[packages/perl-DBI.git] / cve-2014-10401.patch

From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
From: Jens Rehsack <sno@netbsd.org>
Date: Tue, 6 Oct 2020 10:22:17 +0200
Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401

Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
parse_dsn to bailout.

Parsing on our own similar to parse_dsn shows the way out.

Signed-off-by: Jens Rehsack <sno@netbsd.org>
---
 lib/DBD/File.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
index fb14e9a..f55076f 100644
--- a/lib/DBD/File.pm
+++ b/lib/DBD/File.pm
@@ -109,7 +109,11 @@ sub connect
     # We do not (yet) care about conflicting attributes here
     # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
     # will test here that both test and text should exist
-    if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
+    #
+    # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
+    if ($dbname) {
+	my @attrs = split /;/ => $dbname;
+	my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
 	if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
 	    my $msg = "No such directory '$attr_hash->{f_dir}";
 	    $drh->set_err (2, $msg);
@@ -120,7 +124,6 @@ sub connect
     if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
 	my $msg = "No such directory '$attr->{f_dir}";
 	$drh->set_err (2, $msg);
-	$attr->{RaiseError} and croak $msg;
 	return;
 	}
Commit	Line	Data
58bc7b40 AM	1	From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
	2	From: Jens Rehsack <sno@netbsd.org>
	3	Date: Tue, 6 Oct 2020 10:22:17 +0200
	4	Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401
	5
	6	Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
	7	figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
	8	DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
	9	parse_dsn to bailout.
	10
	11	Parsing on our own similar to parse_dsn shows the way out.
	12
	13	Signed-off-by: Jens Rehsack <sno@netbsd.org>
	14	---
	15	lib/DBD/File.pm \| 7 +++++--
	16	1 file changed, 5 insertions(+), 2 deletions(-)
	17
	18	diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
	19	index fb14e9a..f55076f 100644
	20	--- a/lib/DBD/File.pm
	21	+++ b/lib/DBD/File.pm
	22	@@ -109,7 +109,11 @@ sub connect
	23	# We do not (yet) care about conflicting attributes here
	24	# my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
	25	# will test here that both test and text should exist
	26	- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
	27	+ #
	28	+ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
	29	+ if ($dbname) {
	30	+ my @attrs = split /;/ => $dbname;
	31	+ my $attr_hash = { map { split /\s=>?\s\|\s,\s/, $_} @attrs };
	32	if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
	33	my $msg = "No such directory '$attr_hash->{f_dir}";
	34	$drh->set_err (2, $msg);
	35	@@ -120,7 +124,6 @@ sub connect
	36	if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
	37	my $msg = "No such directory '$attr->{f_dir}";
	38	$drh->set_err (2, $msg);
	39	- $attr->{RaiseError} and croak $msg;
	40	return;
	41	}
	42