Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 35318
Status: rejected
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: MV5492 [...] att.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CGI hidden values within form appearing on link
Date: Tue, 22 Apr 2008 16:08:45 -0500
To: <bug-CGI.pm [...] rt.cpan.org>
From: "Vanole, Mike" <MV5492 [...] att.com>
Download (untitled) / with headers
text/plain 2.7k
Hi, I reported this as a webserver7 problem, but playing around with CGI versions revealed CGI.pm was causing odd behavior. Problem noticed at CGI.pm-3.33 Problem still there at CGI.pm-3.35 Downgraded to version CGI.pm-3.15 and the problem goes away. Here is the code for a test cgi that replicates the problem to see exactly what I'm talking about. At 3.33 and above clicking the buttons as directed reveals the values in the URL at the second button click when we expect them to remain hidden. The second form submission somehow gets transformed from a POST to a GET. The same cgi running under 3.15 and lower keeps the values hidden. perl 5.8.8 on Solaris 9 #!/usr/local/bin/perl use CGI; use CGI::Carp qw(fatalsToBrowser); $q = new CGI; print $q->header; print $q->start_html("test"); $ASCS1chk = $q->param('ASCS1'); $ASCS2chk = $q->param('ASCS2'); print "<CENTER>"; if (length($ASCS1chk) != 0) { &ASC_2(); } elsif (length($ASCS2chk) != 0) { &junk(); } else { &ASC_1(); } sub ASC_1 { $USERID = 'jj'; print $q->start_form(); print "<table border=0 width=400 cellspacing=2 cellpadding=0>"; print "<tr><td align=left class=ctm> </td>"; undef @ATempArray; push(@ATempArray,'Account ET - CARE History'); push(@ATempArray,'Audits'); if ($#ATempArray != -1) { print "<tr><td align=left width=30% class=ctm> </td>"; print "<tr><td><td align=right class=ctf colspan=6>"; print $q->hidden(-name=>'USER_IN',-value=>$USERID,-force=>1); print $q->submit(-style=>'font-family:arial; font-size: 11;',-name=>'ASCS1',-value=>'Click this button'); print $q->end_form; } print "</table>"; } sub ASC_2 { $USERID1 = $q->param('USER_IN'); $ASCUPD_CHK = $q->param('ASCUPD'); print "<table border=0 width=400 cellspacing=2 cellpadding=0>"; print $q->start_form(-name=>'OV2'); print "<tr><td align=left class=ctf nowrap valign=top>"; print $q->hidden(-name=>'ORIGASC',-value=>$ASCUPD_CHK,-force=>1); print $q->hidden(-name=>'USER_IN2',-value=>$USERID1,-force=>1); print $q->hidden(-name=>'DFHR',-value=>$DefHR,-force=>1); print $q->hidden(-name=>'DFHM',-value=>$DefMN,-force=>1); print $q->hidden(-name=>'ACTDT',-value=>$OVDate,-force=>1); print "<tr><td align=center valign=top> "; print "<tr><td align=center valign=top> "; print "<tr><td align=right valign=top colspan=2>"; print $q->submit(-style=>'font-family:arial; font-size: 11;',-name=>'ASCS2',-value=>'Now Click this button'); print $q->end_form(); print "<tr><td align=right valign=top colspan=6>"; print "</table>"; } sub junk { print "The values you see in the address line are hidden values within a form. We are not expecting them to be displayed here. Usually they are not displayed in this line. There are no alink refs within this cgi"; } Please let me know if there is more I can provide. Thanks for a great perl module! Mike
Subject: RE: [rt.cpan.org #35318] AutoReply: CGI hidden values within form appearing on link
Date: Wed, 23 Apr 2008 05:18:10 -0500
To: <bug-CGI.pm [...] rt.cpan.org>
From: "Vanole, Mike" <MV5492 [...] att.com>
Download (untitled) / with headers
text/plain 954b
Here is a little more information from someone else who was looking at a workaround: --------- FYI - I updated to CGI.pm 3.29. I'm now getting the same behavior you reported. I was able to code around the behavior with: print $q->start_form(-name=>'OV2',-action => $ENV{SCRIPT_NAME}); This forces CGI.pm to pull the SCRIPT_NAME environment variable from the information passed to it by the server at request time, and use that as the action rather than the default value (which is supposed to be "this script," but is clearly now picking up data from the prior POST and appending it to "this script" as query data). I also notice that smart_form() appears to be using multipart/form-data despite the docs indicating that it will use application/x-www-form-urlencoded, and that start_multipart_form() needs to be used if a multipart form is desired. I get the impression that the docs for CGI.pm no longer accurately reflect the state of the software.
Download (untitled) / with headers
text/plain 1.1k
On Wed Apr 23 06:18:31 2008, MV5492@att.com wrote: Show quoted text
> Here is a little more information from someone else who was looking at a > workaround: > --------- > FYI - I updated to CGI.pm 3.29. I'm now getting the same behavior you > reported. I was able to code around the behavior with: > > print $q->start_form(-name=>'OV2',-action => $ENV{SCRIPT_NAME}); > > This forces CGI.pm to pull the SCRIPT_NAME environment variable from the > information passed to it by the server at request time, and use that as > the action rather than the default value (which is supposed to be "this > script," but is clearly now picking up data from the prior POST and > appending it to "this script" as query data).
I think what you experienced in the upgrade may have been a fix rather than a bug. Including the query params in the query string is a way to save state. If you don't want that behavior, then explicitly stating the "action" you want is the recommended path. The recommendation above to use "$ENV{SCRIPT_NAME}" is reasonable. I'm marking this bug as "rejected" for now. Regarding the start_form() behavior and documentation, see this bug: https://rt.cpan.org/Ticket/Display.html?id=22046 Mark


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.