This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 32979
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: DYoung [...] zhone.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CGI::url should quotemeta($script_name)
Date: Wed, 06 Feb 2008 18:12:27 -0500
To: bug-CGI.pm [...] rt.cpan.org, lstein [...] cshl.org
From: David Young <DYoung [...] zhone.com>
CGI::url uses the script_name on the right side of a regex which can be problematic if the script_name (somehow) contains special characters. The script_name should be wrapped in quotemeta() to protect against this. Here's a diff of my changes against 2.93: *** CGI.pm Wed Feb 6 12:18:21 2008 --- CGI-dyoung.pm Wed Feb 6 12:19:31 2008 *************** *** 2689,2698 **** my $path = $self->path_info; my $script_name = $self->script_name; my $request_uri = unescape($self->request_uri) || ''; my $query_str = $self->query_string; ! my $rewrite_in_use = $request_uri && $request_uri !~ /^$script_name/; undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active my $uri = $rewrite && $request_uri ? $request_uri : $script_name; --- 2689,2699 ---- my $path = $self->path_info; my $script_name = $self->script_name; + my $q_script_name = quotemeta($script_name); my $request_uri = unescape($self->request_uri) || ''; my $query_str = $self->query_string; ! my $rewrite_in_use = $request_uri && $request_uri !~ /^$q_script_name/; undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active my $uri = $rewrite && $request_uri ? $request_uri : $script_name;
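Review bot: In the changed `$rewrite_in_use` line, the new `$q_script_name` variable is used only once, so quoting in place with `$request_uri !~ /^\Q$script_name\E/` would keep the escaping next to the match it protects and avoid a second name for the same value. The patch carries no test; a case where `script_name` contains regex metacharacters and `request_uri` is the same string would pin the behaviour down.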
A version of this patch appeared in CGI.pm some time before 3.43.
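
An added illustration of the problem this ticket describes (not code from CGI.pm or from the reporter): `rewrite_in_use` is a hypothetical stand-alone copy of the one comparison the patch changes, run over constructed script names with and without `quotemeta()`.

```perl
#!/usr/bin/perl
# Added illustration, not CGI.pm code: the prefix match that decides whether
# URL rewriting is active, with the script name interpolated raw or quoted.
use strict;
use warnings;

# Hypothetical helper. Returns 1 if rewriting looks active, 0 if not, or an
# "error: ..." string if the interpolated pattern fails to compile.
# $quote selects the quotemeta() form proposed in the ticket.
sub rewrite_in_use {
    my ($script_name, $request_uri, $quote) = @_;
    my $pat = $quote ? quotemeta($script_name) : $script_name;
    # Interpolated patterns are compiled at run time, so a bad pattern dies
    # here and eval catches it.
    my $result = eval { ($request_uri && $request_uri !~ /^$pat/) ? 1 : 0 };
    return defined $result ? $result : 'error: ' . (split /\n/, $@)[0];
}

# Constructed sample inputs: [script_name, request_uri]
my @cases = (
    # Plain name, direct request with extra path info.
    ['/cgi-bin/app.cgi', '/cgi-bin/app.cgi/extra'],
    # "+" is read as a quantifier, not as a literal plus sign.
    ['/cgi-bin/c++.cgi', '/cgi-bin/c++.cgi'],
    # An unmatched "(" makes the raw pattern invalid.
    ['/cgi-bin/a(b.cgi', '/cgi-bin/a(b.cgi'],
    # A raw "." matches any character, so a different URI passes as a prefix.
    ['/cgi-bin/app.cgi', '/cgi-bin/appXcgi'],
);

for my $case (@cases) {
    my ($name, $uri) = @$case;
    printf "script_name=%s request_uri=%s\n  unquoted: %s\n  quoted:   %s\n",
        $name, $uri,
        rewrite_in_use($name, $uri, 0),
        rewrite_in_use($name, $uri, 1);
}
```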

