Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 3206
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: LDS [...] cpan.org
Requestors: tshinnic [...] io.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: startform( -action=... ) URL encoding change breaks existing code
Download (untitled) / with headers
text/plain 1.3k
New code in startform() routine causes <form action="..."> value strings to now be URL encoded and made to fail. Subsequent submissions die with 404 errors. This causes pre-existing code to fail with version 2.99. Version 2.99 added a line to startform(): $action = escape($action); forcing action values to be URL encoded. This causes preexisting code such as: print start_form( -name => 'formdsply', -method => 'POST', -action => "/cgi-bin/wacs/testing2.pl" ); to now generate HTML thusly: action="%2Fcgi-bin%2Fwacs%2Ftesting2.pl" This causes browsers (here IE 6.0SP1 on WinXP) to interpret this as POSTing to http://the.host/cgi-bin/wacs/%2Fcgi-bin%2Fwacs%2Ftesting2.pl and then receive a 404 error response. Apparent workaround (tested) is to change code to read print start_form( -name => 'formdsply', -method => 'POST', -action => "testing2.pl" ); which generates action="testing2.pl" which gets us to correct place as testing2.pl is within the same directory. But how then does one refer to another directory with 2.99? Backing off and installing 2.98 is also a workaround that fixes the problem. Revision History says merely "Patch from Ewann Corvellec to fix cross-site scripting vulnerability." hardly pointing out a major HTML generation incompatibility.
Download (untitled) / with headers
text/plain 739b
[guest - Mon Aug 11 03:30:20 2003]: Show quoted text
> New code in startform() routine causes <form action="..."> value > strings to now be URL encoded and made to fail. Subsequent > submissions die with 404 errors. This causes pre-existing code to > fail with version 2.99. > > Version 2.99 added a line to startform(): > $action = escape($action); > > [...] > > This causes browsers (here IE 6.0SP1 on WinXP) to interpret this as > POSTing to > http://the.host/cgi-bin/wacs/%2Fcgi-bin%2Fwacs%2Ftesting2.pl > and then receive a 404 error response.
Bug confirmed with Solaris mozilla 1.3 and recofirmed with W2K IE6. I just commented out the escape() line in startform() to "fix" the issue, possibly leaving us open to XSS attacks.
From: tshinnic [...] io.com
Download (untitled) / with headers
text/plain 1.9k
[guest - Thu Aug 14 14:13:22 2003]: Show quoted text
> Bug confirmed with Solaris mozilla 1.3 and recofirmed with W2K IE6. > > I just commented out the escape() line in startform() to "fix" the > issue, possibly leaving us open to XSS attacks.
Note this suggested patch (which I have _not_ tried/tested): To: perl5-porters@perl.org, lstein@cshl.org Subject: [PATCH] patch for CGI.pm 2.99 to make it sane again From: merlyn@stonehenge.com (Randal L. Schwartz) Date: 11 Aug 2003 07:45:10 -0700 I have a lightly-tested patch for CGI.pm 2.99 that fixes the start_form debacle. I'd prefer that Lincoln actually blesses this, but he seems to be absent. The problem apparently is that Lincoln confused URL encoding (which is bad in this case) with HTML encoding (which is what was needed). With this patch, it should be safe to upgrade 5.8.1 from 2.98 (with known security hole) to 2.9901 (2.99 with my patch), although some peer review would be nice... --- CGI.pm-OLD 2003-08-01 07:39:52.000000000 -0700 +++ CGI.pm 2003-08-11 07:33:01.000000000 -0700 @@ -18,8 +18,8 @@ # The most recent version and complete docs are available at: # http://stein.cshl.org/WWW/software/CGI/ -$CGI::revision = '$Id: CGI.pm,v 1.130 2003/08/01 14:39:17 lstein Exp $'; -$CGI::VERSION='2.99'; +$CGI::revision = '$Id: CGI.pm,v 1.130 2003/08/01 14:39:17 lstein Exp $ + patches by merlyn'; +$CGI::VERSION='2.9901'; # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES. # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING. @@ -1639,12 +1639,11 @@ $method = lc($method) || 'post'; $enctype = $enctype || &URL_ENCODED; unless (defined $action) { - $action = $self->url(-absolute=>1,-path=>1); + $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1)); if (length($ENV{QUERY_STRING})>0) { $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1); } } - $action = escape($action); $action = qq(action="$action"); my($other) = @other ? " @other" : ''; $self->{'.parametersToAdd'}={};
Download (untitled) / with headers
text/plain 1.7k
Version 3.00 fixes the startform issue using the patch submitted by Randal Schwartz. This bug was inadvertently introduced when I accepted a patch from another user that purported to fix the cross-site scripting vulnerability. Apparently I didn't review the patch carefully enough. [guest - Mon Aug 11 03:30:20 2003]: Show quoted text
> New code in startform() routine causes <form action="..."> value > strings to now be URL encoded and made to fail. Subsequent > submissions die with 404 errors. This causes pre-existing code to > fail with version 2.99. > > Version 2.99 added a line to startform(): > $action = escape($action); > forcing action values to be URL encoded. This causes preexisting
code Show quoted text
> such as: > print start_form( -name => 'formdsply', -method => 'POST', > -action => "/cgi-bin/wacs/testing2.pl" ); > to now generate HTML thusly: > action="%2Fcgi-bin%2Fwacs%2Ftesting2.pl" > > This causes browsers (here IE 6.0SP1 on WinXP) to interpret this as > POSTing to > http://the.host/cgi-bin/wacs/%2Fcgi-bin%2Fwacs%2Ftesting2.pl > and then receive a 404 error response. > > Apparent workaround (tested) is to change code to read > print start_form( -name => 'formdsply', -method => 'POST', > -action => "testing2.pl" ); > which generates > action="testing2.pl" > which gets us to correct place as testing2.pl is within the same > directory. But how then does one refer to another directory with > 2.99? > > Backing off and installing 2.98 is also a workaround that fixes the > problem. > > Revision History says merely "Patch from Ewann Corvellec to fix
cross- Show quoted text
> site scripting vulnerability." hardly pointing out a major HTML > generation incompatibility.
Subject: free ringtones<a href='http://www.ringtones-dir.com'
From: http://www.ringtones-dir.com
Download (untitled) / with headers
text/plain 392b
<a href='http://www.yahoo.com'></a> http://www.ringtones-dir.com/download/ <a href='http://www.ringtones-dir.com'>download ringtones</a>. <a href="http://www.ringtones-dir.com ">nokia ringtones</a>: Download ringtones FREE, Best free samsung ringtones, Cingular ringtones and more. [url]http://www.ringtones-dir.com/free/[/url] [link=http://www.ringtones-dir.com]ring tones[/link] From site .


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.