
This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 79516
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: Nobody in particular
Requestors: brettcsmith [...] brettcsmith.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



From brettcsmith [...] brettcsmith.org Sat Sep 8 09:35:02 2012
Message-ID: <20120908133337.GA4490 [...] locke>
Subject: [PATCH] Use only the first X_FORWARDED_HOST for building URLs.
Date: Sat, 8 Sep 2012 09:33:45 -0400
To: bug-CGI.pm [...] rt.cpan.org
From: Brett Smith <brettcsmith [...] brettcsmith.org>
Hi,

I recently discovered an issue with an application using CGI.pm behind a proxy. In some situations, it would create redirect URLs that started with "http://example.org, example.org/". Turns out that X-Forwarded-Host can include multiple comma-space-separated hosts. Apache's mod_proxy documentation describes this in more detail.

As of this morning's git checkout, CGI.pm may use X-Forwarded-Host verbatim in the host portion of a redirect URL. Since I'm pretty sure a comma-space string will never work there, this patch has CGI.pm use the first host named in X-Forwarded-Host.

Thanks,

--- lib/CGI.pm | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/lib/CGI.pm b/lib/CGI.pm index f510680..080a4ec 100644 --- a/lib/CGI.pm +++ b/lib/CGI.pm @@ -2817,7 +2817,9 @@ sub url { my $protocol = $self->protocol(); $url = "$protocol://"; my $vh = http('x_forwarded_host') || http('host') || ''; - $vh =~ s/\:\d+$//; # some clients add the port number (incorrectly). Get rid of it. + # If there's more than one forwarded host, use the first one. + $vh = (split(/, /, $vh))[0]; + $vh =~ s/\:\d+$//; # some clients add the port number (incorrectly). Get rid of it. $url .= $vh || server_name(); -- 1.7.2.5
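Review bot: taking the first element is the wrong end of the list from a trust standpoint. When the application sits behind a proxy that appends to an X-Forwarded-Host it received, the first entry is whatever the client sent and the last entry is the one the trusted proxy added, so `$vh = (split(/, /, $vh))[0];` feeds a client-controlled host into the redirect URL built by `$url .= $vh || server_name();`. Using the last element (as the later comment on this ticket says the project ended up doing), and ideally honouring the header only when the application is known to be behind a proxy, avoids that. Two smaller points in the same hunk: `split(/, /, ...)` only handles a comma followed by exactly one space, whereas proxies also emit a bare `,`, so `split(/\s*,\s*/, $vh)` is more robust; and when `$vh` is the `''` fallback from the line above, `(split(...))[0]` yields `undef`, so the following `$vh =~ s/\:\d+$//;` triggers an uninitialized-value warning, which `$vh = (split(/\s*,\s*/, $vh))[0] || '';` would prevent.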
From mark [...] summersault.com Tue Sep 11 17:20:26 2012
In-Reply-To: <rt-3.8.HEAD-31122-1347111303-1407.79516-4-0 [...] rt.cpan.org>
References: <RT-Ticket-79516 [...] rt.cpan.org> <20120908133337.GA4490 [...] locke> <rt-3.8.HEAD-31122-1347111303-1407.79516-4-0 [...] rt.cpan.org>
Message-ID: <504FAAFD.3010201 [...] summersault.com>
Subject: Re: [rt.cpan.org #79516] [PATCH] Use only the first X_FORWARDED_HOST for building URLs.
Date: Tue, 11 Sep 2012 17:19:57 -0400
To: bug-cgi.pm [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
I'm familiar with X-Forwarded-Host possibly having multiple domains in it and will take a look. Thanks for the feedback. Mark
RT-Message-ID: <rt-4.0.18-26766-1400760887-602.79516-0-0 [...] rt.cpan.org>
This issue has been copied to: https://github.com/leejo/CGI.pm/issues/102 please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.
In-Reply-To: <20120908133337.GA4490 [...] locke>
Message-ID: <rt-4.0.18-14018-1406039330-420.79516-0-0 [...] rt.cpan.org>
Well this is interesting, see #70 and 786165e1ed07e42b2590608ec117a0dcb366d39c. We are now taking the *last* IP in the list as this is the convention in other frameworks.
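The choice the two ends of this ticket disagree on (first entry versus last entry of X-Forwarded-Host) is easiest to see side by side. The following is an added example written for this page, not code from CGI.pm or from anyone in the thread. The function name `forwarded_host`, the `$policy` argument and the sample header values are assumptions made here, and the hostname check at the end is an added safeguard that CGI.pm itself does not perform.

```perl
use strict;
use warnings;   # s///r below needs Perl 5.14 or later

# Select the host to build URLs from out of an X-Forwarded-Host value.
# $policy is 'first' (what the patch in this ticket does) or 'last'
# (what the ticket's closing comment says the project switched to).
# Returns '' when nothing usable is found, so a caller can fall back the
# way CGI.pm does with `$vh || server_name()`.
sub forwarded_host {
    my ($xfh, $policy) = @_;
    $policy = 'last' unless defined $policy;
    return '' unless defined $xfh && length $xfh;

    # Proxies join hosts with ", " or a bare ","; accept both and drop
    # empty entries such as the one a trailing comma leaves behind.
    my @hosts = grep { length } map { s/^\s+|\s+$//gr } split /,/, $xfh;
    return '' unless @hosts;

    my $vh = $policy eq 'first' ? $hosts[0] : $hosts[-1];
    $vh =~ s/:\d+$//;    # strip a trailing port, as CGI.pm does

    # Accept only a plain DNS-style hostname (an assumed policy, not
    # CGI.pm's); anything else must not end up in a redirect URL.
    my $lbl = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $vh =~ /^$lbl(?:\.$lbl)*\.?$/ ? lc $vh : '';
}

# Constructed sample header values (not captured from a real server).
# Chains grow left to right: the leftmost entry is whatever the client or
# the outermost hop sent, the rightmost is what the nearest proxy added.
my @samples = (
    [ 'from the ticket'   => 'example.org, example.org' ],
    [ 'client then proxy' => 'untrusted.example, example.org' ],
    [ 'no space, port'    => 'example.org,example.org:8080' ],
    [ 'trailing comma'    => 'example.org,' ],
    [ 'not a hostname'    => 'example.org/path, example.org' ],
    [ 'empty'             => '' ],
);
for my $s (@samples) {
    my ($label, $value) = @$s;
    printf "%-18s first=%-20s last=%s\n", $label,
        forwarded_host($value, 'first'),
        forwarded_host($value, 'last');
}
```

The second sample is the one that matters: with `first`, a value the client put in the header wins; with `last`, the entry the application's own proxy appended wins. Either way the header is only meaningful when the application really is behind a proxy that sets it, so a deployment that is not should ignore X-Forwarded-Host entirely and use the Host header or server_name().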

