Hello community,

here is the log from the commit of package perl-CGI for openSUSE:Factory 
checked in at 2019-05-03 22:27:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-CGI (Old)
 and      /work/SRC/openSUSE:Factory/.perl-CGI.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-CGI"

Fri May  3 22:27:46 2019 rev:12 rq:700229 version:4.43

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-CGI/perl-CGI.changes        2019-03-28 
22:44:52.723090854 +0100
+++ /work/SRC/openSUSE:Factory/.perl-CGI.new.5148/perl-CGI.changes      
2019-05-03 22:27:51.984355388 +0200
@@ -1,0 +2,11 @@
+Thu May  2 05:03:14 UTC 2019 - Stephan Kulow <[email protected]>
+
+- updated to 4.43
+   see /usr/share/doc/packages/perl-CGI/Changes
+
+  4.43 2019-05-01
+  
+      [ FIX / TESTING ]
+      - support unquoted multipart/form-data name values (GH #234)
+
+-------------------------------------------------------------------

Old:
----
  CGI-4.42.tar.gz

New:
----
  CGI-4.43.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-CGI.spec ++++++
--- /var/tmp/diff_new_pack.kUugy2/_old  2019-05-03 22:27:52.556355199 +0200
+++ /var/tmp/diff_new_pack.kUugy2/_new  2019-05-03 22:27:52.556355199 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           perl-CGI
-Version:        4.42
+Version:        4.43
 Release:        0
 %define cpan_name CGI
 Summary:        Handle Common Gateway Interface requests and responses

++++++ CGI-4.42.tar.gz -> CGI-4.43.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/Changes new/CGI-4.43/Changes
--- old/CGI-4.42/Changes        2019-03-26 17:27:01.000000000 +0100
+++ new/CGI-4.43/Changes        2019-05-01 09:58:26.000000000 +0200
@@ -1,3 +1,8 @@
+4.43 2019-05-01
+
+    [ FIX / TESTING ]
+    - support unquoted multipart/form-data name values (GH #234)
+
 4.42 2019-03-26
 
     [ DOCUMENTATION ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/MANIFEST new/CGI-4.43/MANIFEST
--- old/CGI-4.42/MANIFEST       2019-03-26 17:29:14.000000000 +0100
+++ new/CGI-4.43/MANIFEST       2019-05-01 16:27:11.000000000 +0200
@@ -82,6 +82,8 @@
 t/upload.t
 t/uploadInfo.t
 t/upload_post_text.txt
+t/upload_post_quoted_unquoted.txt
+t/upload_quoted_unquoted.t
 t/url.t
 t/user_agent.t
 t/utf8.t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/META.json new/CGI-4.43/META.json
--- old/CGI-4.42/META.json      2019-03-26 17:29:14.000000000 +0100
+++ new/CGI-4.43/META.json      2019-05-01 16:27:11.000000000 +0200
@@ -79,6 +79,6 @@
          "web" : "https://github.com/leejo/CGI.pm";
       }
    },
-   "version" : "4.42",
+   "version" : "4.43",
    "x_serialization_backend" : "JSON::PP version 2.97001"
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/META.yml new/CGI-4.43/META.yml
--- old/CGI-4.42/META.yml       2019-03-26 17:29:14.000000000 +0100
+++ new/CGI-4.43/META.yml       2019-05-01 16:27:10.000000000 +0200
@@ -48,5 +48,5 @@
   homepage: https://metacpan.org/module/CGI
   license: http://dev.perl.org/licenses/
   repository: https://github.com/leejo/CGI.pm
-version: '4.42'
+version: '4.43'
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/CGI/Carp.pm new/CGI-4.43/lib/CGI/Carp.pm
--- old/CGI-4.42/lib/CGI/Carp.pm        2019-03-26 17:26:14.000000000 +0100
+++ new/CGI-4.43/lib/CGI/Carp.pm        2019-05-01 09:58:26.000000000 +0200
@@ -327,7 +327,7 @@
 
 $main::SIG{__WARN__}=\&CGI::Carp::warn;
 
-$CGI::Carp::VERSION     = '4.42';
+$CGI::Carp::VERSION     = '4.43';
 $CGI::Carp::CUSTOM_MSG  = undef;
 $CGI::Carp::DIE_HANDLER = undef;
 $CGI::Carp::TO_BROWSER  = 1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/CGI/Cookie.pm 
new/CGI-4.43/lib/CGI/Cookie.pm
--- old/CGI-4.42/lib/CGI/Cookie.pm      2019-03-26 17:26:19.000000000 +0100
+++ new/CGI-4.43/lib/CGI/Cookie.pm      2019-05-01 09:58:26.000000000 +0200
@@ -5,7 +5,7 @@
 
 use if $] >= 5.019, 'deprecate';
 
-our $VERSION='4.42';
+our $VERSION='4.43';
 
 use CGI::Util qw(rearrange unescape escape);
 use overload '""' => \&as_string, 'cmp' => \&compare, 'fallback' => 1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/CGI/File/Temp.pm 
new/CGI-4.43/lib/CGI/File/Temp.pm
--- old/CGI-4.42/lib/CGI/File/Temp.pm   2019-03-26 17:26:11.000000000 +0100
+++ new/CGI-4.43/lib/CGI/File/Temp.pm   2019-05-01 09:58:26.000000000 +0200
@@ -3,7 +3,7 @@
 # you use it directly and your code breaks horribly.
 package CGI::File::Temp;
 
-$CGI::File::Temp::VERSION = '4.42';
+$CGI::File::Temp::VERSION = '4.43';
 
 use parent File::Temp;
 use parent Fh;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/CGI/Pretty.pm 
new/CGI-4.43/lib/CGI/Pretty.pm
--- old/CGI-4.42/lib/CGI/Pretty.pm      2019-03-26 17:26:22.000000000 +0100
+++ new/CGI-4.43/lib/CGI/Pretty.pm      2019-05-01 09:58:26.000000000 +0200
@@ -6,7 +6,7 @@
 use if $] >= 5.019, 'deprecate';
 use CGI ();
 
-$CGI::Pretty::VERSION = '4.42';
+$CGI::Pretty::VERSION = '4.43';
 $CGI::DefaultClass = __PACKAGE__;
 @CGI::Pretty::ISA = qw( CGI );
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/CGI/Push.pm new/CGI-4.43/lib/CGI/Push.pm
--- old/CGI-4.42/lib/CGI/Push.pm        2019-03-26 17:26:24.000000000 +0100
+++ new/CGI-4.43/lib/CGI/Push.pm        2019-05-01 09:58:26.000000000 +0200
@@ -6,7 +6,7 @@
 use warnings;
 #/;
 
-$CGI::Push::VERSION='4.42';
+$CGI::Push::VERSION='4.43';
 use CGI;
 use CGI::Util 'rearrange';
 @ISA = ('CGI');
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/CGI/Util.pm new/CGI-4.43/lib/CGI/Util.pm
--- old/CGI-4.42/lib/CGI/Util.pm        2019-03-26 17:26:17.000000000 +0100
+++ new/CGI-4.43/lib/CGI/Util.pm        2019-05-01 09:58:26.000000000 +0200
@@ -6,7 +6,7 @@
 our @EXPORT_OK = qw(rearrange rearrange_header make_attributes unescape escape
         expires ebcdic2ascii ascii2ebcdic);
 
-our $VERSION = '4.42';
+our $VERSION = '4.43';
 
 our $_EBCDIC = "\t" ne "\011";
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/CGI.pm new/CGI-4.43/lib/CGI.pm
--- old/CGI-4.42/lib/CGI.pm     2019-03-26 17:26:32.000000000 +0100
+++ new/CGI-4.43/lib/CGI.pm     2019-05-01 09:58:26.000000000 +0200
@@ -8,7 +8,7 @@
 use warnings;
 #/;
 
-$CGI::VERSION='4.42';
+$CGI::VERSION='4.43';
 
 use CGI::Util qw(rearrange rearrange_header make_attributes unescape escape 
expires ebcdic2ascii ascii2ebcdic);
 
@@ -3343,7 +3343,7 @@
 
        $header{'Content-Disposition'} ||= ''; # quench uninit variable warning
 
-       my($param)= $header{'Content-Disposition'}=~/[\s;]name="([^"]*)"/;
+       my $param = _mp_value_parse( $header{'Content-Disposition'},'name' );
         $param .= $TAINTED;
 
         # See RFC 1867, 2183, 2045
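Review bot: The call to `_mp_value_parse` on the added line returns the name exactly as it appeared in the header, so a quoted name keeps its backslash escapes (the new test looks the field up as `why do \"this\"` with the backslashes still present), and nothing at the call site says so. A comment here would make that contract visible, for example `# name is returned as sent: \" inside a quoted value is not unescaped`. The helper also returns undef when the header has no name parameter, and the next line then appends `$TAINTED` to it. Whether the code further down treats that as a missing name cannot be confirmed from here, because the enclosing sub starts and ends outside the hunk.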
@@ -3450,6 +3450,28 @@
     }
 }
 
+sub _mp_value_parse {
+       my ( $string,$field ) = @_;
+
+       my $is_quoted = $string =~/[\s;]$field="/ ? 1 : 0;
+       my $param;
+
+       if ( $is_quoted ) {
+               # a quoted token cannot contain anything but an unescaped quote
+               ($param) = $string =~/[\s;]$field="((?:\\"|[^"])*)"/;
+       } else {
+               # a plain token cannot contain any reserved characters
+               # https://tools.ietf.org/html/rfc2616#section-2.2
+               # separators     = "(" | ")" | "<" | ">" | "@"
+               #                | "," | ";" | ":" | "\" | <">
+               #                | "/" | "[" | "]" | "?" | "="
+               #                | "{" | "}" | SP | HT
+               ($param) = $string 
=~/[\s;]$field=([^\(\)<>\@,;:\\"\/\[\]\?=\{\} \015\n\t]*)/;
+       }
+
+       return $param;
+}
+
 #####
 # subroutine: read_multipart_related
 #
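Review bot: The `$is_quoted` probe in `_mp_value_parse` searches the whole header independently of the capture that follows, so a `name="` occurring later in the string (for instance inside another parameter's quoted value) selects the quoted branch even when the first `name=` is an unquoted token; because the header is client-supplied, the field name reported here can then differ from what an upstream filter or proxy reads from the same header. Deciding quoted versus unquoted at a single match position, with one pattern of the form `/[\s;]\Q$field\E=(?:"(quoted-body)"|(token-body))/` that reuses the two existing bodies, removes that ambiguity, and `\Q$field\E` keeps the field argument literal should a caller ever pass something other than `'name'`. The comment on the quoted branch reads inverted and probably means `# a quoted value may contain anything except an unescaped quote`. The unquoted class also permits an empty match and control bytes other than CR, LF and TAB, which is wider than the RFC 2616 token the comment cites.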
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/lib/Fh.pm new/CGI-4.43/lib/Fh.pm
--- old/CGI-4.42/lib/Fh.pm      2019-03-26 17:26:09.000000000 +0100
+++ new/CGI-4.43/lib/Fh.pm      2019-05-01 09:58:26.000000000 +0200
@@ -5,6 +5,6 @@
 use strict;
 use warnings;
 
-$Fh::VERSION = '4.42';
+$Fh::VERSION = '4.43';
 
 1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/t/upload_post_quoted_unquoted.txt 
new/CGI-4.43/t/upload_post_quoted_unquoted.txt
--- old/CGI-4.42/t/upload_post_quoted_unquoted.txt      1970-01-01 
01:00:00.000000000 +0100
+++ new/CGI-4.43/t/upload_post_quoted_unquoted.txt      2019-05-01 
09:58:26.000000000 +0200
@@ -0,0 +1,27 @@
+------MyGreatBoundary
+Content-Type: text/plain; charset=utf-8
+Content-Disposition: form-data; name=code
+
+4019300163786
+------MyGreatBoundary
+Content-Type: text/plain; charset=utf-8
+Content-Disposition: form-data; name="word"
+
+squeaky
+------MyGreatBoundary
+Content-Type: text/plain; charset=utf-8
+Content-Disposition: form-data; name="why do \"this\""
+
+because
+------MyGreatBoundary
+Content-Type: text/plain; charset=utf-8
+Content-Disposition: form-data; name="hate ()<>@,;:[]?={}      /\""
+
+really hateful
+------MyGreatBoundary
+Content-Type: text/plain; charset=utf-8
+Content-Disposition: form-data; name=éttu
+
+oui
+------MyGreatBoundary--
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CGI-4.42/t/upload_quoted_unquoted.t 
new/CGI-4.43/t/upload_quoted_unquoted.t
--- old/CGI-4.42/t/upload_quoted_unquoted.t     1970-01-01 01:00:00.000000000 
+0100
+++ new/CGI-4.43/t/upload_quoted_unquoted.t     2019-05-01 09:58:26.000000000 
+0200
@@ -0,0 +1,78 @@
+#!/usr/local/bin/perl -w
+
+use strict;
+use Test::More 'no_plan';
+use CGI qw/ :cgi /;
+use utf8;
+
+my %myenv;
+
+BEGIN {
+    %myenv = (
+        'SCRIPT_NAME'       => '/test.cgi',
+        'SERVER_NAME'       => 'perl.org',
+        'HTTP_CONNECTION'   => 'TE, close',
+        'REQUEST_METHOD'    => 'POST',
+        'SCRIPT_URI'        => 'http://www.perl.org/test.cgi',
+        'CONTENT_LENGTH'    => 3285,
+        'SCRIPT_FILENAME'   => '/home/usr/test.cgi',
+        'SERVER_SOFTWARE'   => 'Apache/1.3.27 (Unix) ',
+        'HTTP_TE'           => 'deflate,gzip;q=0.3',
+        'QUERY_STRING'      => '',
+        'REMOTE_PORT'       => '1855',
+        'HTTP_USER_AGENT'   => 'Mozilla/5.0 (compatible; Konqueror/2.1.1; 
X11)',
+        'SERVER_PORT'       => '80',
+        'REMOTE_ADDR'       => '127.0.0.1',
+        'CONTENT_TYPE'      => 'multipart/form-data; 
boundary="----MyGreatBoundary',
+        'SERVER_PROTOCOL'   => 'HTTP/1.1',
+        'PATH'              => '/usr/local/bin:/usr/bin:/bin',
+        'REQUEST_URI'       => '/test.cgi',
+        'GATEWAY_INTERFACE' => 'CGI/1.1',
+        'SCRIPT_URL'        => '/test.cgi',
+        'SERVER_ADDR'       => '127.0.0.1',
+        'DOCUMENT_ROOT'     => '/home/develop',
+        'HTTP_HOST'         => 'www.perl.org'
+    );
+
+    for my $key (keys %myenv) {
+        $ENV{$key} = $myenv{$key};
+    }
+}
+
+END {
+    for my $key (keys %myenv) {
+        delete $ENV{$key};
+    }
+}
+
+my $q;
+
+{
+    local *STDIN;
+    open STDIN, '<t/upload_post_quoted_unquoted.txt'
+        or die 'missing test file t/upload_post_quoted_unquoted.txt';
+    binmode STDIN;
+    $q = CGI->new;
+}
+
+note explain $q;
+
+# simple names
+is( $q->param('code'),'4019300163786','code' );
+is( $q->param('word'),'squeaky','word' );
+
+TODO: {
+       # may need to MIME encode the name value in this case
+       local $TODO = "->param borked with non-ascii?";
+       is( $q->param('éttu'),'oui','éttu' );
+};
+
+# hateful names
+is( $q->param('why do \"this\"'),'because','quoted with quote' );
+is(
+       $q->param("hate ()<>@,;:[]?={}\t/\\\""),
+       'really hateful',
+       'reserved chars',
+);
+
+# vim: nospell
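Review bot: The fixture exercises only well-formed headers, so nothing pins what `_mp_value_parse` does with malformed client input: a part with no `name` parameter, an empty unquoted `name=`, an unterminated quoted value, or an unquoted `name=` followed by another parameter whose quoted value contains `name="`. Adding parts for those cases, with assertions on the resulting `param` list, would turn the parser's handling of bad input into a tested contract rather than a side effect of the regexes. Separately, `CONTENT_TYPE` carries `boundary="----MyGreatBoundary` with an opening quote and no closing one, and `CONTENT_LENGTH` is fixed at 3285 although the 27-line fixture is far shorter; both look carried over from another test and deserve a correction or a comment explaining why they are harmless.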

