Security Advisories (6)
CVE-2012-5526 (2012-11-21)

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.

CVE-2011-2766 (2011-11-08)

Usage of deprecated FCGI.pm API.

CPANSA-CGI-2010-02 (2010-11-08)

Non-random MIME boundary.

CPANSA-CGI-2010-01 (2010-02-05)

Newlines in headers.

CVE-2010-4411 (2010-12-06)

Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761.

CVE-2010-2761 (2010-12-06)

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.
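The newline-in-header problem named in CVE-2012-5526 and CPANSA-CGI-2010-01 above, shown as an added example. This is not code from CGI.pm or from its fixes. `safe_header` and `naive_header` are hypothetical helpers and the cookie strings are constructed sample input. The script contrasts plain concatenation of a header value with a check that rejects CR, LF and other control characters before the header is emitted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of CGI.pm): build one header line, refusing
# any name or value that could end the line early.
sub safe_header {
    my ($name, $value) = @_;
    die "invalid header name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9-]+\z/;
    die "undefined value for $name\n" unless defined $value;
    # CR, LF and other control characters (tab excepted) never belong in a
    # header value; reject rather than try to repair untrusted data.
    die "control character in $name value\n"
        if $value =~ /[\x00-\x08\x0A-\x1F\x7F]/;
    return "$name: $value\r\n";
}

# Unsafe pattern for comparison: the value is concatenated as-is.
sub naive_header {
    my ($name, $value) = @_;
    return "$name: $value\r\n";
}

# Constructed sample inputs: one ordinary cookie, one carrying CRLF.
my @samples = (
    "session=abc123; Path=/; HttpOnly",
    "session=abc123\r\nX-Injected: 1",
);

for my $value (@samples) {
    # Count how many header lines the naive form would put on the wire.
    my $lines = () = naive_header('Set-Cookie', $value) =~ /\r\n/g;
    my $line  = eval { safe_header('Set-Cookie', $value) };
    chomp(my $err = $@);
    printf "naive emits %d header line(s); safe_header: %s\n",
        $lines, defined $line ? 'accepted' : "rejected ($err)";
}
```

For the second sample the naive form produces two header lines from one value, which is the response-splitting condition the advisories describe; `safe_header` dies instead of emitting it.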

NAME

autoload - only load modules when they're used

SYNOPSIS

    # For a better example, see CGI::Object.pm. It uses
    # autoload.pm in quite a nice way.

    package MySimpleCookie;
    use autoload qw(Exporter CGI::Object::Cookie);

    @ISA = qw(Exporter CGI::Object::Cookie);
    @EXPORT = qw(raw_fetch cookie raw_cookie);

    # raw_fetch a list of cookies from the environment and
    # return as a hash. The cookie values are not unescaped
    # or altered in any way.
    sub raw_fetch {
        my $raw_cookie = $ENV{HTTP_COOKIE} || $ENV{COOKIE};
        my %results;
        my(@pairs) = split("; ",$raw_cookie);
        foreach (@pairs) {
            if (/^([^=]+)=(.*)/) {
                $results{$1} = $2;
            } else {
                $results{$_} = '';
            }
        }
        return wantarray ? %results : \%results;
    }

    my $cookies;
    sub raw_cookie {
        my $name = shift;
        if (!$cookies) { $cookies = raw_fetch() }
        return $cookies->{$name};
    }

    package main;
    # Now, people can use you just for your raw_cookie...
    use MySimpleCookie('raw_fetch','raw_cookie');
    $result = raw_cookie('blah');

    # And it won't cost 'em a cent. They didn't use any
    # functions from CGI::Object::Cookie, so the module
    # wasn't loaded.

    # But if they do use the functions, the module will load automatically
    package main;
    use MySimpleCookie('raw_fetch','cookie');
    $result = cookie('blah');

    # Or, if they even did this, the module would load automatically and work.
    package main;
    use MySimpleCookie;
    $me = new MySimpleCookie;
    print "Set-Cookie: ", $me->raw_cookie('blah');
    print "Set-Cookie: ", $me->cookie('blah');

DESCRIPTION

AUTHOR

David James (david@jamesgang.com)

SEE ALSO

CGI::Object(1).