Bug #3206 for CGI: startform( -action=... ) URL encoding change breaks existing code

Mon Aug 11 03:30:20 2003 Guest - Ticket created

Subject:

startform( -action=... ) URL encoding change breaks existing code

New code in startform() routine causes <form action="..."> value strings to now be URL encoded and made to fail. Subsequent submissions die with 404 errors. This causes pre-existing code to fail with version 2.99. Version 2.99 added a line to startform(): $action = escape($action); forcing action values to be URL encoded. This causes preexisting code such as: print start_form( -name => 'formdsply', -method => 'POST', -action => "/cgi-bin/wacs/testing2.pl" ); to now generate HTML thusly: action="%2Fcgi-bin%2Fwacs%2Ftesting2.pl" This causes browsers (here IE 6.0SP1 on WinXP) to interpret this as POSTing to http://the.host/cgi-bin/wacs/%2Fcgi-bin%2Fwacs%2Ftesting2.pl and then receive a 404 error response. Apparent workaround (tested) is to change code to read print start_form( -name => 'formdsply', -method => 'POST', -action => "testing2.pl" ); which generates action="testing2.pl" which gets us to correct place as testing2.pl is within the same directory. But how then does one refer to another directory with 2.99? Backing off and installing 2.98 is also a workaround that fixes the problem. Revision History says merely "Patch from Ewann Corvellec to fix cross-site scripting vulnerability." hardly pointing out a major HTML generation incompatibility.

Thu Aug 14 14:13:22 2003 Guest - Correspondence added

[guest - Mon Aug 11 03:30:20 2003]: Show quoted text

> New code in startform() routine causes <form action="..."> value > strings to now be URL encoded and made to fail. Subsequent > submissions die with 404 errors. This causes pre-existing code to > fail with version 2.99. > > Version 2.99 added a line to startform(): > $action = escape($action); > > [...] > > This causes browsers (here IE 6.0SP1 on WinXP) to interpret this as > POSTing to > http://the.host/cgi-bin/wacs/%2Fcgi-bin%2Fwacs%2Ftesting2.pl > and then receive a 404 error response.

Bug confirmed with Solaris mozilla 1.3 and recofirmed with W2K IE6. I just commented out the escape() line in startform() to "fix" the issue, possibly leaving us open to XSS attacks.

Thu Aug 14 15:31:00 2003 Guest - Correspondence added

From:

tshinnic [...] io.com

[guest - Thu Aug 14 14:13:22 2003]: Show quoted text

> Bug confirmed with Solaris mozilla 1.3 and recofirmed with W2K IE6. > > I just commented out the escape() line in startform() to "fix" the > issue, possibly leaving us open to XSS attacks.

Note this suggested patch (which I have _not_ tried/tested): To: perl5-porters@perl.org, lstein@cshl.org Subject: [PATCH] patch for CGI.pm 2.99 to make it sane again From: merlyn@stonehenge.com (Randal L. Schwartz) Date: 11 Aug 2003 07:45:10 -0700 I have a lightly-tested patch for CGI.pm 2.99 that fixes the start_form debacle. I'd prefer that Lincoln actually blesses this, but he seems to be absent. The problem apparently is that Lincoln confused URL encoding (which is bad in this case) with HTML encoding (which is what was needed). With this patch, it should be safe to upgrade 5.8.1 from 2.98 (with known security hole) to 2.9901 (2.99 with my patch), although some peer review would be nice... --- CGI.pm-OLD 2003-08-01 07:39:52.000000000 -0700 +++ CGI.pm 2003-08-11 07:33:01.000000000 -0700 @@ -18,8 +18,8 @@ # The most recent version and complete docs are available at: # http://stein.cshl.org/WWW/software/CGI/ -$CGI::revision = '$Id: CGI.pm,v 1.130 2003/08/01 14:39:17 lstein Exp $'; -$CGI::VERSION='2.99'; +$CGI::revision = '$Id: CGI.pm,v 1.130 2003/08/01 14:39:17 lstein Exp $ + patches by merlyn'; +$CGI::VERSION='2.9901'; # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES. # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING. @@ -1639,12 +1639,11 @@ $method = lc($method) || 'post'; $enctype = $enctype || &URL_ENCODED; unless (defined $action) { - $action = $self->url(-absolute=>1,-path=>1); + $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1)); if (length($ENV{QUERY_STRING})>0) { $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1); } } - $action = escape($action); $action = qq(action="$action"); my($other) = @other ? " @other" : ''; $self->{'.parametersToAdd'}={};

Mon Aug 18 13:52:04 2003 LDS [...] cpan.org - Taken

Mon Aug 18 13:55:35 2003 LDS [...] cpan.org - Correspondence added

Version 3.00 fixes the startform issue using the patch submitted by Randal Schwartz. This bug was inadvertently introduced when I accepted a patch from another user that purported to fix the cross-site scripting vulnerability. Apparently I didn't review the patch carefully enough. [guest - Mon Aug 11 03:30:20 2003]: Show quoted text

> New code in startform() routine causes <form action="..."> value > strings to now be URL encoded and made to fail. Subsequent > submissions die with 404 errors. This causes pre-existing code to > fail with version 2.99. > > Version 2.99 added a line to startform(): > $action = escape($action); > forcing action values to be URL encoded. This causes preexisting

code Show quoted text

> such as: > print start_form( -name => 'formdsply', -method => 'POST', > -action => "/cgi-bin/wacs/testing2.pl" ); > to now generate HTML thusly: > action="%2Fcgi-bin%2Fwacs%2Ftesting2.pl" > > This causes browsers (here IE 6.0SP1 on WinXP) to interpret this as > POSTing to > http://the.host/cgi-bin/wacs/%2Fcgi-bin%2Fwacs%2Ftesting2.pl > and then receive a 404 error response. > > Apparent workaround (tested) is to change code to read > print start_form( -name => 'formdsply', -method => 'POST', > -action => "testing2.pl" ); > which generates > action="testing2.pl" > which gets us to correct place as testing2.pl is within the same > directory. But how then does one refer to another directory with > 2.99? > > Backing off and installing 2.98 is also a workaround that fixes the > problem. > > Revision History says merely "Patch from Ewann Corvellec to fix

cross- Show quoted text

> site scripting vulnerability." hardly pointing out a major HTML > generation incompatibility.

Mon Aug 18 13:55:40 2003 LDS [...] cpan.org - Status changed from 'new' to 'resolved'

Mon Jun 19 03:36:31 2006 Guest - Correspondence added

Subject:	free ringtones<a href='http://www.ringtones-dir.com'
From:	http://www.ringtones-dir.com

<a href='http://www.yahoo.com'></a> http://www.ringtones-dir.com/download/ <a href='http://www.ringtones-dir.com'>download ringtones</a>. <a href="http://www.ringtones-dir.com ">nokia ringtones</a>: Download ringtones FREE, Best free samsung ringtones, Cingular ringtones and more. [url]http://www.ringtones-dir.com/free/[/url] [link=http://www.ringtones-dir.com]ring tones[/link] From site .

Mon Jun 19 03:36:32 2006 The RT System itself - Status changed from 'resolved' to 'open'

Mon Jul 20 22:15:36 2009 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'

Fri May 23 14:28:22 2014 The RT System itself - Queue changed from CGI.pm to CGI

Bug #3206 for CGI: startform( -action=... ) URL encoding change breaks existing code

Preferred bug tracker