Advisory:
This update fix a security issue that allowed for _method query parameters to be used with GET requests

References:
https://github.com/mojolicious/mojo/commit/3c1c99a7131a1419d8d355a6083c31a7f9ca7ba0

rpms:
perl-Mojolicious-8.140.0-1.mga7

From:
perl-Mojolicious-8.140.0-1.1.mga7

Assignee: thierry.vignaud => qa-bugs
CC: (none) => mageia
Status comment: Fixed upstream in 8.42 => (none)

mga7, x86_64

Not competent to try reproducing this issue so tried utility tests, before updating.
Used a local gui wrapper for get_iplayer which appears in the list of whatrequires.
$ strace -o bbc.trace bbc
Downloaded a programme successfully.

$ grep get_iplayer bbc.trace
read(10, "344 /home/lcl/.get_iplayer/progr"..., 8192) = 38
chdir("/home/lcl/.get_iplayer/")        = 0
openat(AT_FDCWD, "/home/lcl/.get_iplayer/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 10
stat("get_iplayer", {st_mode=S_IFREG|0755, st_size=450710, ...}) = 0

$ grep GET bbc.trace
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
fcntl(3, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(4, F_GETFL)                       = 0x1 (flags O_WRONLY)
fcntl(5, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(6, F_GETFL)                       = 0x1 (flags O_WRONLY)
fcntl(7, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
ioctl(7, TCGETS, 0x7ffe7b636ea0)        = -1 ENOTTY (Inappropriate ioctl for device)
....

Not even sure that perl-Mojolicious is being used.  Information on the web implies that it has something to do with a perl web framework.

https://perlmaven.com/getting-started-with-mojolicious-lite
    
Started with the minimal helloworld script:
    
$ morbo helloworld.pl
Server available at http://127.0.0.1:3000
[2020-05-30 17:49:08.32016] [17822] [debug] GET "/" (442e7771)
[2020-05-30 17:49:08.32080] [17822] [debug] 200 OK (0.00063s, 1587.302/s)

localhost:3000/ displays "Hello World" in a browser.
Tried localhost:3000/echo as well to display the error page reported online and the server shows this sort of thing:
[2020-05-30 17:53:48.48313] [17822] [debug] Template "not_found.html.ep" not found
[2020-05-30 17:53:48.48325] [17822] [debug] Rendering template "mojo/debug.html.ep"
[2020-05-30 17:53:48.50038] [17822] [debug] Your secret passphrase needs to be changed
[2020-05-30 17:53:48.50212] [17822] [debug] 404 Not Found (0.019721s, 50.707/s)

All as expected.

Modified the program - and ran it.
This showed and entry field followed by an 'echo' button.
Wrote a password into the box and clicked echo and up came the error page at Mojolicious with a little more information.  The server (in the terminal) reports a 404 error.

After a couple more modifications to the script, refreshing the web address posted the password enquiry and the echo button cleared all and echoed the password in the browser without restarting the server. 

A bit elementary but that is as far as it goes.

Updated the plugin.

$ morbo helloworld.pl
Server available at http://127.0.0.1:3000
[2020-05-30 18:45:16.35103] [26927] [debug] GET "/echo" (5710c1b9)
[2020-05-30 18:45:16.35169] [26927] [debug] 200 OK (0.000672s, 1488.095/s)
[2020-05-30 18:45:29.84174] [26927] [debug] POST "/echo" (5dd0fde2)
[2020-05-30 18:45:29.84203] [26927] [debug] Routing to a callback
[2020-05-30 18:45:29.84230] [26927] [debug] 200 OK (0.000552s, 1811.594/s)

The pasword and echo button functioned fine at localhost:3000/echo

This will have to do at our end.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Created attachment 11669 [details]
Rudimentary server script for Mojolicious

Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2020-0141.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED