Your message dated Thu, 20 Aug 2009 11:34:01 +0000
with message-id <[email protected]>
and subject line Bug#493965: fixed in perl 5.10.1~rc2-1
has caused the Debian Bug report #493965,
regarding CGI.pm: script_name() include the GET query if it contains //
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
493965: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493965
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl-modules
Version: 5.10.0-11.1
Severity: normal
Tags: patch
Note: this bug has already been reported upstreams and I've
submitted my patch there as well.
http://rt.cpan.org/Public/Bug/Display.html?id=17441
There are a number of issues with the way the CGI.pm constructs
script_name() to work-around an alledged bug in Apache.
If /path/to/script.cgi?x=//
is requested, script_name() returns /path/to/script.cgi?x=//
instead of /path/to/script.cgi. That is known to break
gnatsweb.pl at least.
If /path/to/script.cgi/script.cgi is requested, script_name()
returns /path/to instead of /path/to/script.cgi
The bug was introduced in CGI.pm 3.11.
I'm attaching a patch. In my opinion, the patch still isn't the
right thing to do as I don't think Apache behavior is a bug, but
because we may not want to break scripts that wrongly relied on
dupplicated "/" to be preserved, it tries to accomodate with
them.
The patch includes a comment that tries to clarify why we do
that which I reproduce here:
# This function returns a potentially modified version of SCRIPT_NAME
# and PATH_INFO. Some HTTP servers do sanitise the paths in those
# variables. It is the case of at least Apache 2. If for instance the
# user requests: /path/./to/script.cgi/x//y/z/../x?y, Apache will set:
# REQUEST_URI=/path/./to/script.cgi/x//y/z/../x?y
# SCRIPT_NAME=/path/to/env.cgi
# PATH_INFO=/x/y/x
#
# This is all fine except that some bogus CGI scripts expect
# PATH_INFO=/http://foo when the user requests
# http://xxx/script.cgi/http://foo
#
# Old versions of this module used to accomodate with those scripts, so
# this is why we do this here to keep those scripts backward compatible.
# Basically, we accomodate with those scripts but within limits, that is
# we only try to preserve the number of / that were provided by the user
# if $REQUEST_URI and "$SCRIPT_NAME$PATH_INFO" only differ by the number
# of consecutive /.
#
# So for instance, in: http://foo/x//y/script.cgi/a//b, we'll return a
# script_name of /x//y/script.cgi and a path_info of /a//b, but in:
# http://foo/./x//z/script.cgi/a/../b//c, we'll return the versions
# possibly sanitised by the HTTP server, so in the case of Apache 2:
# script_name == /foo/x/z/script.cgi and path_info == /b/c.
#
# Future versions of this module may no longer do that, so one should
# avoid relying on the browser, proxy, server, and CGI.pm preserving the
# number of consecutive slashes as no guarantee can be made there.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26 (PREEMPT)
Locale: LANG=en_GB.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages perl-modules depends on:
ii perl 5.10.0-11.1 Larry Wall's Practical Extraction
perl-modules recommends no packages.
perl-modules suggests no packages.
-- debconf-show failed
--- CGI.pm.orig 2008-07-29 16:00:05.000000000 +0100
+++ CGI.pm 2008-08-06 08:31:04.000000000 +0100
@@ -2849,30 +2849,58 @@
}
END_OF_FUNC
-# WE USE THIS TO COMPENSATE FOR A BUG IN APACHE 2 PRESENT AT LEAST UP THROUGH
2.0.54
+# This function returns a potentially modified version of SCRIPT_NAME
+# and PATH_INFO. Some HTTP servers do sanitise the paths in those
+# variables. It is the case of at least Apache 2. If for instance the
+# user requests: /path/./to/script.cgi/x//y/z/../x?y, Apache will set:
+# REQUEST_URI=/path/./to/script.cgi/x//y/z/../x?y
+# SCRIPT_NAME=/path/to/env.cgi
+# PATH_INFO=/x/y/x
+#
+# This is all fine except that some bogus CGI scripts expect
+# PATH_INFO=/http://foo when the user requests
+# http://xxx/script.cgi/http://foo
+#
+# Old versions of this module used to accomodate with those scripts, so
+# this is why we do this here to keep those scripts backward compatible.
+# Basically, we accomodate with those scripts but within limits, that is
+# we only try to preserve the number of / that were provided by the user
+# if $REQUEST_URI and "$SCRIPT_NAME$PATH_INFO" only differ by the number
+# of consecutive /.
