Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 18752
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: Nobody in particular
Requestors: cpan [...] harkless.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Subject: url() returns incorrect results if PATH_INFO contains URL-encoded characters
Download (untitled) / with headers
text/plain 1.2k
This code in CGI.pm's url() routine is incorrect: my $uri = $rewrite && $request_uri ? $request_uri : $script_name; $uri =~ s/\?.*$//; # remove query string $uri =~ s/$path$// if defined $path; # remove path For the example URL <http://site/script.cgi/x%2By>, PATH_INFO will contain "/x+y", not "/x%2By". PATH_INFO is documented as a decoded version of the string appearing in the path info section of the URL (e.g. at <http://hoohoo.ncsa.uiuc.edu/cgi/env.html> and <http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html#6.1.6>). However, Apache's REQUEST_URI environment variable contains the URL without any special decoding done (documentation such as <http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html> says nothing about any decoding, and this can be experimentally verified for Apache 1.x at places like <http://www.imasy.or.jp/~i16/cgi-ml/printenv.cgi/x%2By> and for Apache 2.x at <http://www.uoregon.edu/~jblick/printenv.cgi/x%2By>). Therefore, if there are any URL-encoded characters in the PATH_INFO part of the URL, the $uri =~ s/$path$// code will unexpectedly fail to remove the path info and it will incorrectly be appended to the URL in the value returned by url().
From: Dan Harkless <cpan [...] harkless.org>
Thanks -- looks like this was fixed in 3.19.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.