On Sat, 06 Aug 2022 21:24:08 +0300, Niko Tyni wrote: > It looks like the recent security fix in libhttp-daemon-perl_6.14-1.1 > (or at least the associated test case) has issues with newer versions > of the HTTP::Tiny module. […] > From my build log: > Subroutine HTTP::Tiny::Handle::write_content_body redefined at > t/content_length.t line 277.
Just a quick note:
That's from debian/patches/CVE-2022-31081-testcase.patch:
#v+
+sub patch_http_tiny {
+
+ # we need to patch write_content_body
+ # this is part of HTTP::Tiny internal module HTTP::Tiny::Handle
+ #
+ # the below code is from the original HTTP::Tiny module, where just two
lines
+ # have been commented out
+
+ no strict 'refs';
+
+ *HTTP::Tiny::Handle::write_content_body = sub {
+ @_ == 2 || die(q/Usage: $handle->write_content_body(request)/ . "\n");
+ my ($self, $request) = @_;
+
+ my ($len, $content_length) = (0,
$request->{headers}{'content-length'});
+ while () {
+ my $data = $request->{cb}->();
+
+ defined $data && length $data
+ or last;
+
+ if ( $] ge '5.008' ) {
+ utf8::downgrade($data, 1)
+ or die(qq/Wide character in write_content()\n/);
+ }
+
+ $len += $self->write($data);
+ }
+
+# this should not be checked during our tests, we want to forge bad
requests
+#
+# $len == $content_length
+# or die(qq/Content-Length mismatch (got: $len expected:
$content_length)\n/);
+
+ return $len;
+ };
+}
#v-
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-
signature.asc
Description: Digital Signature

