Bug #79027 for CGI: PATH_INFO is not removed if it contains a double slash

Thu Aug 16 19:32:04 2012 lpsolit [...] gmail.com - Ticket created

Subject:	PATH_INFO is not removed if it contains a double slash
Date:	Fri, 17 Aug 2012 01:31:50 +0200
To:	bug-CGI.pm [...] rt.cpan.org
From:	"Frédéric Buclin" <lpsolit [...] gmail.com>

I use the following code to remove PATH_INFO if present: if ($self->path_info) { print $self->redirect($self->url(-path => 0, -query => 1)); } When the URL is https://localhost/bugzilla/index.cgi/plop.cgi/tudu//id=98/klkjlk $self->path_info returns /plop.cgi/tudu//id=98/klkjlk as expected. So I could expect $self->url(-path => 0, -query => 1) to return https://localhost/bugzilla/index.cgi only, but in fact it returns the full URL again. This makes the web application to enter an infinite loop. If I replace the double // by a single one, then CGI redirects the user to the expected URL. As CGI is aware of what PATH_INFO is, it should be able to correctly remove this part from the URL and avoid the infinite loop mentioned above.

Thu Aug 16 19:41:33 2012 lpsolit [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #79027] AutoReply: PATH_INFO is not removed if it contains a double slash
Date:	Fri, 17 Aug 2012 01:41:22 +0200
To:	bug-CGI.pm [...] rt.cpan.org
From:	"Frédéric Buclin" <lpsolit [...] gmail.com>

Note that this problem is reproducible with Apache 2.2.22, but not with IIS 7.5 where the double // is automatically(?) converted into a single one, and so the redirect works correctly.

Thu Aug 16 20:08:23 2012 lpsolit [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #79027] AutoReply: PATH_INFO is not removed if it contains a double slash
Date:	Fri, 17 Aug 2012 02:08:09 +0200
To:	bug-CGI.pm [...] rt.cpan.org
From:	"Frédéric Buclin" <lpsolit [...] gmail.com>

OK, I found what's wrong in CGI.pm (3.59, but I'm pretty sure 3.60 is affected too). In the url() subroutine, $self->path_info and $ENV{PATH_INFO} do not return the same string: $self->path_info returns the correct string, with the double //, while $ENV{PATH_INFO} returns the incorrect string, with the double // replaced by a single one. And so this code no longer does its job (line 2813 in CGI.pm 3.59): $uri =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO}; If you replace this line by: $uri =~ s/\Q$path\E$// if defined $path; then everything works as expected. As you already defined $path at the top of url(), you should use it anyway. While you are on it (and unrelated to this issue), you have a useless $rewrite_in_use variable in the url() subroutine too. ;) I hope you can apply the change above asap. :)

Thu Aug 16 20:17:46 2012 lpsolit [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #79027] AutoReply: PATH_INFO is not removed if it contains a double slash
Date:	Fri, 17 Aug 2012 02:17:33 +0200
To:	bug-CGI.pm [...] rt.cpan.org
From:	"Frédéric Buclin" <lpsolit [...] gmail.com>

I see that CGI 3.40 had the correct code, and it has been changed in 3.41 despite the goal was to fix the query string, not path_info: http://search.cpan.org/diff?from=CGI.pm-3.40&to=CGI.pm-3.41&w=1

Wed Aug 22 09:26:21 2012 mark [...] summersault.com - Correspondence added

Subject:	Re: [rt.cpan.org #79027] PATH_INFO is not removed if it contains a double slash
Date:	Wed, 22 Aug 2012 09:25:50 -0400
To:	bug-cgi.pm [...] rt.cpan.org
From:	Mark Stosberg <mark [...] summersault.com>

Thanks for the report. Please submit a "Test::More" style test for the test case, and also a patch if you are able. Mark

Wed Aug 22 09:26:23 2012 The RT System itself - Status changed from 'new' to 'open'

Thu May 22 08:14:14 2014 LEEJO [...] cpan.org - Correspondence added

This issue has been copied to: https://github.com/leejo/CGI.pm/issues/99 please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.

Fri May 23 14:28:10 2014 The RT System itself - Queue changed from CGI.pm to CGI

Sat Sep 20 10:40:14 2014 LEEJO [...] cpan.org - Correspondence added

Rejecting. This is a backward compatibility hack, as per the comments in the module: 2966 # This function returns a potentially modified version of SCRIPT_NAME 2967 # and PATH_INFO. Some HTTP servers do sanitise the paths in those 2968 # variables. It is the case of at least Apache 2. If for instance the 2969 # user requests: /path/./to/script.cgi/x//y/z/../x?y, Apache will set: 2970 # REQUEST_URI=/path/./to/script.cgi/x//y/z/../x?y 2971 # SCRIPT_NAME=/path/to/env.cgi 2972 # PATH_INFO=/x/y/x 2973 # 2974 # This is all fine except that some bogus CGI scripts expect 2975 # PATH_INFO=/http://foo when the user requests 2976 # http://xxx/script.cgi/http://foo 2977 # 2978 # Old versions of this module used to accomodate with those scripts, so 2979 # this is why we do this here to keep those scripts backward compatible. 2980 # Basically, we accomodate with those scripts but within limits, that is 2981 # we only try to preserve the number of / that were provided by the user 2982 # if $REQUEST_URI and "$SCRIPT_NAME$PATH_INFO" only differ by the number 2983 # of consecutive /. 2984 # 2985 # So for instance, in: http://foo/x//y/script.cgi/a//b, we'll return a 2986 # script_name of /x//y/script.cgi and a path_info of /a//b, but in: 2987 # http://foo/./x//z/script.cgi/a/../b//c, we'll return the versions 2988 # possibly sanitised by the HTTP server, so in the case of Apache 2: 2989 # script_name == /foo/x/z/script.cgi and path_info == /b/c. 2990 # 2991 # Future versions of this module may no longer do that, so one should 2992 # avoid relying on the browser, proxy, server, and CGI.pm preserving the 2993 # number of consecutive slashes as no guarantee can be made there. If you can supply a automated test along with patch i will consider apply it. Otherwise i'm considering this a "won't fix".

Sat Sep 20 10:40:20 2014 LEEJO [...] cpan.org - Status changed from 'open' to 'rejected'

Bug #79027 for CGI: PATH_INFO is not removed if it contains a double slash

Preferred bug tracker