Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 17184
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: Nobody in particular
Requestors: frank.fbi [...] web.de
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: CGI.pm file upload: param('upfile') returns file content instead of file name
Download (untitled) / with headers
text/plain 2.4k
Hi, I found the following: If I try to upload a file that has a SEMICOLON [;] in its name, - the upload fails - the complete file content is returned via the param('upfile') call!! (and tends to end up in a scalar that should usually hold the filename and serve as a filehandle) I'm using CGI.pm version 3.05 with Perl v5.8.6 and Apache 1.33 (Darwin) under Mac OS X 10.4 on the server. Server and client are the same machine. The problem does not occur with CGI.pm version 2.81 on a Linux server and slightly different Apache version (I don't know the exact versions) I also found the bug on the web! (See below) It does not seem to be a browser or client os issue. Mozilla 1.7, IE for Mac, and Safari all show the same effect. Same effect from a Windows client with mozilla. Here's the code - derived from http://www.cgi101.com/book/ch14/upload.html Try to upload a small text file that has a semicolon in its name! ################# #!/usr/bin/perl -wT use CGI qw(:standard); use CGI::Carp qw(fatalsToBrowser warningsToBrowser); use strict; print header; print start_html("Upload File"); print "Using CGI.pm version: ", $CGI::VERSION; print h2("Upload Results"); my $file = param('upfile'); unless ( $file ) { # Build a simple file upload form print "Nothing yet uploaded?<p>\n"; print start_multipart_form; print 'Hint: Try a ', strong('small'), ' file that as a semicolon [;] in its name', br; print filefield('upfile', '', 45), br; print reset, submit('submit','Start Upload'); print endform; } else { # Print infos # This might print the complete file content, without any html encoding, to the browser!! print "Filename: $file<br>\n"; # CGI.pm saves a temporary file for us - check its name my $tmpfile=tmpFileName($file); print "TempFile : $tmpfile<br>\n"; # Using the "filehandle" that CGI.pm gave us: try to find filesize my $fsize = (-s $file) || 0; print "File Size: $fsize Bytes<br>\n"; # print the uploadInfo associative array my $finfo_ref; if (defined ($finfo_ref = uploadInfo($file))) { my $key; foreach $key (keys %$finfo_ref) { print $key, ' : ', %{$finfo_ref}->{$key}, br, "\n"; } } print "File saved!<p>\n"; } print end_html; ################# Other places to look at: - The bug does NOT show up here: http://www.apache-asp.org/eg/file_upload.asp - but it does here [2006/01/19]: http://www.cgi101.com/book/ch14/upload.html Good luck - and thanks anyway!! Frank
Download (untitled) / with headers
text/plain 2.6k
On Fri Jan 20 07:15:37 2006, guest wrote: Show quoted text
> Hi, > > I found the following: > > If I try to upload a file that has a SEMICOLON [;] in its name, > > - the upload fails > - the complete file content is returned via the param('upfile')
call!! Show quoted text
> (and tends to end up in a scalar that should usually hold the > filename and serve as a filehandle) > > I'm using CGI.pm version 3.05 with Perl v5.8.6 and Apache 1.33
(Darwin) Show quoted text
> under Mac OS X 10.4 on the server. Server and client are the same > machine. The problem does not occur with CGI.pm version 2.81 on a
Linux Show quoted text
> server and slightly different Apache version (I don't know the exact > versions) I also found the bug on the web! (See below) > > It does not seem to be a browser or client os issue. Mozilla 1.7, IE
for Show quoted text
> Mac, and Safari all show the same effect. Same effect from a Windows > client with mozilla. > > Here's the code - derived from
http://www.cgi101.com/book/ch14/upload.html Show quoted text
