| Subject: | CGI.pm bug (since v3.12): url(-rewrite=>1) assumes identical url-{en,de}coded status for REQUEST_URI and PATH_INFO |
| Date: | Sun, 2 Apr 2006 15:35:19 +0000 |
| To: | bug-CGI.pm [...] rt.cpan.org, lstein [...] cshl.org |
| From: | Julian Mehnle <julian [...] mehnle.net> |
Message body not shown because it is not plain text.
Hi Lincoln,
in CGI.pm 3.12, you introduced the following change:
| 7. The url() and self_url() methods now work better in the context of
| Apache mod_rewrite. Be advised that path_info() may give you confusing
| results when mod_rewrite is active because Apache calculates the path
| info *after* rewriting. This is mostly worked around in url() and
| self_url(), but you may notice some anomalies.
| --- CGI.pm
| +++ CGI.pm
| @@ -2612,0 +2627,9 @@
| + my $request_uri = $self->request_uri || '';
| + my $query_str = $self->query_string;
| +
| + my $rewrite_in_use = $request_uri && $request_uri !~ /^$script_name/;
| + undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active
| +
| + my $uri = $rewrite && $request_uri ? $request_uri : $script_name;
| + $uri =~ s/\?.+$// if defined $query_str;
| + $uri =~ s/$path$// if defined $path; # remove path from URI
The last line of this diff hunk assumes (among other things) that both
REQUEST_URI and PATH_INFO are either URL-/en/coded or URL-/de/coded. This
is generally not the case: REQUEST_URI is URL-/en/coded (at least under
Apache), and PATH_INFO is URL-/de/coded (according to the CGI spec).
As a result, since 3.12 url() (which now implies -rewrite=>1) works
differently from before if REQUEST_URIs contains URL-encoding escapes: the
path info is no longer trimmed from the URI (as taken from REQUEST_URI)
correctly. See the attached test script, which demonstrates the bug.
The (not so nice) work-around is to explicitly specify -rewrite=>0 in url()
calls.
Julian Mehnle.
Message body is not shown because sender requested not to inline it.