
This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 35318
Status: rejected
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: MV5492 [...] att.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CGI hidden values within form appearing on link
Date: Tue, 22 Apr 2008 16:08:45 -0500
From: "Vanole, Mike" <MV5492 [...] att.com>

Hi,

I reported this as a webserver7 problem, but playing around with CGI versions revealed CGI.pm was causing odd behavior.

Problem noticed at CGI.pm-3.33
Problem still there at CGI.pm-3.35
Downgraded to version CGI.pm-3.15 and the problem goes away.

Here is the code for a test cgi that replicates the problem to see exactly what I'm talking about. At 3.33 and above clicking the buttons as directed reveals the values in the URL at the second button click when we expect them to remain hidden. The second form submission somehow gets transformed from a POST to a GET. The same cgi running under 3.15 and lower keeps the values hidden.

perl 5.8.8 on Solaris 9

    #!/usr/local/bin/perl
    use CGI;
    use CGI::Carp qw(fatalsToBrowser);

    $q = new CGI;
    print $q->header;
    print $q->start_html("test");

    $ASCS1chk = $q->param('ASCS1');
    $ASCS2chk = $q->param('ASCS2');

    print "<CENTER>";

    if (length($ASCS1chk) != 0) {
        &ASC_2();
    } elsif (length($ASCS2chk) != 0) {
        &junk();
    } else {
        &ASC_1();
    }

    sub ASC_1 {
        $USERID = 'jj';
        print $q->start_form();
        print "<table border=0 width=400 cellspacing=2 cellpadding=0>";
        print "<tr><td align=left class=ctm> </td>";
        undef @ATempArray;
        push(@ATempArray,'Account ET - CARE History');
        push(@ATempArray,'Audits');
        if ($#ATempArray != -1) {
            print "<tr><td align=left width=30% class=ctm> </td>";
            print "<tr><td><td align=right class=ctf colspan=6>";
            print $q->hidden(-name=>'USER_IN',-value=>$USERID,-force=>1);
            print $q->submit(-style=>'font-family:arial; font-size: 11;',-name=>'ASCS1',-value=>'Click this button');
            print $q->end_form;
        }
        print "</table>";
    }

    sub ASC_2 {
        $USERID1 = $q->param('USER_IN');
        $ASCUPD_CHK = $q->param('ASCUPD');
        print "<table border=0 width=400 cellspacing=2 cellpadding=0>";
        print $q->start_form(-name=>'OV2');
        print "<tr><td align=left class=ctf nowrap valign=top>";
        print $q->hidden(-name=>'ORIGASC',-value=>$ASCUPD_CHK,-force=>1);
        print $q->hidden(-name=>'USER_IN2',-value=>$USERID1,-force=>1);
        print $q->hidden(-name=>'DFHR',-value=>$DefHR,-force=>1);
        print $q->hidden(-name=>'DFHM',-value=>$DefMN,-force=>1);
        print $q->hidden(-name=>'ACTDT',-value=>$OVDate,-force=>1);
        print "<tr><td align=center valign=top> ";
        print "<tr><td align=center valign=top> ";
        print "<tr><td align=right valign=top colspan=2>";
        print $q->submit(-style=>'font-family:arial; font-size: 11;',-name=>'ASCS2',-value=>'Now Click this button');
        print $q->end_form();
        print "<tr><td align=right valign=top colspan=6>";
        print "</table>";
    }

    sub junk {
        print "The values you see in the address line are hidden values within a form. We are not expecting them to be displayed here. Usually they are not displayed in this line. There are no alink refs within this cgi";
    }

Please let me know if there is more I can provide.

Thanks for a great perl module!

Mike

Subject: RE: [rt.cpan.org #35318] AutoReply: CGI hidden values within form appearing on link
Date: Wed, 23 Apr 2008 05:18:10 -0500
From: "Vanole, Mike" <MV5492 [...] att.com>

Here is a little more information from someone else who was looking at a workaround:

---------

FYI - I updated to CGI.pm 3.29. I'm now getting the same behavior you reported. I was able to code around the behavior with:

    print $q->start_form(-name=>'OV2',-action => $ENV{SCRIPT_NAME});

This forces CGI.pm to pull the SCRIPT_NAME environment variable from the information passed to it by the server at request time, and use that as the action rather than the default value (which is supposed to be "this script," but is clearly now picking up data from the prior POST and appending it to "this script" as query data).

I also notice that smart_form() appears to be using multipart/form-data despite the docs indicating that it will use application/x-www-form-urlencoded, and that start_multipart_form() needs to be used if a multipart form is desired. I get the impression that the docs for CGI.pm no longer accurately reflect the state of the software.

On Wed Apr 23 06:18:31 2008, MV5492@att.com wrote:
> Here is a little more information from someone else who was looking at a
> workaround:
> ---------
> FYI - I updated to CGI.pm 3.29. I'm now getting the same behavior you
> reported. I was able to code around the behavior with:
>
>     print $q->start_form(-name=>'OV2',-action => $ENV{SCRIPT_NAME});
>
> This forces CGI.pm to pull the SCRIPT_NAME environment variable from the
> information passed to it by the server at request time, and use that as
> the action rather than the default value (which is supposed to be "this
> script," but is clearly now picking up data from the prior POST and
> appending it to "this script" as query data).

I think what you experienced in the upgrade may have been a fix rather than a bug. Including the query params in the query string is a way to save state. If you don't want that behavior, then explicitly stating the "action" you want is the recommended path. The recommendation above to use "$ENV{SCRIPT_NAME}" is reasonable.

I'm marking this bug as "rejected" for now.

Regarding the start_form() behavior and documentation, see this bug:

https://rt.cpan.org/Ticket/Display.html?id=22046

Mark
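
A check for the behaviour discussed in this ticket, as an added example that is not part of the ticket or of CGI.pm: it builds the second form with the default action and with the explicit `-action` workaround, then reports which request parameters end up in the form's action URL, where they would be visible in the address bar and recorded wherever URLs are logged. The request values and the SCRIPT_NAME path are constructed, `leaked_params` is a hypothetical helper, and the result for the default action depends on the installed CGI.pm version and the server environment.

```perl
#!/usr/bin/perl
# Added example: not from the ticket or from the CGI.pm distribution.
use strict;
use warnings;
use CGI;

# Constructed script path; the ticket's workaround reads this variable.
$ENV{SCRIPT_NAME} = '/cgi-bin/test.cgi';

# Constructed request: the fields the first form in the report submits.
my $q = CGI->new({ USER_IN => 'jj', ASCS1 => 'Click this button' });

# Hypothetical helper: names of current request parameters that appear in
# the query string of the <form> tag's action attribute.
sub leaked_params {
    my ($query_obj, $form_html) = @_;
    my ($action) = $form_html =~ /<form\b[^>]*\baction="([^"]*)"/i
        or return;
    my ($query) = $action =~ /\?(.*)\z/s
        or return;
    my %in_query;
    # Pairs may be joined with ';', '&' or an HTML-escaped '&amp;'.
    for my $pair (split /&amp;|[;&]/, $query) {
        my ($name) = split /=/, $pair, 2;
        $in_query{$name} = 1 if defined $name && length $name;
    }
    return grep { $in_query{$_} } $query_obj->param;
}

my @cases = (
    [ 'default action'  => $q->start_form(-name => 'OV2') ],
    [ 'explicit action' => $q->start_form(-name   => 'OV2',
                                          -action => $ENV{SCRIPT_NAME}) ],
);

for my $case (@cases) {
    my ($label, $html) = @$case;
    my @leaked = leaked_params($q, $html);
    my $verdict = @leaked
        ? "request parameters in action URL: @leaked"
        : "no request parameters in action URL";
    print "$label: $html\n  $verdict\n";
}
```

Run against each CGI.pm version in use, the same check shows whether an upgrade changes what a form without an explicit `-action` exposes.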

