This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 30504
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: alech [...] cpan.org
andy [...] hexten.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



In Mac OS 10.5 (Leopard) the temporary directory may have a '+' in its name - which breaks a couple of checks in CGI.pm. The attached patch allows all tests to pass on Leopard.
Subject: cgi-pm-leopard.patch
--- CGI.pm-3.29-orig/CGI.pm 2007-11-05 21:26:33.000000000 +0000 +++ CGI.pm-3.29/CGI.pm 2007-11-05 21:37:01.000000000 +0000 @@ -3696,7 +3696,7 @@ (my $safename = $name) =~ s/([':%])/ sprintf '%%%02X', ord $1 /eg; my $fv = ++$FH . $safename; my $ref = \*{"Fh::$fv"}; - $file =~ m!^([a-zA-Z0-9_ \'\":/.\$\\-]+)$! || return; + $file =~ m!^([a-zA-Z0-9_ \'\":/.\$\\\+-]+)$! || return; my $safe = $1; sysopen($ref,$safe,Fcntl::O_RDWR()|Fcntl::O_CREAT()|Fcntl::O_EXCL(),0600) || return; unlink($safe) if $delete; @@ -4035,7 +4035,7 @@ last if ! -f ($filename = sprintf("${TMPDIRECTORY}${SL}CGItemp%d",$sequence++)); } # check that it is a more-or-less valid filename - return unless $filename =~ m!^([a-zA-Z0-9_ \'\":/.\$\\-]+)$!; + return unless $filename =~ m!^([a-zA-Z0-9_ \'\":/.\$\\\+-]+)$!; # this used to untaint, now it doesn't # $filename = $1; return bless \$filename;
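Review bot: the widened character class is now repeated verbatim in both hunks (the $file match at line 3696 and the $filename match at line 4035), so the next character that needs allowing has to be added in two places and the two checks can drift apart. Consider hoisting the pattern into one shared qr// that both sites use. Inside a bracketed class '+' is already literal, so the backslash before it is unnecessary; keeping '-' as the last character, as this patch does, is what stops it from forming a range.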
Subject: [PATCH] file upload fails on Mac OS X 10.5 ($ENV{TMPDIR} contains '+')
After updating to Mac OS X Leopard, my file uploads in Jifty failed. I've investigated that the problem comes from CGI's handling of temporary filenames. $ENV{TMPDIR} looks like the following on my freshly installed system:

trinidad:~ klink$ echo $TMPDIR
/var/folders/RB/RBdqb0lZG2iU541e-bUIyU+++yg/-Tmp-/

This does not match the regex check in CGI.pm, because of the '+'s. The attached patch solves this problem by adding + as an allowed character to the regular expressions.
Subject: CGI.patch
diff --git a/CGI.pm b/CGI.pm index 0d5ef00..d01e18d 100644 --- a/CGI.pm +++ b/CGI.pm @@ -3696,7 +3696,7 @@ sub new { (my $safename = $name) =~ s/([':%])/ sprintf '%%%02X', ord $1 /eg; my $fv = ++$FH . $safename; my $ref = \*{"Fh::$fv"}; - $file =~ m!^([a-zA-Z0-9_ \'\":/.\$\\-]+)$! || return; + $file =~ m!^([a-zA-Z0-9_\+ \'\":/.\$\\-]+)$! || return; my $safe = $1; sysopen($ref,$safe,Fcntl::O_RDWR()|Fcntl::O_CREAT()|Fcntl::O_EXCL(),0600) || return; unlink($safe) if $delete; @@ -4035,7 +4035,7 @@ sub new { last if ! -f ($filename = sprintf("${TMPDIRECTORY}${SL}CGItemp%d",$sequence++)); } # check that it is a more-or-less valid filename - return unless $filename =~ m!^([a-zA-Z0-9_ \'\":/.\$\\-]+)$!; + return unless $filename =~ m!^([a-zA-Z0-9_\+ \'\":/.\$\\-]+)$!; # this used to untaint, now it doesn't # $filename = $1; return bless \$filename;
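Review bot: the diff touches only CGI.pm, so nothing guards against a regression in either check (the $file match in the first hunk, the $filename match in the second). A test that performs an upload with the temporary directory set to a path containing '+', such as the TMPDIR quoted in the report, would cover both. It is also worth stating in the commit message that the first hunk passes $1 to sysopen with O_CREAT|O_EXCL and mode 0600, so the wider class changes which names reach that call, while the second hunk only validates and, per its own comment, no longer untaints.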
On Mon Nov 05 16:40:04 2007, ANDYA wrote:
> In Mac OS 10.5 (Leopard) the temporary directory may have a '+' in its
> name - which breaks a couple of checks in CGI.pm. The attached patch
> allows all tests to pass on Leopard.

Andy,

Thanks for the patch. I see it has still not been applied in 3.43. It looks reasonable to me, and I recommend that the patch be applied.

Mark
Thanks, this patch has been applied in my git repo now.
Subject: released, thanks.
I believe this change was released today as part of CGI.pm 3.45. Thanks for the contribution.
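
An added example, not part of the ticket or of CGI.pm: the filename allow-list check from the patches above, run with the original and the patched character class against the TMPDIR quoted in the report. The check helper, the CGItemp1 sequence number and the /tmp paths are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two character classes from the ticket: CGI.pm 3.29 as shipped, and
# with '+' added as in the first attached patch.
my $orig    = qr!^([a-zA-Z0-9_ \'\":/.\$\\-]+)$!;
my $patched = qr!^([a-zA-Z0-9_ \'\":/.\$\\\+-]+)$!;

# Temp directory exactly as quoted in the report (trailing slash included).
my $tmpdir = '/var/folders/RB/RBdqb0lZG2iU541e-bUIyU+++yg/-Tmp-/';

my @cases = (
    $tmpdir . 'CGItemp1',   # reported TMPDIR plus a constructed CGItemp%d name
    '/tmp/CGItemp1',        # constructed: conventional temp dir, no '+'
    '/tmp/CGI;temp1',       # constructed: ';' is outside both classes
);

# Return the captured name when the allow-list accepts the whole path,
# or undef when any character falls outside the class.
sub check {
    my ($re, $path) = @_;
    return $path =~ $re ? $1 : undef;
}

# One row per path: verdict of the original class, verdict of the patched
# class, then the path itself.
printf "%-9s %-9s %s\n", 'original', 'patched', 'path';
for my $path (@cases) {
    printf "%-9s %-9s %s\n",
        (defined check($orig, $path)    ? 'accept' : 'reject'),
        (defined check($patched, $path) ? 'accept' : 'reject'),
        $path;
}
```

Only the first row should differ between the two columns: the patch admits '+' and leaves every other character outside the class rejected.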

