| commit | 4a688db853fecbef2808bd97b6b4ec96eac5ecd0 | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Tue, 10 Sep 2013 06:42:11 +0000 (9 23:42 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Tue, 10 Sep 2013 06:42:11 +0000 (9 23:42 -0700) | ||
| tree | db88a8b529bc17eba70b348aac385cc7465dd3a1 | treesnapshot (tar.gz zip) |
| parent | e68f8a6fd69f26cb670c6d67ed806f4b42e637a5 | commitdiff |
CGI.pm: mitigate VU#987798/CVE-2013-3587 with random padding
See http://www.kb.cert.org/vuls/id/987798 for information on the
vulnerability.
Mitigate the problem by adding random padding at the beginning and end of
every CGI.pm generated page. The limited number of plain text "secrets"
that Girocco uses are all contained in pages generated with CGI.pm. The
random padding is only generated when HTTPS is on as there's no point in
doing anything if the connection is unencrypted and easily sniffable to
start with and the request is a POST as only those contain sensitive data.
See http://www.kb.cert.org/vuls/id/987798 for information on the
vulnerability.
Mitigate the problem by adding random padding at the beginning and end of
every CGI.pm generated page. The limited number of plain text "secrets"
that Girocco uses are all contained in pages generated with CGI.pm. The
random padding is only generated when HTTPS is on as there's no point in
doing anything if the connection is unencrypted and easily sniffable to
start with and the request is a POST as only those contain sensitive data.
| Girocco/CGI.pm | diffblobblamehistory |