Skip Menu |
 

This queue is for tickets about the Catalyst-Runtime CPAN distribution.

Report information
The Basics
Id: 50082
Status: resolved
Priority: 0/
Queue: Catalyst-Runtime

People
Owner: bobtfish [...] bobtfish.net
Requestors: miyagawa [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Catalyst::Engine::CGI and HTTP::Request::AsCGI not compatible to Apache CGI PATH_INFO escape
Date: Mon, 28 Sep 2009 18:57:43 -0700
To: bug-Catalyst-Runtime [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
See https://issues.apache.org/bugzilla/show_bug.cgi?id=35256 and RFC 3875: In Apache, lighttpd and many web servers PATH_INFO are always decoded, including URI reserved characters. Looking at the tickets and svn logs in the past, Catalyst has dealt with this bug by masking the bug: fixing HTTP::Request::AsCGI so it won't escape %2c etc. which is not compatible to what Apache does. The partial decoding makes the situation worse since now you can't tell foo%2cbar vs foo%252cbar, and that could become a security hole with double decoding. You can reproduce this bug by creating a CGI file that does TestApp->run from Catalyst- Runtime/t/lib, and access catalyst_test.cgi/chained/capture%2Farg%3B/return_arg/foo%2Fbar%3B which would fail with UNKNOWN_RESOURCE error. Attached patch makes HTTP::Request::AsCGI to decode all characters including URI reserved characters, and let Catalyst::Engine::CGI figure out the original encoded path from $ENV{REQUEST_URI} which unfortunately is not part of CGI RFC 3875, but is available universally (and works with HTTP::Request::AsCGI too). -- Tatsuhiko Miyagawa

Message body is not shown because sender requested not to inline it.

Message body is not shown because sender requested not to inline it.

Subject: Re: [rt.cpan.org #50082] AutoReply: Catalyst::Engine::CGI and HTTP::Request::AsCGI not compatible to Apache CGI PATH_INFO escape
Date: Mon, 28 Sep 2009 19:59:21 -0700
To: bug-Catalyst-Runtime [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
Download (untitled) / with headers
text/plain 302b
Actually, SCRIPT_NAME is also decoded by web servers: so we should encode it before doing the regex against REQUEST_URI. Here's a new patch to fix that. This actually fixe another bug, where your Catalyst runner CGI file is named "foo bar.cgi" then all URI mappings just fail. -- Tatsuhiko Miyagawa

Message body is not shown because sender requested not to inline it.

Download (untitled) / with headers
text/plain 231b
Patches applied and present in the 5.80014_02 dev release. This is planned to be 5.80015 later this week. Thanks a lot! t0m P.S. Please yell at people in #catalyst-dev if your patches get dropped on the floor for over a week. :_)


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.