This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 35318
Status: rejected
Priority: 0/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: MV5492 [...] att.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CGI hidden values within form appearing on link
Date: Tue, 22 Apr 2008 16:08:45 -0500
To: <bug-CGI.pm [...] rt.cpan.org>
From: "Vanole, Mike" <MV5492 [...] att.com>
Hi,

I reported this as a webserver7 problem, but playing around with CGI versions revealed CGI.pm was causing odd behavior.

Problem noticed at CGI.pm-3.33
Problem still there at CGI.pm-3.35
Downgraded to version CGI.pm-3.15 and the problem goes away.

Here is the code for a test cgi that replicates the problem to see exactly what I'm talking about. At 3.33 and above clicking the buttons as directed reveals the values in the URL at the second button click when we expect them to remain hidden. The second form submission somehow gets transformed from a POST to a GET. The same cgi running under 3.15 and lower keeps the values hidden.

perl 5.8.8 on Solaris 9

    #!/usr/local/bin/perl
    use CGI;
    use CGI::Carp qw(fatalsToBrowser);

    $q = new CGI;
    print $q->header;
    print $q->start_html("test");
    $ASCS1chk = $q->param('ASCS1');
    $ASCS2chk = $q->param('ASCS2');
    print "<CENTER>";

    if (length($ASCS1chk) != 0) {
        &ASC_2();
    } elsif (length($ASCS2chk) != 0) {
        &junk();
    } else {
        &ASC_1();
    }

    sub ASC_1 {
        $USERID = 'jj';
        print $q->start_form();
        print "<table border=0 width=400 cellspacing=2 cellpadding=0>";
        print "<tr><td align=left class=ctm> </td>";
        undef @ATempArray;
        push(@ATempArray,'Account ET - CARE History');
        push(@ATempArray,'Audits');
        if ($#ATempArray != -1) {
            print "<tr><td align=left width=30% class=ctm> </td>";
            print "<tr><td><td align=right class=ctf colspan=6>";
            print $q->hidden(-name=>'USER_IN',-value=>$USERID,-force=>1);
            print $q->submit(-style=>'font-family:arial; font-size: 11;',-name=>'ASCS1',-value=>'Click this button');
            print $q->end_form;
        }
        print "</table>";
    }

    sub ASC_2 {
        $USERID1 = $q->param('USER_IN');
        $ASCUPD_CHK = $q->param('ASCUPD');
        print "<table border=0 width=400 cellspacing=2 cellpadding=0>";
        print $q->start_form(-name=>'OV2');
        print "<tr><td align=left class=ctf nowrap valign=top>";
        print $q->hidden(-name=>'ORIGASC',-value=>$ASCUPD_CHK,-force=>1);
        print $q->hidden(-name=>'USER_IN2',-value=>$USERID1,-force=>1);
        print $q->hidden(-name=>'DFHR',-value=>$DefHR,-force=>1);
        print $q->hidden(-name=>'DFHM',-value=>$DefMN,-force=>1);
        print $q->hidden(-name=>'ACTDT',-value=>$OVDate,-force=>1);
        print "<tr><td align=center valign=top> ";
        print "<tr><td align=center valign=top> ";
        print "<tr><td align=right valign=top colspan=2>";
        print $q->submit(-style=>'font-family:arial; font-size: 11;',-name=>'ASCS2',-value=>'Now Click this button');
        print $q->end_form();
        print "<tr><td align=right valign=top colspan=6>";
        print "</table>";
    }

    sub junk {
        print "The values you see in the address line are hidden values within a form. We are not expecting them to be displayed here. Usually they are not displayed in this line. There are no alink refs within this cgi";
    }

Please let me know if there is more I can provide.

Thanks for a great perl module!

Mike
Subject: RE: [rt.cpan.org #35318] AutoReply: CGI hidden values within form appearing on link
Date: Wed, 23 Apr 2008 05:18:10 -0500
To: <bug-CGI.pm [...] rt.cpan.org>
From: "Vanole, Mike" <MV5492 [...] att.com>
Here is a little more information from someone else who was looking at a workaround:

---------
FYI - I updated to CGI.pm 3.29. I'm now getting the same behavior you reported. I was able to code around the behavior with:

    print $q->start_form(-name=>'OV2',-action => $ENV{SCRIPT_NAME});

This forces CGI.pm to pull the SCRIPT_NAME environment variable from the information passed to it by the server at request time, and use that as the action rather than the default value (which is supposed to be "this script," but is clearly now picking up data from the prior POST and appending it to "this script" as query data).

I also notice that smart_form() appears to be using multipart/form-data despite the docs indicating that it will use application/x-www-form-urlencoded, and that start_multipart_form() needs to be used if a multipart form is desired. I get the impression that the docs for CGI.pm no longer accurately reflect the state of the software.
On Wed Apr 23 06:18:31 2008, MV5492@att.com wrote:
> Here is a little more information from someone else who was looking at a
> workaround:
> ---------
> FYI - I updated to CGI.pm 3.29. I'm now getting the same behavior you
> reported. I was able to code around the behavior with:
>
> print $q->start_form(-name=>'OV2',-action => $ENV{SCRIPT_NAME});
>
> This forces CGI.pm to pull the SCRIPT_NAME environment variable from the
> information passed to it by the server at request time, and use that as
> the action rather than the default value (which is supposed to be "this
> script," but is clearly now picking up data from the prior POST and
> appending it to "this script" as query data).
I think what you experienced in the upgrade may have been a fix rather than a bug. Including the query params in the query string is a way to save state. If you don't want that behavior, then explicitly stating the "action" you want is the recommended path. The recommendation above to use "$ENV{SCRIPT_NAME}" is reasonable.

I'm marking this bug as "rejected" for now.

Regarding the start_form() behavior and documentation, see this bug:

https://rt.cpan.org/Ticket/Display.html?id=22046

Mark
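
Added example, not part of the ticket or of CGI.pm: a small Perl check, assuming CGI.pm is installed, that reports whether the action URL emitted by start_form() carries request parameters, once with the default action and once with the explicit -action workaround discussed above. The helper name leaked_params and the script path /cgi-bin/test.cgi are hypothetical; the parameter names and values are taken from the test script in the ticket.

```perl
#!/usr/bin/perl
# Added example (not from the ticket): report whether a <form> tag produced by
# start_form() exposes request parameters in its action URL, where they would
# end up in the address bar, browser history and server access logs.
use strict;
use warnings;
use CGI;

# Return the names from @names that appear as keys in the query string of the
# action="..." attribute of $form_tag (empty list if there is no query string).
sub leaked_params {
    my ($form_tag, @names) = @_;
    my ($action) = $form_tag =~ /\baction="([^"]*)"/i;
    return () unless defined $action && $action =~ /\?(.*)\z/s;
    my $query = $1;
    my %in_query;
    # Pairs may be separated by ';', '&' or an HTML-escaped '&amp;'.
    $in_query{ (split /=/, $_, 2)[0] } = 1
        for grep { length } split /&amp;|[;&]/, $query;
    return grep { $in_query{$_} } @names;
}

# Constructed environment: no web server is involved, so set the script path
# by hand and seed the query object with the first form's submitted fields.
$ENV{SCRIPT_NAME} = '/cgi-bin/test.cgi';
my $q = CGI->new({ USER_IN => 'jj', ASCS1 => 'Click this button' });
my @hidden = ('USER_IN', 'ASCS1');

my %forms = (
    'default action'  => $q->start_form(-name => 'OV2'),
    'explicit action' => $q->start_form(-name   => 'OV2',
                                        -action => $ENV{SCRIPT_NAME}),
);

print 'CGI.pm ', CGI->VERSION, "\n";
for my $label (sort keys %forms) {
    my @leaked = leaked_params($forms{$label}, @hidden);
    printf "%-16s %s\n", $label,
        @leaked ? "action carries: @leaked" : 'no parameters in action';
}
```

The result for the default action depends on the installed CGI.pm version, which is the difference the ticket describes between 3.15 and 3.29 and later.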