
Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 25287
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: scop [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



In CGI.pm 3.19 and later, calling url() in a context like http://validator.w3.org/check?uri=http%3A%2F%2Fmissingno.ifrance.com%2FC%2B%2B.php , an unescaped script uri is used as a regexp, causing breakage like this: http://www.w3.org/Bugs/Public/show_bug.cgi?id=4365

Possible fix against 3.27 attached.

On a related note, it is not clear to me exactly where _name_and_path_from_env should be detecting an Apache bug from, from the complete URI or only the part excluding the query string? Currently it doesn't exclude the query string, so if it contains a // (such as in the validator.w3.org case above), it is flagged as an Apache bug and consequently the returned script name will contain the query string. Surely this is not intentional?
Subject: cgi.patch
--- CGI.pm~ 2007-03-05 18:51:52.000000000 +0200 +++ CGI.pm 2007-03-05 19:58:50.000000000 +0200 @@ -2697,7 +2697,7 @@ my $request_uri = unescape($self->request_uri) || ''; my $query_str = $self->query_string; - my $rewrite_in_use = $request_uri && $request_uri !~ /^$script_name/; + my $rewrite_in_use = $request_uri && $request_uri !~ /^\Q$script_name\E/; undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active my $uri = $rewrite && $request_uri ? $request_uri : $script_name;
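Review bot: on the changed $rewrite_in_use line, the test is a literal prefix comparison, so it does not need a regex at all; index($request_uri, $script_name) != 0 expresses the same check and keeps $script_name out of pattern compilation entirely. If the regex form stays, \Q...\E is the right quoting, but the hunk carries no regression test; a case where the script name contains a metacharacter, such as the C++.php name from this report, would keep the unquoted form from coming back.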
Oh, forgot that I already reported _name_and_path_from_env issues in ticket #24479
On Mon Mar 05 13:02:16 2007, SCOP wrote:
> In CGI.pm 3.19 and later, calling url() in a context like
> http://validator.w3.org/check?uri=http%3A%2F%2Fmissingno.ifrance.com%2FC%2B%2B.php
> , an unescaped script uri is used as a regexp, causing breakage like
> this:
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=4365
> Possible fix against 3.27 attached.

Thanks for this patch. I'm confirming it was previously applied and exists in 3.43. I'm closing this bug report now.

Mark
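The prefix test discussed in this ticket, as an added example (not part of the ticket or of CGI.pm): it runs the unquoted interpolation and the \Q...\E form from the patch over constructed request URIs and script names, trapping pattern-compilation failures. The function names and sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Prefix test as it stood before the patch: $script_name is compiled as a
# pattern, so its metacharacters change what is matched or fail to compile.
sub mismatch_unquoted {
    my ($request_uri, $script_name) = @_;
    my $r = eval { $request_uri !~ /^$script_name/ ? 1 : 0 };
    return defined $r ? $r : 'dies: ' . (split /\n/, $@)[0];
}

# Prefix test with the patch applied: \Q...\E makes every character of
# $script_name literal before the pattern is compiled.
sub mismatch_quoted {
    my ($request_uri, $script_name) = @_;
    return $request_uri !~ /^\Q$script_name\E/ ? 1 : 0;
}

# Constructed sample inputs: [ request URI (already unescaped), script name ]
my @cases = (
    [ '/cgi-bin/check?uri=x', '/cgi-bin/check' ],  # no metacharacters
    [ '/C++.php',             '/C++.php'       ],  # '+' is a quantifier
    [ '/a(b.cgi',             '/a(b.cgi'       ],  # unbalanced '('
    [ '/xzcgi',               '/x.cgi'         ],  # '.' matches any character
);

for my $case (@cases) {
    my ($uri, $name) = @$case;
    printf "%-22s %-16s unquoted=%s quoted=%s\n",
        $uri, $name,
        mismatch_unquoted($uri, $name),
        mismatch_quoted($uri, $name);
}
```

A value of 1 means the request URI was judged not to start with the script name, which is the condition the patched line stores in $rewrite_in_use.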

