Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 18500
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: LDS [...] cpan.org
Requestors: julian [...] mehnle.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: CGI.pm bug (since v3.12): url(-rewrite=>1) assumes identical url-{en,de}coded status for REQUEST_URI and PATH_INFO
Date: Sun, 2 Apr 2006 15:35:19 +0000
To: bug-CGI.pm [...] rt.cpan.org, lstein [...] cshl.org
From: Julian Mehnle <julian [...] mehnle.net>
Download (untitled)
application/pgp-signature 191b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 1.6k
Hi Lincoln, in CGI.pm 3.12, you introduced the following change: | 7. The url() and self_url() methods now work better in the context of | Apache mod_rewrite. Be advised that path_info() may give you confusing | results when mod_rewrite is active because Apache calculates the path | info *after* rewriting. This is mostly worked around in url() and | self_url(), but you may notice some anomalies. | --- CGI.pm | +++ CGI.pm | @@ -2612,0 +2627,9 @@ | + my $request_uri = $self->request_uri || ''; | + my $query_str = $self->query_string; | + | + my $rewrite_in_use = $request_uri && $request_uri !~ /^$script_name/; | + undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active | + | + my $uri = $rewrite && $request_uri ? $request_uri : $script_name; | + $uri =~ s/\?.+$// if defined $query_str; | + $uri =~ s/$path$// if defined $path; # remove path from URI The last line of this diff hunk assumes (among other things) that both REQUEST_URI and PATH_INFO are either URL-/en/coded or URL-/de/coded. This is generally not the case: REQUEST_URI is URL-/en/coded (at least under Apache), and PATH_INFO is URL-/de/coded (according to the CGI spec). As a result, since 3.12 url() (which now implies -rewrite=>1) works differently from before if REQUEST_URIs contains URL-encoding escapes: the path info is no longer trimmed from the URI (as taken from REQUEST_URI) correctly. See the attached test script, which demonstrates the bug. The (not so nice) work-around is to explicitly specify -rewrite=>0 in url() calls. Julian Mehnle.

Message body is not shown because sender requested not to inline it.

Subject: [rt.cpan.org #18500] Re: CGI.pm bug (since v3.12): url(-rewrite=>1) assumes identical url-{en,de}coded status for REQUEST_URI and PATH_INFO
Date: Tue, 4 Apr 2006 23:18:26 +0000
To: bug-CGI.pm [...] rt.cpan.org
From: Julian Mehnle <julian [...] mehnle.net>
Download (untitled)
application/pgp-signature 191b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 798b
Lincoln Stein wrote: Show quoted text
> Sorry about the url rewrite bug. If you can suggest a working patch, I > would be most grateful. I have had great difficulty getting this to work > reliably in all circumstances.
Try the attached patch against v3.17, it passes the attached test script. The patch does essentially the following: In both url() and _name_and_path_from_env(), REQUEST_URI is now unescaped before any comparisons with unescaped URIs/paths are performed on it (per the CGI spec, PATH_INFO and SCRIPT_NAME are always URL-unescaped). As a side effect, the local URL-escaping of $path_info_search in _name_and_path_from_env() is now unnecessary. The patch also reduces a redundant if-match-then-substitute in _name_and_path_from_env() to a simple substitute, which is equivalent. Julian.

Message body is not shown because sender requested not to inline it.

Message body is not shown because sender requested not to inline it.



This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.