Package: perl-modules
Severity: important
Tags: patch
Context:
The url() method, when REQUEST_URI contains
some variables with a newline.
The unescape call yields a literal newline character,
and the dot in the regex cannot match it.
See the line:
$script_name =~ s/\?.+$// ;
So when a variable in the query string contains a newline,
the query string cannot be stripped from script_name.
--- /usr/share/perl/5.8.4/CGI.pm 2005-01-10 17:45:12.000000000 +0100
+++ /usr/share/perl/5.8.4/CGI.pm.orig 2004-12-11 14:17:53.000000000 +0100
@@ -2528,41 +2528,41 @@
#### Method: url
# Like self_url, but doesn't return the query string part of
# the URL.
####
'url' => <<'END_OF_FUNC',
sub url {
my($self,@p) = self_or_default(@_);
my ($relative,$absolute,$full,$path_info,$query,$base) =
rearrange(['RELATIVE','ABSOLUTE','FULL',['PATH','PATH_INFO'],['QUERY','QUERY_STRING'],'BASE'],@p);
my $url;
$full++ if $base || !($relative || $absolute);
my $path = $self->path_info;
my $script_name = $self->script_name;
# for compatibility with Apache's MultiViews
if (exists($ENV{REQUEST_URI})) {
my $index;
$script_name = unescape($ENV{REQUEST_URI});
- $script_name =~ s/\?.+$//s; # strip query string
+ $script_name =~ s/\?.+$//; # strip query string
# and path
if (exists($ENV{PATH_INFO})) {
my $encoded_path = unescape($ENV{PATH_INFO});
$script_name =~ s/\Q$encoded_path\E$//i;
}
}
if ($full) {
my $protocol = $self->protocol();
$url = "$protocol://";
my $vh = http('host');
if ($vh) {
$url .= $vh;
} else {
$url .= server_name();
my $port = $self->server_port;
$url .= ":" . $port
unless (lc($protocol) eq 'http' && $port == 80)
|| (lc($protocol) eq 'https' && $port == 443);
}
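Review bot: The patch is generated in the reverse direction: `---` names the modified CGI.pm and `+++` names CGI.pm.orig, so at the query-string strip after `unescape($ENV{REQUEST_URI})` the `+` line is the old code without `/s`, and applying it as posted would remove the fix rather than add it; regenerate it as `diff -u CGI.pm.orig CGI.pm`. Independently of direction, the strip still runs on the already-decoded value, so a `%3F` in the path decodes to `?` and truncates the script name, and `.+` leaves a bare trailing `?` in place. Stripping before decoding avoids both: `(my $uri = $ENV{REQUEST_URI}) =~ s/\?.*\z//s; $script_name = unescape($uri);`. Because the unstripped remainder ends up in the returned URL with a literal newline, callers that place url() output in a redirect header or in HTML should be checked as well (inferred; no caller is visible here). The body of `url` continues past the end of the hunk.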
--
____________________________________________________________
/ Erwan MAS /\
| mailto:[EMAIL PROTECTED] |_/
___|________________________________________________________ |
\___________________________________________________________\__/