt.cpan.org/Ticket/Display.html?id=85215
https://rt.cpan.org/Ticket/Display.html?id=85216
https://rt.cpan.org/Ticket/Display.html?id=85217
http://seclists.org/oss-sec/2013/q2/313
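
One way to close the gap this advisory describes, as an added example that is not code from the advisory or from any of the listed modules: the cookie carries an HMAC-SHA256 tag over the frozen bytes, and thaw() runs only after that tag verifies. The secret, the function names and the sample session are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# Hypothetical server-side secret; load it from protected configuration in practice.
my $SECRET = 'constructed-demo-key-not-for-production';

# Serialize the session and prepend a 32-byte HMAC-SHA256 tag over the frozen bytes.
sub encode_session {
    my ($session) = @_;
    my $frozen = nfreeze($session);
    return encode_base64(hmac_sha256($frozen, $SECRET) . $frozen, '');
}

# Return the session hashref, or undef if the cookie is malformed or was modified.
# thaw() is reached only after the tag has been verified.
sub decode_session {
    my ($cookie) = @_;
    return unless defined $cookie && $cookie =~ m!\A[A-Za-z0-9+/]+={0,2}\z!;
    my $raw = decode_base64($cookie);
    return if length($raw) <= 32;
    my ($tag, $frozen) = (substr($raw, 0, 32), substr($raw, 32));
    my $expected = hmac_sha256($frozen, $SECRET);
    # Constant-time comparison: OR together the XOR of every byte pair.
    my $diff = 0;
    $diff |= ord(substr($tag, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. 31;
    return if $diff;
    return thaw($frozen);
}

# Constructed sample session.
my $cookie  = encode_session({ user => 'alice', cart => [ 1, 2 ] });
my $session = decode_session($cookie);
print "valid cookie: user=$session->{user}\n";

# Change one byte of the payload the way a client-side edit would.
my $raw = decode_base64($cookie);
substr($raw, -1, 1) = chr(ord(substr($raw, -1, 1)) ^ 0x01);
my $modified = encode_base64($raw, '');
print "modified cookie: ",
    (defined decode_session($modified) ? "ACCEPTED" : "rejected"), "\n";
```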