+#
+# So for instance, in: http://foo/x//y/script.cgi/a//b, we'll return a
+# script_name of /x//y/script.cgi and a path_info of /a//b, but in:
+# http://foo/./x//z/script.cgi/a/../b//c, we'll return the versions
+# possibly sanitised by the HTTP server, so in the case of Apache 2:
+# script_name == /foo/x/z/script.cgi and path_info == /b/c.
+#
+# Future versions of this module may no longer do that, so one should
+# avoid relying on the browser, proxy, server, and CGI.pm preserving the
+# number of consecutive slashes as no guarantee can be made there.
'_name_and_path_from_env' => <<'END_OF_FUNC',
sub _name_and_path_from_env {
- my $self = shift;
- my $raw_script_name = $ENV{SCRIPT_NAME} || '';
- my $raw_path_info = $ENV{PATH_INFO} || '';
- my $uri = unescape($self->request_uri) || '';
-
- my $protected = quotemeta($raw_path_info);
- $raw_script_name =~ s/$protected$//;
-
- my @uri_double_slashes = $uri =~ m^(/{2,}?)^g;
- my @path_double_slashes = "$raw_script_name $raw_path_info" =~ m^(/{2,}?)^g;
-
- my $apache_bug = @uri_double_slashes != @path_double_slashes;
- return ($raw_script_name,$raw_path_info) unless $apache_bug;
-
- my $path_info_search = quotemeta($raw_path_info);
- $path_info_search =~ s!/!/+!g;
- if ($uri =~ m/^(.+)($path_info_search)/) {
- return ($1,$2);
- } else {
- return ($raw_script_name,$raw_path_info);
- }
+ my $self = shift;
+ my $script_name = $ENV{SCRIPT_NAME} || '';
+ my $path_info = $ENV{PATH_INFO} || '';
+ my $uri = $self->request_uri || '';
+
+ $uri =~ s/\?.*//s;
+ $uri = unescape($uri);
+
+ if ($uri ne "$script_name$path_info") {
+ my $script_name_pattern = quotemeta($script_name);
+ my $path_info_pattern = quotemeta($path_info);
+ $script_name_pattern =~ s{(?:\\/)+}{/+}g;
+ $path_info_pattern =~ s{(?:\\/)+}{/+}g;
+
+ if ($uri =~ /^($script_name_pattern)($path_info_pattern)$/s) {
+ # REQUEST_URI and SCRIPT_NAME . PATH_INFO only differ by the
+ # numer of consecutive slashes, so we can extract the info from
+ # REQUEST_URI:
+ ($script_name, $path_info) = ($1, $2);
+ }
+ }
+ return ($script_name,$path_info);
}
END_OF_FUNC
--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.10.1~rc2-1
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.10.1~rc2-1_all.deb
to pool/main/p/perl/libcgi-fast-perl_5.10.1~rc2-1_all.deb
perl-doc_5.10.1~rc2-1_all.deb
to pool/main/p/perl/perl-doc_5.10.1~rc2-1_all.deb
perl-modules_5.10.1~rc2-1_all.deb
to pool/main/p/perl/perl-modules_5.10.1~rc2-1_all.deb
perl_5.10.1~rc2-1.diff.gz
to pool/main/p/perl/perl_5.10.1~rc2-1.diff.gz
perl_5.10.1~rc2-1.dsc
to pool/main/p/perl/perl_5.10.1~rc2-1.dsc
perl_5.10.1~rc2.orig.tar.gz
to pool/main/p/perl/perl_5.10.1~rc2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 19 Aug 2009 23:39:54 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid
libperl5.10 libperl-dev perl
Architecture: all source
Version: 5.10.1~rc2-1
Distribution: experimental
Urgency: low
Maintainer: Brendan O'Dea <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Closes: 318579 351373 402046 457326 479638 483144 493965 508183 508696 511589
516129 527023 527039 531770 533380 538005
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl5.10 - Shared Perl library
libperl-dev - Perl library: development files
perl-base - minimal Perl system
perl-debug - Debug-enabled Perl interpreter
perl-doc - Perl documentation
perl - Larry Wall's Practical Extraction and Report Language
perl-modules - Core Perl modules
perl-suid - Runs setuid Perl scripts
Changes:
perl (5.10.1~rc2-1) experimental; urgency=low
.
* New upstream release candidate.
+ Archive::Tar now supports bzip2 files. (Closes: #457326)
+ Module::CoreList now includes ExtUtils::Miniperl. (Closes: #508696)
+ ExtUtils::Manifest now handles whitespace correctly. (Closes: #538005)
+ CGI.pm unwanted UTF-8 conversion in URLs is fixed. (Closes: #516129)
+ FileCache needs symbolic references, documentation updated.
