This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 25287
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: scop [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



In CGI.pm 3.19 and later, calling url() in a context like http://validator.w3.org/check?uri=http%3A%2F%2Fmissingno.ifrance.com%2FC%2B%2B.php, an unescaped script uri is used as a regexp, causing breakage like this: http://www.w3.org/Bugs/Public/show_bug.cgi?id=4365

Possible fix against 3.27 attached.

On a related note, it is not clear to me exactly where _name_and_path_from_env should be detecting an Apache bug from, from the complete URI or only the part excluding the query string? Currently it doesn't exclude the query string, so if it contains a // (such as in the validator.w3.org case above), it is flagged as an Apache bug and consequently the returned script name will contain the query string. Surely this is not intentional?
Subject: cgi.patch
--- CGI.pm~ 2007-03-05 18:51:52.000000000 +0200 +++ CGI.pm 2007-03-05 19:58:50.000000000 +0200 @@ -2697,7 +2697,7 @@ my $request_uri = unescape($self->request_uri) || ''; my $query_str = $self->query_string; - my $rewrite_in_use = $request_uri && $request_uri !~ /^$script_name/; + my $rewrite_in_use = $request_uri && $request_uri !~ /^\Q$script_name\E/; undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active my $uri = $rewrite && $request_uri ? $request_uri : $script_name;
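Review bot: no regression test accompanies the changed `$rewrite_in_use` line, so a script name containing regex metacharacters (the report's `C++.php`) could break again unnoticed; add a url() test with such a script name. Because the match is only an anchored literal prefix check, `index($request_uri, $script_name) != 0` would express it without interpolating a request-derived value into a pattern at all. Also, `$request_uri` goes through unescape() two lines above while `$script_name` is compared as is, so it is worth confirming both sides are in the same encoding when they are compared.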
Oh, forgot that I already reported _name_and_path_from_env issues in ticket #24479
On Mon Mar 05 13:02:16 2007, SCOP wrote:
> In CGI.pm 3.19 and later, calling url() in a context like
> http://validator.w3.org/check?uri=http%3A%2F%2Fmissingno.ifrance.com%2FC%2B%2B.php
> , an unescaped script uri is used as a regexp, causing breakage like
> this:
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=4365
> Possible fix against 3.27 attached.
Thanks for this patch. I'm confirming it was previously applied and exists in 3.43. I'm closing this bug report now.

Mark
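The failure discussed in this ticket, as an added example that is not part of the ticket or of CGI.pm: it runs the unquoted and the `\Q...\E` form of the prefix check on the same input. The sample values, the `classify` helper and the `index` variant are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample values modelled on the report: a script named C++.php
# and a request URI that begins with that script name.
my $script_name = '/C++.php';
my $request_uri = '/C++.php?uri=http://example.org/';

# Hypothetical helper: run one form of the check and report the outcome.
# 'rewrite' means the check concluded that the request URI does not start
# with the script name; 'died' means the pattern failed to compile.
sub classify {
    my ($check) = @_;
    my $outcome = eval { $check->() ? 'rewrite' : 'no rewrite' };
    return defined $outcome ? $outcome : "died: $@";
}

my %result = (
    # Before the patch: the script name is interpolated as a pattern, so
    # "++" and "." are treated as regex syntax. Depending on how the perl
    # in use parses "++", this either dies at pattern compile time or
    # compiles to a pattern that no longer matches the literal name.
    unquoted => classify(sub { $request_uri !~ /^$script_name/ }),

    # After the patch: \Q...\E makes every character literal.
    quoted   => classify(sub { $request_uri !~ /^\Q$script_name\E/ }),

    # Regex-free equivalent of the same anchored prefix test.
    index    => classify(sub { index($request_uri, $script_name) != 0 }),
);

printf "%-8s => %s\n", $_, $result{$_} for qw(unquoted quoted index);
```

Only the `quoted` and `index` rows report `no rewrite`, which is the correct answer for this input.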