Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id:
4709
Status:
resolved
Priority:
Low/Low
Queue:

People
Owner:
LDS [...] cpan.org
Requestors:
julian [...] mehnle.net
Cc:
AdminCc:

BugTracker
Severity:
Normal
Broken in:
(no value)
Fixed in:
(no value)

Attachments
CGI.pm-3.00-absolute_url_fix.diff



Subject: CGI->url(-absolute => 1) doesn't work correctly if PATH_INFO contains escaped characters
If PATH_INFO contains URI-escaped characters, e.g. REQUEST_URI="http://server/wiki/back=Foo+Bar/Zippo" PATH_INFO="/back=Foo+Bar/Zippo" (with "+" being an escaped space character), then CGI->url(-absolute => 1) returns "/wiki/back=Foo+Bar/Zippo" instead of "/wiki". I have verified this at least with CGI.pm 2.81, 2.98, and 3.00. Reading the code of CGI::url(), this seems obvious to me, since it tries to remove an *escaped* PATH_INFO from an *unescaped* REQUEST_URI, which is bound to fail as soon as PATH_INFO contains special characters. I attached a patch which fixes the problem. Besides, the original code (correctly) uses quotemeta() to quote regex meta-characters in PATH_INFO before using it in the s/// statement. The problem with this is that it probably makes developers (like it did for me) confuse quotemeta() with escape() or unescape(), so one might think the algorithm was indeed correct. I replaced the quotemeta() call with the use of \Q...\E in the s///, so the missing of the unescape() call kind of became obvious. :-)
--- CGI.pm 2003-12-18 17:01:53.000000000 +0100 +++ /usr/share/perl/5.8.2/CGI.pm 2003-12-18 17:03:01.000000000 +0100 @@ -2494,8 +2494,8 @@ $script_name =~ s/\?.+$//; # strip query string # and path if (exists($ENV{PATH_INFO})) { - my $encoded_path = quotemeta($ENV{PATH_INFO}); - $script_name =~ s/$encoded_path$//i; + my $encoded_path = unescape($ENV{PATH_INFO}); + $script_name =~ s/\Q$encoded_path\E$//i; } }
Send me the patch as an attachment and I'll make sure your gets into the next version of CGI.pm. Your original posting did not include the attachment. Lincoln
From: julian@mehnle.net
Lincoln_D_Stein via RT wrote:
Show quoted text
> Send me the patch as an attachment and I'll make sure your gets into > the next version of CGI.pm. Your original posting did not include the > attachment.
Well, yes, I guess it *did*. At least I can download it from <http://rt.cpan.org/NoAuth/Bug.html?id=4709>. :-) PS: I already replied by mail, but my answer doesn't seem to have made it here, so I'm replying through the web interface.
From: alex@emacswiki.org
I have the inverse problem: Here is my wiki script. The "page name" contains an encoded plus: http://localhost/cgi-bin/wiki/info%2b.el In CGI.pm versions 2.98, 3.00, and 3.01, $q->url() will return http://localhost/cgi-bin/wiki -- correct. In CGI.pm versions 3.03 and 3.10, $q->url() will return http://localhost/cgi-bin/wiki/info+.el -- incorrectly added the decoded path_info to the URL. Alex.
From: alex@emacswiki.org
[guest - Mon Jul 25 07:04:43 2005]:
Show quoted text
> In CGI.pm versions 3.03 and 3.10, $q->url() will return > http://localhost/cgi-bin/wiki/info+.el -- incorrectly added > the decoded path_info to the URL.
Here's an example: #!/usr/bin/perl use strict; use CGI; my $q = new CGI; print "Content-type: text/plain\n\n"; print $q->version, "\n"; print $q->url(), "\n"; print $q->path_info(), "\n"; When called as follows: http://localhost/cgi-bin/test.pl/info%2b It prints: 3.10 http://localhost/cgi-bin/test.pl/info+ /info+ Alex.


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.