Skip Menu |

This queue is for tickets about the Catalyst-Runtime CPAN distribution.

Report information
The Basics
Id: 50082
Status: resolved
Priority: 0/
Queue: Catalyst-Runtime
People
Owner: bobtfish [...] bobtfish.net
Requestors: miyagawa [...] gmail.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Mon Sep 28 21:59:23 2009 miyagawa [...] gmail.com - Ticket created
Subject: Catalyst::Engine::CGI and HTTP::Request::AsCGI not compatible to Apache CGI PATH_INFO escape
Date: Mon, 28 Sep 2009 18:57:43 -0700
To: bug-Catalyst-Runtime [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
See https://issues.apache.org/bugzilla/show_bug.cgi?id=35256 and RFC 3875: In Apache, lighttpd and many web servers PATH_INFO are always decoded, including URI reserved characters. Looking at the tickets and svn logs in the past, Catalyst has dealt with this bug by masking the bug: fixing HTTP::Request::AsCGI so it won't escape %2c etc. which is not compatible to what Apache does. The partial decoding makes the situation worse since now you can't tell foo%2cbar vs foo%252cbar, and that could become a security hole with double decoding. You can reproduce this bug by creating a CGI file that does TestApp->run from Catalyst- Runtime/t/lib, and access catalyst_test.cgi/chained/capture%2Farg%3B/return_arg/foo%2Fbar%3B which would fail with UNKNOWN_RESOURCE error. Attached patch makes HTTP::Request::AsCGI to decode all characters including URI reserved characters, and let Catalyst::Engine::CGI figure out the original encoded path from $ENV{REQUEST_URI} which unfortunately is not part of CGI RFC 3875, but is available universally (and works with HTTP::Request::AsCGI too). -- Tatsuhiko Miyagawa

Message body is not shown because sender requested not to inline it.

Message body is not shown because sender requested not to inline it.

  Mon Sep 28 22:59:40 2009 miyagawa [...] gmail.com - Correspondence added
Subject: Re: [rt.cpan.org #50082] AutoReply: Catalyst::Engine::CGI and HTTP::Request::AsCGI not compatible to Apache CGI PATH_INFO escape
Date: Mon, 28 Sep 2009 19:59:21 -0700
To: bug-Catalyst-Runtime [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
Actually, SCRIPT_NAME is also decoded by web servers: so we should encode it before doing the regex against REQUEST_URI. Here's a new patch to fix that. This actually fixe another bug, where your Catalyst runner CGI file is named "foo bar.cgi" then all URI mappings just fail. -- Tatsuhiko Miyagawa

Message body is not shown because sender requested not to inline it.

  Mon Nov 30 12:38:31 2009 bobtfish [...] bobtfish.net - Taken
  Mon Nov 30 20:18:17 2009 bobtfish [...] bobtfish.net - Correspondence added
Patches applied and present in the 5.80014_02 dev release. This is planned to be 5.80015 later this week. Thanks a lot! t0m P.S. Please yell at people in #catalyst-dev if your patches get dropped on the floor for over a week. :_)
  Mon Nov 30 20:18:18 2009 The RT System itself - Status changed from 'new' to 'open'
  Mon Nov 30 20:18:20 2009 bobtfish [...] bobtfish.net - Status changed from 'open' to 'resolved'