Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 53733
Status: resolved
Priority: 0/
Queue: CGI
People
Owner: MARKSTOS [...] cpan.org
Requestors: degatcpan [...] ntlworld.com
klchu [...] lbl.gov
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Jan 15 17:11:07 2010 klchu [...] lbl.gov - Ticket created
Subject: CGI plus sign character taint problem
Date: Fri, 15 Jan 2010 14:10:41 -0800
To: bug-CGI.pm [...] rt.cpan.org
From: ken <klchu [...] lbl.gov>
CGI.pm-3.48 perl: This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi OS: Linux ubuntu - 2.6.27-16-generic x86_64 GNU/Linux It can be reproducible in Linux 2.6.22.18-1 x86_64 GNU/Linux Error message: Insecure dependency in require while running with -T switch at /usr/local/share/perl/5.10.0/CGI.pm line 532 In a sample html form with text input enter a single plus sign '+' without quotes. You get the above error. No other characters gives this error. You can put 2 or more plus sign its fine or a plus sign with a space its fine too, '+ ' without quotes. Ken
  Fri Jan 15 17:14:28 2010 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Fri, 15 Jan 2010 17:14:12 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Show quoted text
> CGI.pm-3.48 > perl: > This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi > OS: > Linux ubuntu - 2.6.27-16-generic x86_64 GNU/Linux > It can be reproducible in > Linux 2.6.22.18-1 x86_64 GNU/Linux > > > Error message: > Insecure dependency in require while running with -T switch at > /usr/local/share/perl/5.10.0/CGI.pm line 532 > > In a sample html form with text input enter a single plus sign '+' > without quotes. > You get the above error. No other characters gives this error. > You can put 2 or more plus sign its fine or a plus sign with a space its > fine too, '+ ' without quotes.
Thanks for the report, Ken. Would you be able to provide a more complete example to review? Mark
  Fri Jan 15 17:14:29 2010 The RT System itself - Status changed from 'new' to 'open'
  Fri Jan 15 17:51:09 2010 klchu [...] lbl.gov - Correspondence added
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Fri, 15 Jan 2010 14:50:45 -0800
To: bug-CGI.pm [...] rt.cpan.org
From: ken <klchu [...] lbl.gov>
Mark, Here is url to my test code http://merced.jgi-psf.org/cgi-bin/perltest/test.cgi test.cgi: #!/bin/sh PATH="" export PATH /jgi/tools/perl5/5.10.1/bin/perl -I`pwd` -T test.pl test.pl: use strict; use CGI qw( :standard ); use CGI::Session; use Data::Dumper; $| = 1; my $cgi = new CGI; print header( -type => "text/html" ); print qq{ <html> <form method="post" action="test.cgi" name="searchForm"> <input type="text" maxlength="20" name="search" /> <input type="submit" name="test" value="Submit" /> </form> </html> }; my $searchTerm = param("search"); if($searchTerm ne "") { print "<p>"; print "Search term: $searchTerm\n" } exit(0); Ken mark@summersault.com via RT wrote: Show quoted text
> <URL: http://rt.cpan.org/Ticket/Display.html?id=53733 > > >
>> CGI.pm-3.48 >> perl: >> This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi >> OS: >> Linux ubuntu - 2.6.27-16-generic x86_64 GNU/Linux >> It can be reproducible in >> Linux 2.6.22.18-1 x86_64 GNU/Linux >> >> >> Error message: >> Insecure dependency in require while running with -T switch at >> /usr/local/share/perl/5.10.0/CGI.pm line 532 >> >> In a sample html form with text input enter a single plus sign '+' >> without quotes. >> You get the above error. No other characters gives this error. >> You can put 2 or more plus sign its fine or a plus sign with a space its >> fine too, '+ ' without quotes. >>
> > Thanks for the report, Ken. > > Would you be able to provide a more complete example to review? > > Mark > >
  Sat Jan 16 12:43:32 2010 yanick [...] babyl.dyndns.org - Correspondence added
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Sat, 16 Jan 2010 12:43:19 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: Yanick Champoux <yanick [...] babyl.dyndns.org>
Hmm... I've tried to reproduce the bug locally, and so far I had no luck. I'm using CGI v3.48, and apache2.
