Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 62446
Status: rejected
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors:
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 3.49
Fixed in: (no value)



Subject: LF only instead of CRLF breaks multiform POST data processing on file uploads from certain devices
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
X-RT-Original-Encoding: utf-8
Content-Type: multipart/mixed; boundary="----------=_1288033786-2362-153"
Content-Length: 0
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Length: 1373
Download (untitled) / with headers
text/plain 1.3k
CGI.pm v. 3.49 fails to process multipart POST submissions that use LF instead of CRLF as line separators in POST data. This happens at least with some Android devices. This bug may, or may not, be related to the earlier reported problem in the bug submission 31107. A suggested bug fix consists of a few modified lines of code. With the suggested modifications, the problem disappears. The revised and the original CGI.pm are attached. Run diff to see the modified lines of code. A sample multipart POST file upload request from an Android device is attached as 'testdata.htc'. Compare it with a multipart POST file upload request from a Windows client in 'testdata.win' Apparently, CGI.pm attempts to guess the line separators while processing form submissions. It appears however that guessing is done on the basis of machine architecture and not on the basis of the data in a POST submission. I believe the latter approach would make more sense since these days the client architecture is no longer a reliable indicator of whether the client machine uses CRLF or LF only. I tried contacting Lincoln Stein for a few months suggesting to incorporate this bug fix into new releases of CGI.pm. I have got no response from him so far. Regardless of that, I believe posting the suggested fix here will help at least those who experience this bug. - Val
Subject: testdata.htc
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; name="testdata.htc"
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Content-Disposition: inline; filename="testdata.htc"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: iso-8859-1
Content-Length: 1269
Download testdata.htc
text/plain 1.2k
SERVER_SOFTWARE=lighttpd/1.4.26 SERVER_NAME=erased_for_privacy GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 SERVER_PORT=80 SERVER_ADDR=0.0.0.0 REQUEST_METHOD=POST REDIRECT_STATUS=200 REQUEST_URI=/cgi-bin/upload.php REMOTE_ADDR=erased_for_privacy REMOTE_PORT=18172 CONTENT_LENGTH=516 SCRIPT_FILENAME=/opt/share/www/cgi-bin/upload.php SCRIPT_NAME=/cgi-bin/upload.php DOCUMENT_ROOT=/opt/share/www/ HTTP_USER_AGENT=Java0 HTTP_HOST=server_name_erased_for_privacy HTTP_CONNECTION=Keep-Alive HTTP_CONTENT_LENGTH=516 CONTENT_TYPE=multipart/form-data; boundary=================================== --================================== Content-Disposition: form-data; name="userfile"; filename="vkpw.db" Content-Type: application/octet-stream UPM!ÿR}(ўQõö [#0•Zѐ²–‚)f8…š–Öó"L¡ÙvÁm•€Å ˆg^Xæt‹1¥L,~¬û]RôXˆ!ÁË[ü5 DðyAΛ2o¥€ôß>Ê­`ªÃ¯ê6·r9Eø­h¢© G6æSÈIôÉ4æiœÕ¡#ÉÉJÔ]ÿF}#CâEFóxó©ãZåMõR5Þ#ð¼Þ ´©lÙcʃ8Ž¥ÄIÔ$ª?‹"2n¶u êlQ¤¬@º2žù;\óÄ÷é4%¥pbÃðíÝü°)a¹Áo¤1žèÄ0^Ô¬ž 1u°nñf\õ ®c ’‚VOåþG¦Î¬âï…×äMCîÚÈm»/}Ñ$IFi3g$¤C´¼gšõ•z÷;¯ÏÁ¯£òG¬„Ó <-ªì»=k/•½ --==================================--
Subject: CGI.pm-3.49.original
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; name="CGI.pm-3.49.original"
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Content-Disposition: inline; filename="CGI.pm-3.49.original"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: ascii
Content-Length: 259293
Download CGI.pm-3.49.original
text/plain 253.2k

Message body is not shown because it is too large.

Subject: testdata.win
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; name="testdata.win"
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Content-Disposition: inline; filename="testdata.win"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: UTF-16BE
Content-Length: 1543
Download testdata.win
text/plain 1.5k
卅剖䕒当但呗䅒䔽汩杨瑴灤⼱⸴⸲㘊卅剖䕒彎䅍䔽敲慳敤彦潲彰物癡捹䝁呅坁奟䥎呅剆䅃䔽䍇䤯ㄮㄊ卅剖䕒彐剏呏䍏䰽䡔呐⼱⸱卅剖䕒彐佒吽㠰卅剖䕒彁䑄刽〮〮〮《剅兕䕓呟䵅呈佄㵐体吊剅䑉剅䍔当呁呕匽㈰《剅兕䕓呟啒䤽⽣杩ⵢ楮⽵灬潡搮灨瀊剅䵏呅彁䑄刽敲慳敤彦潲彰物癡捹剅䵏呅彐佒吽㌹㠳䍏乔䕎呟䱅乇呈㴴㜸千剉偔彆䥌䕎䅍䔽⽯灴⽳桡牥⽷睷⽣杩ⵢ楮⽵灬潡搮灨瀊千剉偔彎䅍䔽⽣杩ⵢ楮⽵灬潡搮灨瀊䑏䍕䵅乔归住吽⽯灴⽳桡牥⽷睷⼊䡔呐录卅剟䅇䕎吽䩡歡牴愠䍯浭潮猭䡴瑰䍬楥湴⼳⸰䡔呐彈体吽敲慳敤彦潲彰物癡捹䡔呐彃低呅乔彌䕎䝔䠽㐷㠊䍏乔䕎呟呙偅㵭畬瑩灡牴⽦潲洭摡瑡㬠扯畮摡特㵷稱浍猶娵剡䈶捫㐰搴㡫䍖畔兎噦扄ⴊⴭ睺ㅭ䵳㙚㕒慂㙣欴つ㐸歃噵呑乖晢䐭䍯湴敮琭䑩獰潳楴楯渺⁦潲洭摡瑡㬠湡浥㴢畳敲晩汥∻⁦楬敮慭攽≶歰眮摢∊䍯湴敮琭呹灥㨠慰灬楣慴楯港潣瑥琭獴牥慭㬠捨慲獥琽䥓伭㠸㔹ⴱ䍯湴敮琭呲慮獦敲ⵅ湣潤楮机⁢楮慲礊啐䴂⇿剿紨톞퍏輜鎩醪ﶠ橇큺튭迷靌儍䉴忂�ᖞ⭞퉷襹쏦㡳혛뒘쎌懀⹩敢鈿셪勅乻�땚䈺数Ù䳼쮲삃藾푰㩦≰㶉貅⅘�抾㏝ᶈゥ덺뿤蘳ꋤ灝藌ꞃ䎝⎜묚ⴜꯝ邝커ꊒꘜ푗Ꝺ넋�埽말⟕㥇쪪 䪚蘌欌殈ᵿ䨋�ᬆ郣㹉T鼎숗褺輼엞��悳쉠ŧ큯ଊⴭ睺ㅭ䵳㙚㕒慂㙣欴つ㐸歃噵呑乖晢䐭ⴭ
Subject: CGI.pm-3.49.revised
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; name="CGI.pm-3.49.revised"
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Content-Disposition: inline; filename="CGI.pm-3.49.revised"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: ascii
Content-Length: 259551
Download CGI.pm-3.49.revised
text/plain 253.4k

Message body is not shown because it is too large.

