
This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 3216
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: LDS [...] cpan.org
Requestors: gbrock [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: Escaping form "action" confuses Mozilla
I gather you added a cross-site scripting fix to CGI.pm 2.99. However the escaping of the default form action causes Mozilla and IE to submit the form to the wrong location.

e.g. if the following URL generates a form (with "start_form") but does not specify an "-action" attribute:

http://foo/bar/test.cgi

then the form will have the following action:

CGI.pm 2.98 action="/bar/test.cgi"
CGI.pm 2.99 action="%2Fbar%2Ftest.cgi"

The 2.99 version causes the browser to submit the form to:

http://foo/bar/2Fbar%2Ftest.cgi

I guess the $action=escape($action) at line 1648 is not quite what you want.

Gavin

Tested with perl 5.6.0 5.6.1 and 5.8 on Solaris, Linux and OpenBSD
Fixed in 3.00

[GBROCK - Tue Aug 12 03:44:43 2003]:
> I gather you added a cross-site scripting fix to CGI.pm 2.99. However
> the escaping of the default form action causes Mozilla and IE to
> submit the form to the wrong location.
>
> e.g. if the following URL generates a form (with "start_form") but
> does not specify an "-action" attribute:
>
> http://foo/bar/test.cgi
>
> then the form will have the following action:
>
> CGI.pm 2.98 action="/bar/test.cgi"
> CGI.pm 2.99 action="%2Fbar%2Ftest.cgi"
>
> The 2.99 version causes the browser to submit the form to:
>
> http://foo/bar/2Fbar%2Ftest.cgi
>
> I guess the $action=escape($action) at line 1648 is not quite what you
> want.
>
> Gavin
>
> Tested with perl 5.6.0 5.6.1 and 5.8 on Solaris, Linux and OpenBSD
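
The behaviour reported in this ticket, reproduced as an added example (not CGI.pm code and not a statement of how 3.00 fixed it): percent-encoding the whole default action turns an absolute path into a relative one, while HTML-attribute escaping keeps the submit target and still neutralizes markup characters. Assumptions: `encodeURIComponent` stands in for the `escape($action)` call the report quotes, the helper names are hypothetical, and `HOSTILE_PATH` is constructed sample input.

```javascript
// Page URL and default action path taken from the ticket.
const PAGE_URL = 'http://foo/bar/test.cgi';
const DEFAULT_ACTION = '/bar/test.cgi';
// Constructed sample: extra path info carrying attribute-breaking characters.
const HOSTILE_PATH = '/bar/test.cgi/"><b>x';

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Stand-in for the 2.99 behaviour: URL-encode everything, "/" included.
function percentEncodeAll(path) {
  return encodeURIComponent(path);
}

// Output encoding that matches the sink, an HTML attribute value.
function htmlAttrEscape(value) {
  return value.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Minimal model of the browser decoding entities in the attribute value.
function htmlAttrDecode(value) {
  return value.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => DECODE[name]);
}

// Where the browser submits: decode the attribute, resolve against the page URL.
function submitTarget(attrValue, pageUrl = PAGE_URL) {
  return new URL(htmlAttrDecode(attrValue), pageUrl).href;
}

// True if the value, written between double quotes, could end the attribute.
function breaksOutOfAttribute(attrValue) {
  return /["<>]/.test(attrValue);
}

function compare(path) {
  const encoded = percentEncodeAll(path);
  const escaped = htmlAttrEscape(path);
  return {
    percentEncoded: { attr: encoded, target: submitTarget(encoded) },
    htmlEscaped: { attr: escaped, target: submitTarget(escaped) },
    rawBreaksOut: breaksOutOfAttribute(path),
    escapedBreaksOut: breaksOutOfAttribute(escaped),
  };
}

console.log(compare(DEFAULT_ACTION));
console.log(compare(HOSTILE_PATH));
```

The percent-encoded value no longer starts with `/`, so the browser resolves it relative to `/bar/` instead of the site root.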