  Sat Jan 16 21:40:49 2010 klchu [...] lbl.gov - Correspondence added
Subject: Re: [rt.cpan.org #53733] CGI plus sign character taint problem
Date: Sat, 16 Jan 2010 18:40:20 -0800
To: bug-CGI.pm [...] rt.cpan.org
From: Ken Chu <KLChu [...] lbl.gov>
Apparently it might be a perl 5.10.x bug It completely works fine with perl 5.8.x http://www.perlmonks.org/?node_id=753912 Ken On 1/16/2010 9:43 AM, yanick@babyl.dyndns.org via RT wrote: Show quoted text
> <URL: http://rt.cpan.org/Ticket/Display.html?id=53733> > > Hmm... I've tried to reproduce the bug locally, and so far I had no luck. > > I'm using CGI v3.48, and apache2. > >
  Tue Sep 13 13:29:48 2011 degatcpan [...] ntlworld.com - Ticket #70935: Ticket created
Subject: Spurious "Insecure dependency" error
Minimal code that produces the error - #!/usr/bin/perl -T use CGI; my $cgi = new CGI; print $cgi->header( -charset => 'utf-8' ), $cgi->start_html(), $cgi->start_form( -name => 'form' ), $cgi->table( $cgi->Tr( $cgi->td( # remove this radio group, and using the + or - symbol below does not cause an error $cgi->radio_group( -name => 'test radio', -values => [0..1], -labels => { 0 => 0, 1 => 1 }, -default => 0 ), ), $cgi->td( $cgi->submit( -name => 'test +', -value => '+', # causes 'Insecure dependency in require while running with -T switch' error, (as does '-') ), ), ), ), $cgi->end_form, $cgi->end_html;
  Tue Sep 13 13:49:20 2011 mark [...] summersault.com - Ticket #70935: Correspondence added
Subject: Re: [rt.cpan.org #70935] Spurious "Insecure dependency" error
Date: Tue, 13 Sep 2011 13:49:09 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Thanks for the report, do you have an idea of how to fix it? Mark
  Tue Sep 13 13:49:21 2011 The RT System itself - Ticket #70935: Status changed from 'new' to 'open'
  Tue Sep 13 16:13:56 2011 degatcpan [...] ntlworld.com - Ticket #70935: Correspondence added
On Tue Sep 13 13:49:20 2011, mark@summersault.com wrote: Show quoted text
> > Thanks for the report, do you have an idea of how to fix it? > > Mark
No, the only progress I have made is that you can run the example code from the command line, eg perl -T test.pl "test +=-" and that will produce the error (although strangely "test +=+" does not) Also I updated to version 3.55, which still produces the error. Problem line(s) from 533 of CGI.pm for my $fh (grep {defined(fileno($_))} @$val) { seek($fh,0,0); # reset the filehandle. } When '-' is in the @$val array, the error is generated. If you remove the radio group code in the example, the code above does not get executed, so no error is generated. I do not think I will get further in finding a solution. dan
  Tue Sep 13 16:30:28 2011 mark [...] summersault.com - Ticket #70935: Correspondence added
Subject: Re: [rt.cpan.org #70935] Spurious "Insecure dependency" error
Date: Tue, 13 Sep 2011 16:30:19 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Thanks for looking, Dan. You could also try asking on perlmonks.org or Stack Overflow about this. Otherwise, someone will eventually find this ticket here and work on it. Mark
  Wed Sep 14 11:47:35 2011 degatcpan [...] ntlworld.com - Ticket #70935: Correspondence added
Perlmonks helpfully provided the attached patch (the error is caused by a bug in Perl.) There is an idea to add the following to the patch, although further testing is said to be required. @@ -820,7 +820,7 @@ # put a filehandle into binary mode (DOS) sub binmode { - return unless defined($_[1]) && defined fileno($_[1]); + return unless defined($_[1]) && ref ($_[1]) && defined fileno($_[1]); CORE::binmode($_[1]); } (I need to use the --ignore-whitespace option to patch to get it to stick.)
Subject: cgi.patch
--- C:\perl\5.14.1\lib\CGI.pm 2011-06-03 08:36:31.000000000 -0700 +++ CGI.pm 2011-09-14 07:49:32.031250000 -0700 @@ -513,7 +513,7 @@ my $val = $QUERY_PARAM{$name}; # always an arrayref; $self->param('-name'=>$name,'-value'=> $val); if (defined $val and ref $val eq 'ARRAY') { - for my $fh (grep {defined(fileno($_))} @$val) { + for my $fh (grep {ref($_) and defined(fileno($_))} @$val) { seek($fh,0,0); # reset the filehandle. }
  Wed Sep 14 11:56:58 2011 mark [...] summersault.com - Ticket #70935: Correspondence added
Subject: Re: [rt.cpan.org #70935] Spurious "Insecure dependency" error
Date: Wed, 14 Sep 2011 11:56:49 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Excellent. Thanks. I'll credit you when it appears in a release. Mark
  Wed Aug 15 22:50:04 2012 MARKSTOS [...] cpan.org - Ticket #70935: Taken
  Wed Aug 15 22:50:16 2012 MARKSTOS [...] cpan.org - Ticket #70935: Merged into ticket #53733
  Wed Aug 15 22:50:16 2012 MARKSTOS [...] cpan.org - Merged into ticket #53733
  Wed Aug 15 22:50:51 2012 MARKSTOS [...] cpan.org - Taken
  Wed Aug 15 22:51:10 2012 MARKSTOS [...] cpan.org - Correspondence added
See also: http://www.perlmonks.org/?node=925909
  Wed Aug 15 23:15:36 2012 MARKSTOS [...] cpan.org - Correspondence added
Thanks. I'm releasing the proposed fix today.
  Wed Aug 15 23:15:59 2012 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'
  Fri May 23 14:29:34 2014 The RT System itself - Queue changed from CGI.pm to CGI