File perl-cgi-injection.diff of Package perl

--- ./lib/CGI.pm.orig	2007-12-18 10:47:07.000000000 +0000
+++ ./lib/CGI.pm	2011-01-12 11:29:50.000000000 +0000
@@ -1379,7 +1379,13 @@ END_OF_FUNC
 sub multipart_init {
     my($self,@p) = self_or_default(@_);
     my($boundary,@other) = rearrange([BOUNDARY],@p);
-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
+    if (!$boundary) {
+	$boundary = '------- =_';
+	my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+	for (1..17) {
+	    $boundary .= $chrs[rand(scalar @chrs)];
+	}
+    }
     $self->{'separator'} = "$CRLF--$boundary$CRLF";
     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
     $type = SERVER_PUSH($boundary);
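Review bot: The replacement boundary is built from `rand`, which Perl seeds automatically but which is not a cryptographic generator, so a boundary is still guessable by someone who can observe a few earlier ones; that is presumably acceptable here, since the goal is to stop part content that simply contains the old fixed string, but nothing in the hunk says so. A short comment above the `if` would record the intent, e.g. `# Randomise the default boundary so a fixed, well-known separator cannot be embedded in part content to forge an extra part.`. Note also that the check is `!$boundary`, so a caller-supplied boundary of `'0'` is silently replaced, as it was with the old `||`. multipart_init's body continues past the end of the hunk.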
@@ -1464,6 +1470,23 @@ sub header {
                             'EXPIRES','NPH','CHARSET',
                             'ATTACHMENT','P3P'],@p);
 
+    # CR escaping for values, per RFC 822
+    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
+        if (defined $header) {
+            # From RFC 822:
+            # Unfolding  is  accomplished  by regarding   CRLF   immediately
+            # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+            $header =~ s/$CRLF(\s)/$1/g;
+
+            # All other uses of newlines are invalid input. 
+            if ($header =~ m/$CRLF|\015|\012/) {
+                # shorten very long values in the diagnostic
+                $header = substr($header,0,72).'...' if (length $header > 72);
+                die "Invalid header value contains a newline not followed by whitespace: $header";
+            }
+        }
+    }
+
     $nph     ||= $NPH;
 
     $type ||= 'text/html' unless defined($type);
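Review bot: The newline check is skipped for a `-cookie` value passed as an array reference, which header() accepts (it later flattens `@{$cookie}` into one `Set-Cookie:` line per element): `$header =~ m/.../` on a reference matches against its stringified form (`ARRAY(0x...)`), so none of the elements are inspected and a CRLF inside one of them still reaches the output. The loop should descend into array references and apply the unfolding and the `die` to each element; because the unfolding writes back through the alias, an inner `for` over `@$header` keeps that behaviour, whereas a `map` in the outer list might not. The same stringification caveat applies to blessed cookie objects, which pass only because their overloaded string form is what is checked. The rest of header() lies outside the hunk.
```perl
    for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
        next unless defined $header;
        # -cookie may be an array reference: check each element, not the ref's stringification
        for my $value (ref $header eq 'ARRAY' ? @$header : $header) {
            # … unchanged: RFC 822 unfolding and newline check, applied to $value …
        }
    }
```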