This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 4709
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: LDS [...] cpan.org
Requestors: julian [...] mehnle.net
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

Attachments
CGI.pm-3.00-absolute_url_fix.diff



Subject: CGI->url(-absolute => 1) doesn't work correctly if PATH_INFO contains escaped characters
If PATH_INFO contains URI-escaped characters, e.g.

    REQUEST_URI="http://server/wiki/back=Foo+Bar/Zippo"
    PATH_INFO="/back=Foo+Bar/Zippo"

(with "+" being an escaped space character), then CGI->url(-absolute => 1) returns "/wiki/back=Foo+Bar/Zippo" instead of "/wiki". I have verified this at least with CGI.pm 2.81, 2.98, and 3.00.

Reading the code of CGI::url(), this seems obvious to me, since it tries to remove an *escaped* PATH_INFO from an *unescaped* REQUEST_URI, which is bound to fail as soon as PATH_INFO contains special characters. I attached a patch which fixes the problem.

Besides, the original code (correctly) uses quotemeta() to quote regex meta-characters in PATH_INFO before using it in the s/// statement. The problem with this is that it probably makes developers (like it did for me) confuse quotemeta() with escape() or unescape(), so one might think the algorithm was indeed correct. I replaced the quotemeta() call with the use of \Q...\E in the s///, so the missing of the unescape() call kind of became obvious. :-)
--- CGI.pm 2003-12-18 17:01:53.000000000 +0100 +++ /usr/share/perl/5.8.2/CGI.pm 2003-12-18 17:03:01.000000000 +0100 @@ -2494,8 +2494,8 @@ $script_name =~ s/\?.+$//; # strip query string # and path if (exists($ENV{PATH_INFO})) { - my $encoded_path = quotemeta($ENV{PATH_INFO}); - $script_name =~ s/$encoded_path$//i; + my $encoded_path = unescape($ENV{PATH_INFO}); + $script_name =~ s/\Q$encoded_path\E$//i; } }
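
Review bot: On the added line "my $encoded_path = unescape($ENV{PATH_INFO});", unescape() assumes PATH_INFO is still URI-escaped when it reaches this code. If the server has already decoded it, the value is decoded a second time, and a path that contains a literal "+" or "%" after decoding no longer matches the tail of $script_name, so the path info stays in the returned URL. The suffix match is only reliable when $script_name and PATH_INFO have been decoded the same number of times; either compare both in one canonical form or add a comment stating which form each variable is in at this point. The variable now holds a decoded value, so "$encoded_path" should be renamed, for example to "$decoded_path". The "/i" flag kept on the substitution makes the suffix match case-insensitive, which deserves a comment or removal since URI paths are case-sensitive.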

Send me the patch as an attachment and I'll make sure yours gets into the next version of CGI.pm. Your original posting did not include the attachment.

Lincoln
From: julian [...] mehnle.net
Lincoln_D_Stein via RT wrote:
> Send me the patch as an attachment and I'll make sure yours gets into
> the next version of CGI.pm. Your original posting did not include the
> attachment.

Well, yes, I guess it *did*. At least I can download it from <http://rt.cpan.org/NoAuth/Bug.html?id=4709>. :-)

PS: I already replied by mail, but my answer doesn't seem to have made it here, so I'm replying through the web interface.
From: alex [...] emacswiki.org
I have the inverse problem: Here is my wiki script. The "page name" contains an encoded plus:

http://localhost/cgi-bin/wiki/info%2b.el

In CGI.pm versions 2.98, 3.00, and 3.01, $q->url() will return http://localhost/cgi-bin/wiki -- correct.

In CGI.pm versions 3.03 and 3.10, $q->url() will return http://localhost/cgi-bin/wiki/info+.el -- incorrectly added the decoded path_info to the URL.

Alex.
From: alex [...] emacswiki.org
[guest - Mon Jul 25 07:04:43 2005]:
> In CGI.pm versions 3.03 and 3.10, $q->url() will return
> http://localhost/cgi-bin/wiki/info+.el -- incorrectly added
> the decoded path_info to the URL.

Here's an example:

    #!/usr/bin/perl
    use strict;
    use CGI;
    my $q = new CGI;
    print "Content-type: text/plain\n\n";
    print $q->version, "\n";      # CGI.pm version in use
    print $q->url(), "\n";        # should not include the path info
    print $q->path_info(), "\n";  # path info as CGI.pm reports it

When called as follows:

http://localhost/cgi-bin/test.pl/info%2b

It prints:

    3.10
    http://localhost/cgi-bin/test.pl/info+
    /info+

Alex.
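
The two reports in this ticket, reproduced side by side as an added example (not code from CGI.pm or from either poster). The function names are hypothetical, form_unescape() is a simplified stand-in for a form-style unescape, and the request paths are constructed from the URLs quoted above, passed without host or query string. The third function goes beyond the patch: it keeps the request path raw and decodes each candidate suffix exactly once before comparing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for a form-style unescape: "+" becomes a space, then %XX is decoded.
# Assumption for this example; not copied from CGI.pm.
sub form_unescape { my $s = shift; $s =~ tr/+/ /; $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge; return $s }

# Percent-decoding only; "+" stays literal, as it is in a URI path.
sub pct_decode { my $s = shift; $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge; return $s }

# Before the patch: request path unescaped, PATH_INFO used as delivered.
sub strip_before {
    my ($uri, $path_info) = @_;
    my $script = form_unescape($uri);
    $script =~ s/\Q$path_info\E$//i;
    return $script;
}

# After the patch: PATH_INFO is unescaped as well before the suffix match.
sub strip_after {
    my ($uri, $path_info) = @_;
    my $script  = form_unescape($uri);
    my $decoded = form_unescape($path_info);
    $script =~ s/\Q$decoded\E$//i;
    return $script;
}

# Alternative: walk the raw path from the right, one "/" at a time, and cut
# where the once-decoded suffix equals PATH_INFO.
sub strip_canonical {
    my ($uri, $path_info) = @_;
    return $uri unless length $path_info;
    my $pos = length $uri;
    while (($pos = rindex($uri, '/', $pos - 1)) >= 0) {
        return substr($uri, 0, $pos) if pct_decode(substr($uri, $pos)) eq $path_info;
        last if $pos == 0;    # reached the leading slash without a match
    }
    return $uri;              # no suffix matched; leave the path unchanged
}

# Constructed inputs: [ raw request path, PATH_INFO ] from the two reports.
my @cases = (
    [ '/wiki/back=Foo+Bar/Zippo', '/back=Foo+Bar/Zippo' ],
    [ '/cgi-bin/wiki/info%2b.el', '/info+.el' ],
);
printf "%-26s before=%-26s after=%-24s canonical=%s\n",
    $_->[0], strip_before(@$_), strip_after(@$_), strip_canonical(@$_) for @cases;
```

Each of the first two functions strips the path info for one report and leaves it in place for the other; the third strips it for both.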