Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 60813
Status: resolved
Priority: 0/
Queue: CGI
People
Owner: MARKSTOS [...] cpan.org
Requestors: hanenkamp [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Aug 27 16:36:49 2010 hanenkamp [...] cpan.org - Ticket created
Subject: query_string includes POSTDATA when recreating the query string
If you receive a POST that is not URL encoded or a multipart form and then call query_string(). It will create a query string containing: POSTDATA=... Weak sauce. It is my opinion that the query_string ought to be generated using url_param() rather than param() or at least a notice be stated in the documentation that query_string() might do strange things on anything other than a GET. The workaround is something like: my @pairs; for my $key ($q->url_param) { my @values = $q->url_param($key); push @pairs, join '=', uri_escape($key), uri_escape($_) for @values; } my $query_string = join ';', @pairs; # or '&' if you prefer Or something similar using URI->new->query_form.
  Sat Nov 20 17:44:21 2010 MARKSTOS [...] cpan.org - Taken
  Sat Nov 20 17:49:38 2010 MARKSTOS [...] cpan.org - Correspondence added
RT-Send-CC: yanick-cpan [...] babyl.dyndns.org
On Fri Aug 27 16:36:49 2010, HANENKAMP wrote: Show quoted text
> If you receive a POST that is not URL encoded or a multipart form and > then call query_string(). > It will create a query string containing: > > POSTDATA=... > > Weak sauce. > > It is my opinion that the query_string ought to be generated using > url_param() rather than > param() or at least a notice be stated in the documentation that > query_string() might do > strange things on anything other than a GET. > > The workaround is something like: > > my @pairs; > for my $key ($q->url_param) { > my @values = $q->url_param($key); > push @pairs, join '=', uri_escape($key), uri_escape($_) for > @values; > } > my $query_string = join ';', @pairs; # or '&' if you prefer > > Or something similar using URI->new->query_form.
I agree the current behavior seems buggy. POST requests are not intended to redirected, and translating arbitrary input, like file uploads, into a query string is not reasonable. I like the idea of using url_param() as proposed, but it will surely break some applications that translated simple POST requests into a query_string() without running into this bug. Yanick, what do you think?
  Sat Nov 20 17:49:38 2010 The RT System itself - Status changed from 'new' to 'open'
  Fri Nov 11 22:36:46 2011 MARKSTOS [...] cpan.org - Correspondence added
Thanks for the feedback. This is resolved in 3.58 by clarifying the documentation. I'm concerned if we change the code at this point we'd only discover that it breaks more things than it fixes. Subclassing CGI.pm is one alternative for your own use.
  Fri Nov 11 22:36:47 2011 MARKSTOS [...] cpan.org - Status changed from 'open' to 'resolved'
  Fri May 23 14:29:36 2014 The RT System itself - Queue changed from CGI.pm to CGI