Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 51109
Status: resolved
Priority: 0/
Queue: CGI
People
Owner: MARKSTOS [...] cpan.org
Requestors: cpan [...] chmrr.net
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Wed Nov 04 11:46:52 2009 cpan [...] chmrr.net - Ticket created
Subject: Infinite-length reads with Content-Length: 0
CGI.pm 3.44 added a mode which reads until EOF is found, if Content-Length isn't found. Unfortunately, the implementation means that it does this if "Content-Length: 0" is specified. This breaks HTTP::Server::Simple::CGI in HTTP/1.1 with keep-alive, for instance, with LWP as a client -- the client hangs indefinitely. The attached patch against 3.48 fixes the problem by adding a "not defined" check.
Subject: content-length-0.patch
diff -ru CGI.pm-3.48/lib/CGI.pm CGI.pm-3.48-patched/lib/CGI.pm --- CGI.pm-3.48/lib/CGI.pm 2009-09-25 11:04:22.000000000 -0400 +++ CGI.pm-3.48-patched/lib/CGI.pm 2009-11-04 11:45:08.000000000 -0500 @@ -663,7 +663,7 @@ if ( $content_length > 0 ) { $self->read_from_client(\$query_string,$content_length,0); } - else { + elsif (not defined $ENV{CONTENT_LENGTH}) { $self->read_from_stdin(\$query_string); # should this be PUTDATA in case of PUT ? my($param) = $meth . 'DATA' ; Only in CGI.pm-3.48-patched/lib: CGI.pm.orig
  Wed Nov 04 12:34:20 2009 yanick+cpan [...] babyl.dyndns.org - Correspondence added
On Wed Nov 04 11:46:52 2009, ALEXMV wrote: Show quoted text
> The attached > patch against 3.48 fixes the problem by adding a "not defined" check.
Thanks! Patch added to the Git repo at http://github.com/yanick/CGI.pm/tree/rt-51109
  Wed Nov 04 12:34:21 2009 The RT System itself - Status changed from 'new' to 'open'
  Wed Nov 04 12:59:56 2009 chmrr [...] chmrr.net - Correspondence added
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0
Date: Wed, 04 Nov 2009 12:59:41 -0500
To: bug-CGI.pm <bug-cgi.pm [...] rt.cpan.org>
From: Alex Vandiver <chmrr [...] chmrr.net>
At Wed Nov 04 12:34:23 -0500 2009, Yanick Champoux via RT wrote: Show quoted text
> Patch added to the Git repo at http://github.com/yanick/CGI.pm/tree/rt-51109
Oh, I hadn't managed to find the git repository previously; I'm glad to see that the current META.yml lists it. Attached is a trivial documentation patch I noticed in passing, in addition. - Alex -- Networking -- only one letter away from not working

Message body is not shown because sender requested not to inline it.

  Wed Nov 04 13:15:50 2009 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0
Date: Wed, 4 Nov 2009 13:15:34 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Thanks. I'll try to finish preparing a new release to recommend to Lincoln soon. I had less computer access and time for a couple weeks as I recovered from a laptop theft, but I've finished setting up replacement system now. Mark
  Sun Nov 08 21:03:12 2009 yanick [...] babyl.dyndns.org - Correspondence added
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0
Date: Sun, 08 Nov 2009 12:06:54 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Yanick Champoux <yanick [...] babyl.dyndns.org>
Alex Vandiver via RT wrote: Show quoted text
> Attached is a trivial documentation patch I noticed in passing, in > addition.
Patch applied. Thanks!
  Wed Nov 18 16:26:14 2009 chmrr [...] chmrr.net - Correspondence added
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0
Date: Wed, 18 Nov 2009 16:25:54 -0500
To: bug-CGI.pm <bug-cgi.pm [...] rt.cpan.org>
From: Alex Vandiver <chmrr [...] chmrr.net>
At Wed Nov 04 13:15:52 -0500 2009, mark@summersault.com via RT wrote: Show quoted text
> Thanks. I'll try to finish preparing a new release to recommend to > Lincoln soon.
Has there been any progress on this? I'd like to release a new version of jifty which depends on a fixed version of CGI.pm, as more people are running into this in the wild. - Alex -- Networking -- only one letter away from not working
  Wed Nov 18 16:33:43 2009 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0
Date: Wed, 18 Nov 2009 16:33:27 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
On Wed, 18 Nov 2009 16:26:15 -0500 "Alex Vandiver via RT" <bug-CGI.pm@rt.cpan.org> wrote: Show quoted text
> Queue: CGI.pm > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=51109 > > > At Wed Nov 04 13:15:52 -0500 2009, mark@summersault.com via RT wrote:
> > Thanks. I'll try to finish preparing a new release to recommend to > > Lincoln soon.
