Created
October 5, 2010 18:14
-
-
Save cfaulkingham/612035 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Colin Faulkingham 10/5/2010 | |
| # Below is the replacement code fixes a XSS vulnerability with Apache Server errors using CGI::Application::Plus | |
| ; sub _run_runmode # __STEP must be 2 or 3 to run this | |
| { my ($s, $RM, @args) = @_ | |
| ; $s->__STEP < 2 && croak qq(Too early to call this method) | |
| ; $s->__STEP > 3 && croak qq(Too late to call this method) | |
| ; defined $RM && length $RM || croak qq(No run mode passed) | |
| ; $s->runmode = $RM # switch RM allowed just from here | |
| ; my $rm = $s->run_modes | |
| ; my $runmethod = $$rm{$RM} | |
| || $s->can($s->RM_prefix.$RM) && $s->RM_prefix.$RM | |
| || ($$rm{AUTOLOAD} && ++ my $al && $$rm{AUTOLOAD}) | |
| ; my $badRunMode = ${\$s->runmode} | |
| ; # Decode the url parameter | |
| ; $badRunMode=~s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg | |
| ; # clean for XSS style attack remove <>'" from string. | |
| ; $badRunMode=~s/[\<\'\"\>]//g | |
| ; # This "could" take you to an Apache Server Error. | |
| ; $^W && $al && carp qq(No run-method found for run mode "$badRunMode" ) | |
| . qq(using run mode "AUTOLOAD") | |
| ; my $page | |
| ; if ( $runmethod ) | |
| { unshift @args, $RM if $al | |
| ; $page = $s->can($runmethod) | |
| ? $s->$runmethod( @args ) | |
| : eval{ $s->$runmethod( @args ) } | |
| ; $@ && croak qq(Error executing run mode "$badRunMode}": $@) | |
| } | |
| ; unless ( defined $s->page ) | |
| { $runmethod | |
| || croak qq(No run-method found for run mode "$badRunMode") # this could be an Apache server error | |
| ; $s->page = $page | |
| } | |
| } | |
| # Orginal Code taken from CGI::Application::Plus.pm | |
| # | |
| # ; sub _run_runmode # __STEP must be 2 or 3 to run this | |
| # { my ($s, $RM, @args) = @_ | |
| # ; $s->__STEP < 2 && croak qq(Too early to call this method) | |
| # ; $s->__STEP > 3 && croak qq(Too late to call this method) | |
| # ; defined $RM && length $RM || croak qq(No run mode passed) | |
| # ; $s->runmode = $RM # switch RM allowed just from here | |
| # ; my $rm = $s->run_modes | |
| # ; my $runmethod = $$rm{$RM} | |
| # || $s->can($s->RM_prefix.$RM) && $s->RM_prefix.$RM | |
| # || ($$rm{AUTOLOAD} && ++ my $al && $$rm{AUTOLOAD}) | |
| # ; $^W && $al && carp qq(No run-method found for run mode "${\$s->runmode}" ) | |
| # . qq(using run mode "AUTOLOAD") | |
| # ; my $page | |
| # ; if ( $runmethod ) | |
| # { unshift @args, $RM if $al | |
| # ; $page = $s->can($runmethod) | |
| # ? $s->$runmethod( @args ) | |
| # : eval{ $s->$runmethod( @args ) } | |
| # ; $@ && croak qq(Error executing run mode "${\$s->runmode}": $@) | |
| # } | |
| # ; unless ( defined $s->page ) | |
| # { $runmethod | |
| # || croak qq(No run-method found for run mode "${\$s->runmode}") | |
| # ; $s->page = $page | |
| # } | |
| # } | |
| # |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This corrects the XSS vulnerability with Apache Server Errors using CGI::Application::Plus.pm in Version.1.21