From mark [...] summersault.com Mon Oct 25 15: 40:43 2010
MIME-Version: 1.0
X-Spam-Status: No, score=-7.879 tagged_above=-99.9 required=10 tests=[AWL=-1.644, BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_SOFTFAIL=0.665] autolearn=ham
In-Reply-To: <rt-3.8.HEAD-2362-1288033787-1026.62446-4-0 [...] rt.cpan.org>
X-Spam-Flag: NO
References: <RT-Ticket-62446 [...] rt.cpan.org> <rt-3.8.HEAD-2362-1288033787-1026.62446-4-0 [...] rt.cpan.org>
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
Message-ID: <4CC5DD34.6070409 [...] summersault.com>
Content-Type: text/plain; charset=UTF-8
X-RT-Original-Encoding: utf-8
X-Spam-Score: -7.879
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 2777B240F34 for <cpan-bug+CGI [...] hipster.bestpractical.com>; Mon, 25 Oct 2010 15:40:43 -0400 (EDT)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dpx2e5tl93ru for <cpan-bug+CGI [...] hipster.bestpractical.com>; Mon, 25 Oct 2010 15:40:41 -0400 (EDT)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 1068E240E74 for <bug-CGI [...] rt.cpan.org>; Mon, 25 Oct 2010 15:40:33 -0400 (EDT)
Received: (qmail 2085 invoked by uid 103); 25 Oct 2010 19:40:44 -0000
Received: from x16.dev (10.0.100.26) by x1.dev with QMQP; 25 Oct 2010 19:40:44 -0000
Received: from tanagra.summersault.com (HELO tanagra.summersault.com) (12.161.105.149) by 16.mx.develooper.com (qpsmtpd/0.80) with ESMTP; Mon, 25 Oct 2010 12:40:42 -0700
Received: (qmail 76070 invoked from network); 25 Oct 2010 19:40:36 -0000
Received: from simba.summersault.com (192.168.97.182) by tanagra.summersault.com with SMTP; 25 Oct 2010 19:40:36 -0000
Delivered-To: cpan-bug+CGI [...] hipster.bestpractical.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100922 Thunderbird/3.1.4
Subject: Re: [rt.cpan.org #62446] LF only instead of CRLF breaks multiform POST data processing on file uploads from certain devices
Return-Path: <mark [...] summersault.com>
X-Spam-Check-BY: 16.mx.develooper.com
X-Original-To: cpan-bug+CGI [...] hipster.bestpractical.com
X-RT-Mail-Extension: cgi
Date: Mon, 25 Oct 2010 15:40:36 -0400
X-Spam-Level:
To: bug-CGI [...] rt.cpan.org
X-Enigmail-Version: 1.1.1
Content-Transfer-Encoding: 7bit
From: Mark Stosberg <mark [...] summersault.com>
RT-Message-ID: <rt-3.8.HEAD-2363-1288035654-1670.62446-0-0 [...] rt.cpan.org>
Content-Length: 186
Download (untitled) / with headers
text/plain 186b
Thanks for the report. There are other people helping maintain CGI.pm now, and we also get these bug reports and act on them as we have time. We'll look into your suggestion. Mark
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Content-Disposition: inline
Content-Type: text/plain; charset="UTF-8"
Message-ID: <rt-3.8.HEAD-2358-1290289006-712.62446-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
RT-Send-CC: yanick-cpan [...] babyl.dyndns.org
Content-Length: 938
Download (untitled) / with headers
text/plain 938b
Before going further with this I would like to be sure that the change we are making brings CGI.pm closer in line with RFCs, and is not just bloat to support other buggy software. Here's a couple related primary documents I've found so far: RFC 2387 - The MIME Multipart/Related Content-type http://www.faqs.org/rfcs/rfc2387.html This document refers to neither newlines nor CRLF. The CGI 1.1 RFC http://www.ietf.org/rfc/rfc3875 says a bit on the topic, including " the newline (NL) sequence is LF; servers SHOULD also accept CR LF as a newline." From my so far of the two documents above, it looks like we should support LF as well as CRLF. For an additional reference, here is the "diff" of CGI.pm 3.27 with the version before it: http://search.cpan.org/diff?from=CGI.pm-3.25&to=CGI.pm-3.27&w=1 To move this ticket forward, I'd like a proposal that's backed by standards, not just how some user agents behave. Mark
X-RT-Interface: REST
MIME-Version: 1.0
X-Mailer: MIME-tools 5.504 (Entity 5.504)
RT-Message-ID: <rt-4.0.18-6007-1400760556-1179.62446-0-0 [...] rt.cpan.org>
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Length: 240
Download (untitled) / with headers
text/plain 240b
This issue has been copied to: https://github.com/leejo/CGI.pm/issues/77 please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.
MIME-Version: 1.0
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
X-RT-Interface: Web
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.0.18-16349-1411220260-1298.62446-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 126
Download (untitled) / with headers
text/plain 126b
Rejecting - patch lacks automated tests and breaks existing automated tests. If you can fix both these i am happy to apply it.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.