(Closes: #318579)
+ perldoc.pod now references perlpod.pod. (Closes: #479638)
+ Long regular expressions work again. (Closes: #527039)
+ File::Temp::tempfile now supports TMPDIR. (Closes: #351373)
+ File::Temp now works with ACLs. (Closes: #531770)
+ IPC::Cmd now works with arrayrefs. (Closes: #533380)
+ perlpod.pod documentation fix: =encoding affects the whole document.
(Closes: #527023)
+ CPAN.pm no longer passes make arguments through to Build.
(Closes: #508183)
+ using the same lexically scoped variable in a foreach loop twice
no longer segfaults. (Closes: #511589)
+ unwanted filehandle stringification in CGI.pm is fixed. (Closes: #483144)
+ script_name() in CGI.pm is fixed. (Closes: #493965)
+ revision information removed from perlfaq whatis entries
(Closes: #402046)
* Updated the conflicts list for the various dual-lived modules.
* Added conflicts/replaces/provides for
+ libio-compress-perl
+ libcompress-raw-bzip2-perl
+ libthreads-perl
+ libthreads-shared-perl
+ libparse-cpan-meta-perl
+ libparent-perl
+ libautodie-perl
* Update the search path in the h2ph check. Thanks to Marius Vollmer.
* Build-Depend on libbz2-dev instead of using the bundled library in
ext/Compress-Raw-Bzip2.
Checksums-Sha1:
529294f8474e379fd5f225457542231f7e49552c 3468282
perl-modules_5.10.1~rc2-1_all.deb
792ac1b3f675d8ea57050902c64097667cd79374 7152692 perl-doc_5.10.1~rc2-1_all.deb
810ac8c1728404eedb2e71a4f21b14e583fefffd 14118329 perl_5.10.1~rc2.orig.tar.gz
c3a7f9144f277cbc28f01adc84e632dd98bf8f62 86067 perl_5.10.1~rc2-1.diff.gz
e0a77da07d8f1a9d7cbc4ebbf4886fcc6e23daaf 50058
libcgi-fast-perl_5.10.1~rc2-1_all.deb
ecb042fce4690f46b6fbf0a08042feaae1bb149b 1399 perl_5.10.1~rc2-1.dsc
Checksums-Sha256:
1d1744f9f1c98a9eaa58735dda9f201fb2d3750ff4dbac4c6bc00827280f6fd5 3468282
perl-modules_5.10.1~rc2-1_all.deb
404b79b17073ba952d0884009c6fc45d5ba3006771066f5ffa23deb0348cc8a6 50058
libcgi-fast-perl_5.10.1~rc2-1_all.deb
5d73bb2f9855ca98e1ccfb7fa36d2e084f6b1dc36f72e090ccba8f582a3e29b9 86067
perl_5.10.1~rc2-1.diff.gz
97365da40425f183e830c24d18e83d76969dcef49b7490f0fc6c1bd952e8bfd2 7152692
perl-doc_5.10.1~rc2-1_all.deb
cbc0166f09ee68646b535eab3eb34d240be331bb8878e0f3f7072cf6d8053ca2 14118329
perl_5.10.1~rc2.orig.tar.gz
fa6af7a63944d1a09ca89b6c0ad1dc4101e58de8857009cf06c52e43821811db 1399
perl_5.10.1~rc2-1.dsc
Files:
11a6082b10facb9894b429cc80d88bc2 7152692 doc optional
perl-doc_5.10.1~rc2-1_all.deb
70c89ca4096a8a8367a139f3e02b3c98 3468282 perl standard
perl-modules_5.10.1~rc2-1_all.deb
b6052c3126a3dbcf8186bfa035f8ef62 86067 perl standard perl_5.10.1~rc2-1.diff.gz
f232b448a123049f1044231b475bb29c 50058 perl optional
libcgi-fast-perl_5.10.1~rc2-1_all.deb
f6f0772ddf7fc5a34c49dab51bed4150 1399 perl standard perl_5.10.1~rc2-1.dsc
f8859c4b7fb7680b1e93ef9ce05b03f5 14118329 perl standard
perl_5.10.1~rc2.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqNJeoACgkQiyizGWoHLTkjUQCfQVrbht/9EBTxIP/1jMHlSKSh
Hd0An0Hnr+iS9GYPj09kPeGdS5nE1Qkj
=A55s
-----END PGP SIGNATURE-----
--- End Message ---
