Bug 7060

perl-Data-FormValidator-4.660.0-1.1.mga1 now available in core/updates_testing for mageia 1.

Thanks Jerome. Would you have an example of a basic script that uses Data::FormValidator?

CC: (none) => stormi

rt ticket on upstream data::formvalidator has this snippet.

================================
#!/usr/bin/perl
use strict;
use warnings;
use Data::FormValidator;
"some_unrelated_string" =~ m/^.*$/;
my $profile = {
    untaint_all_constraints => 1,
    required                => [qw(a)],
    constraint_methods      => { a => qr/will_never_match/, },
};
my $results = Data::FormValidator->check( { a => 1 }, $profile );
warn $results->valid('a');
================================

but since i don't have a mageia 1 box at hand, i don't know what it does before patching.

note however that the patch comes with a test checking that behaviour is changed. i tried the test before applying the patch => failure, when applying the full patch, test is working.

Thanks Jerome!

Advisory:
========================

Updated perl-Data-FormValidator package fixes security vulnerability:

The Data::FormValidator module 4.66 and earlier for Perl, when
untaint_all_constraints is enabled, does not properly preserve the taint
attribute of data, which might allow remote attackers to bypass the taint
protection mechanism via form input (CVE-2011-2201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2201
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065416.html

Tested using test script from upstream RT ticket ( https://rt.cpan.org/Public/Bug/Display.html?id=61792#txn-1006168 )

============================
use strict;
use warnings;

use Test::More tests => 3;

use Data::FormValidator;

"unrelated match" =~ /match/;

my $result = Data::FormValidator->check(
 { a => 'invalid value' }, # input data
 { # validation profile
 untaint_all_constraints => 1,
 optional => ['a'],
 constraints => { a => qr/never matches/, },
 },
);

ok( not $result->success )
 or diag( 'Valid: ', $result->valid );
ok( $result->has_invalid );
is_deeply( scalar($result->invalid), { 'a' => [ qr/never matches/ ] } );
=============================

Output with version in release:

[samuel@localhost QA]$ perl test2.pl
1..3
not ok 1
#   Failed test at test2.pl line 19.
# Valid: a
not ok 2
#   Failed test at test2.pl line 21.
not ok 3
#   Failed test at test2.pl line 22.
#     Structures begin differing at:
#          $got->{a} = Does not exist
#     $expected->{a} = ARRAY(0x88b0778)
# Looks like you failed 3 tests of 3.

Output with version in updates_testing:
[samuel@localhost QA]$ perl test2.pl
1..3
ok 1
ok 2
ok 3

Testing complete i586.

Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
perl-Data-FormValidator-4.660.0-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated perl-Data-FormValidator package fixes security vulnerability:

The Data::FormValidator module 4.66 and earlier for Perl, when
untaint_all_constraints is enabled, does not properly preserve the taint
attribute of data, which might allow remote attackers to bypass the taint
protection mechanism via form input (CVE-2011-2201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2201
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065416.html

https://bugs.mageia.org/show_bug.cgi?id=7060

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0225

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED