perl-HTTP-Daemon/HTTP-Daemon-6.01-CVE-2026-8450.patch
RHEL Packaging Agent 33172531b3 Fix CVE-2026-8450: send_file() RCE via 2-arg open() shell-magic
Backport upstream fix (commit 945d3514) for CVE-2026-8450 to
perl-HTTP-Daemon 6.01. The send_file() method in
HTTP::Daemon::ClientConn used the insecure 2-argument form of
open(), which allowed shell-magic interpretation of filenames
(pipe commands, redirections, etc.). The fix switches to
3-argument open() with an explicit '<' mode, replacing the
typeglob with a lexical filehandle. Additional hardening
includes proper binmode() failure handling and a '0E0'
true-zero return for empty successful transfers.

CVE: CVE-2026-8450
Upstream patches:
 - 945d35141d.patch
Resolves: RHEL-184825

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
2026-06-17 09:02:09 +00:00

114 lines
4.3 KiB
Diff

From 241989d49b5aedcde4bfd2a5e8257ea2c2fd252b Mon Sep 17 00:00:00 2001
From: Olaf Alders <olaf@wundersolutions.com>
Date: Thu, 14 May 2026 00:09:58 +0000
Subject: [PATCH] Fix CVE-2026-8450: send_file() honoured 2-arg open()
shell-magic
HTTP::Daemon::ClientConn::send_file() used the 2-arg form
open(FILE, $file), which interprets shell-magic prefixes in the
path argument: '| cmd' (write pipe -- RCE), 'cmd |' (read pipe --
RCE plus response-body exfiltration via the sysread / print loop
below), '> path' (write-truncate -- arbitrary file write), and
'>> path', '+< path', '<&fd', and leading-whitespace variants of
the above.
Any HTTP::Daemon-based application that passed attacker-influenced
bytes to send_file($string) -- for example, a download endpoint
that derived the filename from a query parameter -- granted command
execution and/or arbitrary file write at the daemon's UID.
Switch to 3-arg open(my $fh, '<', $file): the explicit '<' mode
makes the path argument a literal filename, so every magic shape
above is opened (and fails, returning undef) as an ordinary file by
that exact name. The localized typeglob is no longer needed and is
replaced with a lexical filehandle.
Two collateral hardening changes ride along:
- binmode() failure now closes the handle and returns undef,
rather than streaming the file with a wrong PerlIO layer.
- send_file() returns '0E0' (true zero) on a successful zero-byte
transfer so callers using "send_file or die" can distinguish
open failure (undef) from an empty-but-successful copy.
The POD now documents the new return-value contract and spells
out that the fix only neutralises 2-arg open() shell-magic;
callers remain responsible for validating attacker-influenced
paths against symlinks, character/block devices (e.g. /dev/zero),
named pipes, and document-root escapes.
Reported and patched by Stig Palmquist (stigtsp).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
lib/HTTP/Daemon.pm | 37 +++++++++++++++++++++++++++++++------
1 file changed, 31 insertions(+), 6 deletions(-)
diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
index 216c73f..a715159 100644
--- a/lib/HTTP/Daemon.pm
+++ b/lib/HTTP/Daemon.pm
@@ -617,12 +617,11 @@ sub send_file
{
my($self, $file) = @_;
my $opened = 0;
- local(*FILE);
if (!ref($file)) {
- open(FILE, $file) || return undef;
- binmode(FILE);
- $file = \*FILE;
- $opened++;
+ open(my $fh, '<', $file) || return undef;
+ binmode($fh) || do { close($fh); return undef };
+ $file = $fh;
+ $opened++;
}
my $cnt = 0;
my $buf = "";
@@ -633,7 +632,11 @@ sub send_file
print $self $buf;
}
close($file) if $opened;
- $cnt;
+
+ # Return a "true zero" for empty-but-successful copies so callers
+ # using `send_file or die` can distinguish open failure (undef)
+ # from a successful zero-byte transfer.
+ $cnt || '0E0';
}
@@ -917,6 +920,28 @@ Copy the file to the client. The file can be a string (which
will be interpreted as a filename) or a reference to an C<IO::Handle>
or glob.
+Returns the number of bytes copied on success, or C<undef> if the
+filename form failed to open. An empty file returns the string
+C<'0E0'> (zero numerically, true in boolean context) so that callers
+using C<< send_file or die >> can distinguish open failure from a
+successful zero-byte transfer.
+
+The filename form uses Perl's 3-argument C<open> with an explicit C<<
+< >> mode, so the path is no longer interpreted as a 2-argument
+C<open> shell-magic shape such as C<< | cmd >>, C<< cmd | >>, or
+C<< > path >>. See
+L<CVE-2026-8450|https://www.cve.org/CVERecord?id=CVE-2026-8450> for
+the prior 2-argument C<open> behaviour this replaces.
+
+Note that this fix only neutralises 2-argument C<open> shell-magic.
+Callers remain responsible for validating attacker-influenced paths:
+C<send_file> will still happily open symlinks, character/block devices
+(e.g. C</dev/zero>, C</dev/stdin>), named pipes (which may block the
+worker), and files outside an intended document root. If C<$filename>
+can be derived from request input, validate it (canonicalise, reject
+C<..> segments, require C<-f _> and a vetted prefix) before passing it
+in.
+
=item $c->daemon
Return a reference to the corresponding C<HTTP::Daemon> object.
--
2.52.0