> > Has there been any progress on this? I'd like to release a new > version of jifty which depends on a fixed version of CGI.pm, as more > people are running into this in the wild.
Alex, There is not been progress on this, although I do hear your request for some. In the meantime, feel free to depend on an older version of CGI.pm that meets your needs. Mark
  Thu Nov 19 03:01:07 2009 chmrr [...] chmrr.net - Correspondence added
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0
Date: Thu, 19 Nov 2009 03:00:54 -0500
To: bug-CGI.pm <bug-cgi.pm [...] rt.cpan.org>
From: Alex Vandiver <chmrr [...] chmrr.net>
At Wed Nov 18 16:33:44 -0500 2009, mark@summersault.com via RT wrote: Show quoted text
> feel free to depend on an older version of CGI.pm that meets your > needs.
The difficulty is it is hard to depend on "CGI.pm <= 3.43," and that doesn't prevent some well-meaning person from breakages down the line when they upgrade to the latest-and-greatest CGI.pm later. Show quoted text
> There is not been progress on this, although I do hear your request for > some.
Is there anything I can do to help prep the dist for a release? - Alex -- Networking -- only one letter away from not working
  Thu Nov 19 09:33:31 2009 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0
Date: Thu, 19 Nov 2009 09:33:15 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Show quoted text
> The difficulty is it is hard to depend on "CGI.pm <= 3.43," and that > doesn't prevent some well-meaning person from breakages down the line > when they upgrade to the latest-and-greatest CGI.pm later.
Understood. You also have the option to distribute a private copy (which I realize has it's own drawbacks). Show quoted text
> > There is not been progress on this, although I do hear your request for > > some.
> > Is there anything I can do to help prep the dist for a release?
Yes. You could peer-review and comment on Yanick's patch for this other bug: http://rt.cpan.org/Public/Bug/Display.html?id=50576 I was just getting to that last night when I ran out of time. Do you see a problem alway sending Expires and Max-Age? Is it important to have the options provided to turn off one or the other? I would prefer the simplicity of not having extra options if they aren't needed (or can be reasonably deferred until later when the need is clearer). Mark -- . . . . . . . . . . . . . . . . . . . . . . . . . . . Mark Stosberg Principal Developer mark@summersault.com Summersault, LLC 765-939-9301 ext 202 database driven websites . . . . . http://www.summersault.com/ . . . . . . . .
  Mon Nov 23 21:26:49 2009 MARKSTOS [...] cpan.org - Taken
  Mon Nov 23 21:30:04 2009 MARKSTOS [...] cpan.org - Correspondence added
Subject: CGI.pm release recommended, due to fix for "Infinite-length reads with Content-Length: 0"
RT-Send-CC: lds [...] cpan.org, yanick%2Bcpan [...] babyl.dyndns.org
Lincoln, I have now prepared a recommended release for CGI.pm 3.49 in my github "master" branch. My prep work includes updating the Changes file and bumping the versions. The release recommendation centers around the fix provided through this ticket for a regression introduced in 3.44 as part of improving something else. Just another small bug fix and a documentation update are also included. Here are the updates as they framed in the "Changes" file: ### [BUG FIXES] 1. Fix a regression since 3.44 involving a case when the header includes "Content-Length: 0". Thanks to Alex Vandiver (RT#51109) 2. Suppress uninitialized warnings under -w. Thanks to burak. (RT#50301) [DOCUMENTATION] 1. README was updated to reflect that CGI.pm was moved under ./lib. Thanks to Alex Vandiver.
