Hi, If I have a PerlRun script, e.g., http://localhost/test/script, and call it using a URL with special symbols like '(' in path_info, PerlRun fails with server error. For example, calling http://localhost/test/script/( produces this error:
[Thu Mar 22 10:24:57 2007] [error] Unmatched ( in regex; marked by <-- HERE in m//( <-- HERE $/ at /usr/local/lib/perl5/site_perl/5.8.8/mach/Apache/PerlRun.pm line 171. The problem is due to unescaped variable interpolation in regular expression $uri =~ /$path_info$/ in sub namespace_from: my $path_info = $r->path_info; my $script_name = $path_info && $uri =~ /$path_info$/ ? substr($uri, 0, length($uri)-length($path_info)) : $uri; I think the same problem is also present in mod_perl2, but I do not have it installed and cannot verify if it is actually broken. The suspicious code is in ModPerl::RegistryCooker, sub namespace_from_uri: my $path_info = $self->{REQ}->path_info; my $script_name = $path_info && $self->{URI} =~ /$path_info$/ ? substr($self->{URI}, 0, length($self->{URI}) - length($path_info)) : $self->{URI}; I do not think this is security problem because regular expression will not execute (?{ arbitrary code here }) unless "use re 'eval'" is in effect, but this is a problem that has to be fixed anyway. -- Alex