> Try to upload a small text file that has a semicolon in its name! > > ################# > #!/usr/bin/perl -wT > use CGI qw(:standard); > use CGI::Carp qw(fatalsToBrowser warningsToBrowser); > use strict; > > print header; > print start_html("Upload File"); > print "Using CGI.pm version: ", $CGI::VERSION; > print h2("Upload Results"); > > my $file = param('upfile'); > unless ( $file ) { > # Build a simple file upload form > print "Nothing yet uploaded?<p>\n"; > print start_multipart_form; > print 'Hint: Try a ', strong('small'), ' file that as a semicolon > [;] in its name', br; > print filefield('upfile', '', 45), br; > print reset, submit('submit','Start Upload'); > print endform; > > } else { > # Print infos > # This might print the complete file content, without any html > encoding, to the browser!! > print "Filename: $file<br>\n"; > > # CGI.pm saves a temporary file for us - check its name > my $tmpfile=tmpFileName($file); > print "TempFile : $tmpfile<br>\n"; > > # Using the "filehandle" that CGI.pm gave us: try to find
filesize Show quoted text
> my $fsize = (-s $file) || 0; > print "File Size: $fsize Bytes<br>\n"; > > # print the uploadInfo associative array > my $finfo_ref; > if (defined ($finfo_ref = uploadInfo($file))) { > my $key; > foreach $key (keys %$finfo_ref) { > print $key, ' : ', %{$finfo_ref}->{$key}, br, "\n"; > } > } > > print "File saved!<p>\n"; > } > > print end_html; > ################# > > > Other places to look at: > > - The bug does NOT show up here: > > http://www.apache-asp.org/eg/file_upload.asp > > > - but it does here [2006/01/19]: > > http://www.cgi101.com/book/ch14/upload.html > > Good luck - and thanks anyway!! > > Frank > > >
Download (untitled) / with headers
text/plain 2.8k
On Fri Jan 20 07:15:37 2006, guest wrote: Show quoted text
> Hi, > > I found the following: > > If I try to upload a file that has a SEMICOLON [;] in its name, > > - the upload fails > - the complete file content is returned via the param('upfile') call!! > (and tends to end up in a scalar that should usually hold the > filename and serve as a filehandle) > > I'm using CGI.pm version 3.05 with Perl v5.8.6 and Apache 1.33 (Darwin) > under Mac OS X 10.4 on the server. Server and client are the same > machine. The problem does not occur with CGI.pm version 2.81 on a Linux > server and slightly different Apache version (I don't know the exact > versions) I also found the bug on the web! (See below) > > It does not seem to be a browser or client os issue. Mozilla 1.7, IE for > Mac, and Safari all show the same effect. Same effect from a Windows > client with mozilla. > > Here's the code - derived from http://www.cgi101.com/book/ch14/upload.html > Try to upload a small text file that has a semicolon in its name! > > ################# > #!/usr/bin/perl -wT > use CGI qw(:standard); > use CGI::Carp qw(fatalsToBrowser warningsToBrowser); > use strict; > > print header; > print start_html("Upload File"); > print "Using CGI.pm version: ", $CGI::VERSION; > print h2("Upload Results"); > > my $file = param('upfile'); > unless ( $file ) { > # Build a simple file upload form > print "Nothing yet uploaded?<p>\n"; > print start_multipart_form; > print 'Hint: Try a ', strong('small'), ' file that as a semicolon > [;] in its name', br; > print filefield('upfile', '', 45), br; > print reset, submit('submit','Start Upload'); > print endform; > > } else { > # Print infos > # This might print the complete file content, without any html > encoding, to the browser!! > print "Filename: $file<br>\n"; > > # CGI.pm saves a temporary file for us - check its name > my $tmpfile=tmpFileName($file); > print "TempFile : $tmpfile<br>\n"; > > # Using the "filehandle" that CGI.pm gave us: try to find filesize > my $fsize = (-s $file) || 0; > print "File Size: $fsize Bytes<br>\n"; > > # print the uploadInfo associative array > my $finfo_ref; > if (defined ($finfo_ref = uploadInfo($file))) { > my $key; > foreach $key (keys %$finfo_ref) { > print $key, ' : ', %{$finfo_ref}->{$key}, br, "\n"; > } > } > > print "File saved!<p>\n"; > } > > print end_html; > ################# > > > Other places to look at: > > - The bug does NOT show up here: > > http://www.apache-asp.org/eg/file_upload.asp > > > - but it does here [2006/01/19]: > > http://www.cgi101.com/book/ch14/upload.html > > Good luck - and thanks anyway!!