  Wed Dec 09 21:55:31 2009 MARKSTOS [...] cpan.org - Reference by ticket #52469 added
  Wed Dec 09 22:20:31 2009 MARKSTOS [...] cpan.org - Correspondence added
Subject: Infinite-length reads with Content-Length: 0 (a second look)
RT-Send-CC: lds [...] cpan.org, yanick%2Bcpan [...] babyl.dyndns.org, pi [...] complx.LF.net
I have looked again at this, it appears that the related change between 3.43 and 3.44 strayed from the RFC: The patch was described as: "Patch from Kurt Jaeger to allow HTTP PUT even if the content length is unknown." And can be seen here: http://search.cpan.org/diff?from=CGI.pm-3.43&to=CGI.pm-3.44 The new behavior seems to be in conflict with the CGI RFC, particularly section 4.1.2: " The server MUST set [Content-Length] if and only if the request is accompanied by a message-body entity." http://www.ietf.org/rfc/rfc3875 So the behavior to read from STDIN when content-length is missing appears to be wrong. The same change in the 3.44 release also caused a second bug: #52469: PUT method with empty body seems to freeze CGI->new() http://rt.cpan.org/Public/Bug/Display.html?id=52469 So, rather than accepting the patch as it is proposed, I now recommend that we back-out the related update in 3.44. There appear to be several "Kurt Jaegers" in the world. I'm copying one of them who is hopefully the right one and can provide some more context about the original patch. Mark
  Thu Dec 10 13:59:54 2009 lincoln.stein [...] gmail.com - Correspondence added
CC: lds [...] cpan.org, yanick%2Bcpan [...] babyl.dyndns.org, pi [...] complx.lf.net, pi [...] opsec.eu
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0 (a second look)
Date: Thu, 10 Dec 2009 13:59:37 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Lincoln Stein <lincoln.stein [...] gmail.com>
Here's the Kurt Jaeger who submitted the original PUT patch. Sorry I didn't catch that it breaks RFC behavior: Kurt Jaeger <pi@opsec.eu> Lincoln On Wed, Dec 9, 2009 at 10:20 PM, MARKSTOS via RT <bug-CGI.pm@rt.cpan.org>wrote: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=51109 > > > I have looked again at this, it appears that the related change between > 3.43 and 3.44 strayed from the RFC: > > The patch was described as: > "Patch from Kurt Jaeger to allow HTTP PUT even if the content length is > unknown." > > And can be seen here: > http://search.cpan.org/diff?from=CGI.pm-3.43&to=CGI.pm-3.44 > > The new behavior seems to be in conflict with the CGI RFC, particularly > section 4.1.2: > > " The server MUST set [Content-Length] if and only if the request is > accompanied by a message-body entity." > http://www.ietf.org/rfc/rfc3875 > > So the behavior to read from STDIN when content-length is missing > appears to be wrong. > > The same change in the 3.44 release also caused a second bug: > > #52469: PUT method with empty body seems to freeze CGI->new() > http://rt.cpan.org/Public/Bug/Display.html?id=52469 > > So, rather than accepting the patch as it is proposed, I now recommend > that we back-out the related update in 3.44. > > There appear to be several "Kurt Jaegers" in the world. I'm copying one > of them who is hopefully the right one and can provide some more context > about the original patch. > > Mark >
-- Lincoln D. Stein Director, Informatics and Biocomputing Platform Ontario Institute for Cancer Research 101 College St., Suite 800 Toronto, ON, Canada M5G0A3 416 673-8514 Assistant: Renata Musa <Renata.Musa@oicr.on.ca>
  Thu Dec 10 16:47:13 2009 pi [...] opsec.eu - Correspondence added
CC: bug-CGI.pm [...] rt.cpan.org, lds [...] cpan.org, yanick%2Bcpan [...] babyl.dyndns.org, pi [...] complx.lf.net
Subject: Re: [rt.cpan.org #51109] Infinite-length reads with Content-Length: 0 (a second look)
Date: Thu, 10 Dec 2009 22:46:54 +0100
To: Lincoln Stein <lincoln.stein [...] gmail.com>
From: Kurt Jaeger <pi [...] opsec.eu>
Hi! Show quoted text
> Here's the Kurt Jaeger who submitted the original PUT patch. Sorry I didn't > catch that it breaks RFC behavior:
That's me, the same guy (old and new mail address). I was not aware that it breaks RFC specs. But then it works with my scanner. I'll get in touch with the manufacturer... P.S.: I'm not yet ready to cite the IETF mantra "be liberal in what you accept", but I'm close 8-))) -- pi@opsec.eu +49 171 3101372 11 years to go !
  Fri Feb 05 22:24:11 2010 MARKSTOS [...] cpan.org - Correspondence added
I believe this fix was released today with the 3.49 release of CGI.pm
  Fri Feb 05 22:24:13 2010 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'
  Fri May 23 14:29:34 2014 The RT System itself - Queue changed from CGI.pm to CGI