Fedora has issued an advisory on May 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JBUG5I5NYLNO4I44N7J26C6RCVHX7M5Y/
The issue is fixed upstream in 8.42.
Status comment: (none) => Fixed upstream in 8.42
Advisory:
This update fixes a security issue that allowed for _method query parameters to be used with GET requests.

References:
https://github.com/mojolicious/mojo/commit/3c1c99a7131a1419d8d355a6083c31a7f9ca7ba0

rpms:
perl-Mojolicious-8.140.0-1.mga7

From:
perl-Mojolicious-8.140.0-1.1.mga7
Assignee: thierry.vignaud => qa-bugsCC: (none) => mageiaStatus comment: Fixed upstream in 8.42 => (none)
mga7, x86_64

Not competent to try reproducing this issue so tried utility tests, before updating.

Used a local gui wrapper for get_iplayer which appears in the list of whatrequires.

$ strace -o bbc.trace bbc

Downloaded a programme successfully.

$ grep get_iplayer bbc.trace
read(10, "344 /home/lcl/.get_iplayer/progr"..., 8192) = 38
chdir("/home/lcl/.get_iplayer/") = 0
openat(AT_FDCWD, "/home/lcl/.get_iplayer/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 10
stat("get_iplayer", {st_mode=S_IFREG|0755, st_size=450710, ...}) = 0

$ grep GET bbc.trace
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fcntl(3, F_GETFL) = 0 (flags O_RDONLY)
fcntl(4, F_GETFL) = 0x1 (flags O_WRONLY)
fcntl(5, F_GETFL) = 0 (flags O_RDONLY)
fcntl(6, F_GETFL) = 0x1 (flags O_WRONLY)
fcntl(7, F_GETFD) = 0x1 (flags FD_CLOEXEC)
ioctl(7, TCGETS, 0x7ffe7b636ea0) = -1 ENOTTY (Inappropriate ioctl for device)
....

Not even sure that perl-Mojolicious is being used. Information on the web implies that it has something to do with a perl web framework.
https://perlmaven.com/getting-started-with-mojolicious-lite

Started with the minimal helloworld script:

$ morbo helloworld.pl
Server available at http://127.0.0.1:3000
[2020-05-30 17:49:08.32016] [17822] [debug] GET "/" (442e7771)
[2020-05-30 17:49:08.32080] [17822] [debug] 200 OK (0.00063s, 1587.302/s)

localhost:3000/ displays "Hello World" in a browser.

Tried localhost:3000/echo as well to display the error page reported online and the server shows this sort of thing:

[2020-05-30 17:53:48.48313] [17822] [debug] Template "not_found.html.ep" not found
[2020-05-30 17:53:48.48325] [17822] [debug] Rendering template "mojo/debug.html.ep"
[2020-05-30 17:53:48.50038] [17822] [debug] Your secret passphrase needs to be changed
[2020-05-30 17:53:48.50212] [17822] [debug] 404 Not Found (0.019721s, 50.707/s)

All as expected.

Modified the program - and ran it. This showed an entry field followed by an 'echo' button. Wrote a password into the box and clicked echo and up came the error page at Mojolicious with a little more information. The server (in the terminal) reports a 404 error. After a couple more modifications to the script, refreshing the web address posted the password enquiry and the echo button cleared all and echoed the password in the browser without restarting the server. A bit elementary but that is as far as it goes.

Updated the plugin.

$ morbo helloworld.pl
Server available at http://127.0.0.1:3000
[2020-05-30 18:45:16.35103] [26927] [debug] GET "/echo" (5710c1b9)
[2020-05-30 18:45:16.35169] [26927] [debug] 200 OK (0.000672s, 1488.095/s)
[2020-05-30 18:45:29.84174] [26927] [debug] POST "/echo" (5dd0fde2)
[2020-05-30 18:45:29.84203] [26927] [debug] Routing to a callback
[2020-05-30 18:45:29.84230] [26927] [debug] 200 OK (0.000552s, 1811.594/s)

The password and echo button functioned fine at localhost:3000/echo

This will have to do at our end.
Whiteboard: (none) => MGA7-64-OKCC: (none) => tarazed25
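A more targeted check for the fix named in the advisory, added here as an example for this page (it is not the attachment in this thread and not Mojolicious' own code). It assumes Mojolicious::Lite is installed and that the 8.42 change restricts the _method query-parameter override to POST requests, as the linked commit message states; the expected responses in the comments follow from that assumption. One route per HTTP method makes the response show which method the router actually dispatched on, so a before/after comparison needs nothing more than curl.

```perl
#!/usr/bin/env perl
# override.pl: hypothetical test app for the _method override.
# Each route answers with the method it was dispatched for.
use Mojolicious::Lite;

get  '/item' => sub { my $c = shift; $c->render(text => "GET handler\n") };
post '/item' => sub { my $c = shift; $c->render(text => "POST handler\n") };
del  '/item' => sub { my $c = shift; $c->render(text => "DELETE handler\n") };

app->start;

# Start it the same way as the helloworld script above:
#   $ morbo override.pl
#
# 1. A plain GET that carries the override (this is what a link, an
#    <img src=...> or a prefetch would send):
#   $ curl 'http://127.0.0.1:3000/item?_method=DELETE'
#    - unpatched (before 8.42): "DELETE handler" - a GET reached a
#      state-changing route, which is the issue being fixed
#    - patched (8.42 / the updated package): "GET handler"
#
# 2. The documented use case, a POST form that cannot send DELETE
#    itself, should still work after the update:
#   $ curl -X POST 'http://127.0.0.1:3000/item?_method=DELETE'
#    - both versions: "DELETE handler"
#
# 3. Control request with no override at all:
#   $ curl 'http://127.0.0.1:3000/item'
#    - both versions: "GET handler"
```

Run the three requests once against the installed package, then again after updating from updates_testing; only the first request should change its answer.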
Created attachment 11669 [details] Rudimentary server script for Mojolicious
Validating. Advisory in Comment 1.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2020-0141.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED