Bug #32979 for CGI: CGI::url should quotemeta($script

Wed Feb 06 18:08:09 2008 DYoung [...] zhone.com - Ticket created

Subject:	CGI::url should quotemeta($script_name)
Date:	Wed, 06 Feb 2008 18:12:27 -0500
To:	bug-CGI.pm [...] rt.cpan.org, lstein [...] cshl.org
From:	David Young <DYoung [...] zhone.com>

CGI::url uses the script_name on the right side of a regex which can be problematic if the script_name (somehow) contains special characters. The script_name should be wrapped in quotemeta() to protect against this. Here's a diff of my changes against 2.93: *** CGI.pm Wed Feb 6 12:18:21 2008 --- CGI-dyoung.pm Wed Feb 6 12:19:31 2008 *************** *** 2689,2698 **** my $path = $self->path_info; my $script_name = $self->script_name; my $request_uri = unescape($self->request_uri) || ''; my $query_str = $self->query_string; ! my $rewrite_in_use = $request_uri && $request_uri !~ /^$script_name/; undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active my $uri = $rewrite && $request_uri ? $request_uri : $script_name; --- 2689,2699 ---- my $path = $self->path_info; my $script_name = $self->script_name; + my $q_script_name = quotemeta($script_name); my $request_uri = unescape($self->request_uri) || ''; my $query_str = $self->query_string; ! my $rewrite_in_use = $request_uri && $request_uri !~ /^$q_script_name/; undef $path if $rewrite_in_use && $rewrite; # path not valid when rewriting active my $uri = $rewrite && $request_uri ? $request_uri : $script_name;

Sat Jul 25 17:17:45 2009 MARKSTOS [...] cpan.org - Taken

Sat Jul 25 17:18:18 2009 MARKSTOS [...] cpan.org - Correspondence added

A version of this patch appeared in CGI.pm some time before 3.43.

Sat Jul 25 17:18:18 2009 The RT System itself - Status changed from 'new' to 'open'

Sat Jul 25 17:18:19 2009 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'

Fri May 23 14:28:49 2014 The RT System itself - Queue changed from CGI.pm to CGI

Bug #32979 for CGI: CGI::url should quotemeta($script_name)

Preferred bug tracker