Bug #14814 for CGI: some cgi parameters may ruine cgi.pm

RT for rt.cpan.org

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information

The Basics

Id:	14814
Status:	resolved
Priority:	0/
Queue:	CGI

People

Owner:	Nobody in particular
Requestors:	arkady74 [...] gmail.com
Cc:
AdminCc:

Bug Information

Severity:	Critical
Broken in:	(no value)
Fixed in:	(no value)

History Show all quoted text

Thu Sep 29 06:37:25 2005 Guest - Ticket created

Subject:

some cgi parameters may ruine cgi.pm

parameter names matching `internal` CGI.pm names may interfere or crush script for e.g.: "http://host/?.cookie=crack"

Tue Apr 21 22:30:33 2009 MARKSTOS [...] cpan.org - Correspondence added

On Thu Sep 29 06:37:25 2005, guest wrote: Show quoted text

> parameter names matching `internal` CGI.pm names may interfere or > crush script > > for e.g.: "http://host/?.cookie=crack"

Perhaps this was issue at some point in the past, but it's not with 3.43. You can easily see how special and normal parameters are stored. They are not in the same part of the data structure: ### use CGI; my $q = CGI->new('.cookie=crack&good=foo'); use Data::Dumper; warn Dumper ($q); ### Mark

Tue Apr 21 22:30:34 2009 The RT System itself - Status changed from 'new' to 'open'

Sun Jul 19 20:03:56 2009 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'

Fri May 23 14:28:30 2014 The RT System itself - Queue changed from CGI.pm to CGI