I'll be submitting a test for this shortly that goes in "t/upload.t". The test passes with CGI.pm 3.25. Unless another test can be provided which reproduces this bug, I believe this report can be marked as "resolved". Mark
From: bitcard [...] aithal.org
Download (untitled) / with headers
text/plain 722b
Show quoted text
> I'll be submitting a test for this shortly that goes in "t/upload.t". > The test passes with CGI.pm 3.25. > > Unless another test can be provided which reproduces this bug, I believe > this report can be marked as "resolved". >
I am seeing a very similar behaviour with upload() not returning a filehandle for the upload, and param(<filename>) returning the file content. I'm seeing it on: SuSE 9.3 Apache 2.0.55 mod_perl 2.0.2-1.1.20060119 CGI 3.25 and CentOS 4 mod_perl 2.0.3 CGI 3.25 This doesn't seem to relate to the filename. The script is running under mod_perl, with the following options: PerlOptions -ParseHeaders +GlobalRequest PerlResponseHandler ModPerl::Registry Cheers vittal
From: bitcard [...] aithal.org
Download (untitled) / with headers
text/plain 481b
On Mon Dec 18 06:45:47 2006, vittala wrote: Show quoted text
> > I'll be submitting a test for this shortly that goes in "t/upload.t". > > The test passes with CGI.pm 3.25. > > > > Unless another test can be provided which reproduces this bug, I believe > > this report can be marked as "resolved". > >
A bit more information. Downgrading to CGI 3.20 results in the expected behaviour. 3.21 and 3.22 both fail due to the upload typo. 3.23 did not return the upload filehandle. cheers vittal
From: idallen [...] idallen.ca
Download (untitled) / with headers
text/plain 1.7k
In CGI.pm-3.35 the semicolon problem is fixed for Web use and broken for command-line use. Semicolon characters used on the command line, like this: $ ./cgipm filename="/abc;def" cause the filename parameter returned to be "abc" (not "abc;def") and create a spurious extra CGI paramater named "def". The script below shows this. The web parsing of filenames is still broken for filenames that contain double-quote characters, e.g. names such as: xx" "yy" "zz If the files actually exist and contain content, the content will often be returned instead of any parts of the file name. Here's the sample script: #!/usr/bin/perl -w # # CGI.pm-3.35 # # If you run this script from a web browser (Firefox) and give file names # with double-quote characters in them, CGI.pm mis-parses the names. If the # file doesn't exist, CGI.pm usually returns an empty name. If the file # exists and has content, CGI.pm may return the *content* as the file name! # # Running the script from the shell command line and passing in strings # via filename='string' also misbehaves. A semicolon in the file name # will create new CGI parameters instead of being part of the file name. # # Some names to enter into the filefield box, showing the problems: # # /tmp/xx" # /tmp/"yy" # /tmp/"zz # /tmp/abc;def # broken at the command line only use strict; use CGI qw/:standard/; print header, start_html('Bug parsing file names'), h1('Bug parsing file names'), start_multipart_form(), "filename? ",filefield( '-name' => 'filename'), submit, end_form, hr; if (param()) { my @a = param(); print "<br>params are: @a"; my $filename = param('filename'); print "<br>filename is: ",escapeHTML($filename); }
Download (untitled) / with headers
text/plain 616b
On Thu Apr 17 13:57:58 2008, idallen@idallen.ca wrote: Show quoted text
> In CGI.pm-3.35 the semicolon problem is fixed for Web use and broken > for command-line use. Semicolon characters used on the command line, > like this: > > $ ./cgipm filename="/abc;def"
This is not a CGI.pm bug: The shell is terminating your command after the semicolon. I'll bet you'll find that this works as expected: $ ./cgipm 'filename="/abc;def"' Regarding the file names with quotes in them. It would be great to have an automated test for that, and I agree it should be patched. If you would like to submit such a patch, that would be great.
Download (untitled) / with headers
text/plain 192b
Resolving due to lack of activity since 2009. If you have a Test::More-style test case that reproduces the issue, or otherwise can still confirm it exists, feel free to re-open it. Mark


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.