Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 17441
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: Nobody in particular
Requestors: glasswalk3r [...] yahoo.com.br
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: script_name method is returning CGI parameters
Download (untitled) / with headers
text/plain 528b
Perl version: v5.8.7 built for cygwin-thread-multi-64int Running on: Microsoft Windows 2000 5.00.2195, service pack 4 Apache version: Apache/1.3.33 When executing the attached CGI with a GET using the URL below: http://localhost/cgi-bin/test.cgi?url=http://localhost/7z423.exe the script_name() method return: /cgi-bin/test.cgi?url=http://localhost/7z423.exe while the url() method returns: http://localhost/cgi-bin/test.cgi A workaround is use URI::Split::uri_split() function in the value returned by CGI::url() method.
Subject: test.cgi
Download test.cgi
application/octet-stream 545b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 146b
This one is a bug in _name_and_path_from_env() function. It tries to work around some obscure Apache 2 bug with two slashes and messes things up.
From: steven.hartland [...] multiplay.co.uk
Download (untitled) / with headers
text/plain 265b
On Mon Mar 20 10:45:44 2006, KAPPA wrote: Show quoted text
> This one is a bug in _name_and_path_from_env() function. It tries to > work around some obscure Apache 2 bug with two slashes and messes
things up. Indeed this broke our site. I've attached a quick patch for this case.
Download CGI.pm.patch
text/x-diff 560b
--- CGI.pm.orig Sat Mar 1 16:58:19 2008 +++ CGI.pm Sat Mar 1 18:39:21 2008 @@ -2779,5 +2779,10 @@ my $raw_script_name = $ENV{SCRIPT_NAME} || ''; my $raw_path_info = $ENV{PATH_INFO} || ''; - my $uri = unescape($self->request_uri) || ''; + my $uri = $self->request_uri || ''; + + # ensure we dont get any query string as that can include escaped // + # e.g. a url parameter, which will break the apache bug fix + $uri =~ s/\?(.*)$//; + $uri = unescape($uri); my $protected = quotemeta($raw_path_info);
From: stephane.chazelas [...] gmail.com
Download (untitled) / with headers
text/plain 1.9k
On Sat Mar 01 13:51:00 2008, steveh wrote: Show quoted text
> On Mon Mar 20 10:45:44 2006, KAPPA wrote:
> > This one is a bug in _name_and_path_from_env() function. It tries to > > work around some obscure Apache 2 bug with two slashes and messes
> things up. > > Indeed this broke our site. I've attached a quick patch for this case.
That patch is a big improvement indeed, but there remained a number of issues. Please find another patch attached. It also includes some comments (which I reproduce below) that clarify why we do that: # This function returns a potentially modified version of SCRIPT_NAME # and PATH_INFO. Some HTTP servers do sanitise the paths in those # variables. It is the case of at least Apache 2. If for instance the # user requests: /path/./to/script.cgi/x//y/z/../x?y, Apache will set: # REQUEST_URI=/path/./to/script.cgi/x//y/z/../x?y # SCRIPT_NAME=/path/to/env.cgi # PATH_INFO=/x/y/x # # This is all fine except that some bogus CGI scripts expect # PATH_INFO=/http://foo when the user requests # http://xxx/script.cgi/http://foo # # Old versions of this module used to accomodate with those scripts, so # this is why we do this here to keep those scripts backward compatible. # Basically, we accomodate with those scripts but within limits, that is # we only try to preserve the number of / that were provided by the user # if $REQUEST_URI and "$SCRIPT_NAME$PATH_INFO" only differ by the number # of consecutive /. # # So for instance, in: http://foo/x//y/script.cgi/a//b, we'll return a # script_name of /x//y/script.cgi and a path_info of /a//b, but in: # http://foo/./x//z/script.cgi/a/../b//c, we'll return the versions # possibly sanitised by the HTTP server, so in the case of Apache 2: # script_name == /foo/x/z/script.cgi and path_info == /b/c. # # Future versions of this module may no longer do that, so one should # avoid relying on the browser, proxy, server, and CGI.pm preserving the # number of consecutive slashes as no guarantee can be made there.
Download diff
application/octet-stream 3.3k

Message body not shown because it is not plain text.

Fixed in version 3.40.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.