Bug 472571

Summary: CGI::escape is broken
Product: [Fedora] Fedora
Reporter: Need Real Name <mal>
Component: perl
Assignee: Stepan Kasal <kasal>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: kasal, mmaslano, rc040203, robin.norwood, tcallawa
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 5.10.0-68.fc10
Doc Type: Bug Fix
Last Closed: 2009-04-22 01:09:08 UTC

Description Need Real Name 2008-11-21 20:04:29 UTC
Recent changes in CGI.pm 
for example in 
'$Id: CGI.pm,v 1.254 2008/06/25 14:52:19 lstein Exp $'

Broke escape/unescape
The escape is often used for escaping binary data.
The problem is that the new CGI.pm Unicode handling adds logic which is
not standards compliant.

CGI::unescape(CGI::escape($in)) does not produce the same value as $in.

In CGI.pm from perl 5.8.8 there was no such problem.
With the new broken CGI.pm there is now no clean way to encode/decode
binary data (such as images).


--------------
use CGI;

my $t="Crêpe Café";

my $te=CGI::escape($t);
my $t2=CGI::unescape($te);
my $cgi_params=new CGI("text=$te");
my $p=$cgi_params->param('text');

print{*STDERR} "T=$t LEN=",length($t),"\n";
print{*STDERR} "T2=$t LEN=",length($t2),"\n";
print{*STDERR} "P=$p LEN=",length($p),"\n";
------------
$perl -w p1
T=Crêpe Café LEN=12
T2=Crêpe Café LEN=16
P=Crêpe Café LEN=16
-------------

The length differs. Stupid new paddings broke code.
There was no such problem in, say,
'$Id: CGI.pm,v 1.251 2008/04/23 13:08:23 lstein Exp $'

Comment 1 Marcela Mašláňová 2008-12-04 11:53:18 UTC
This was reported to upstream http://rt.cpan.org/Public/Bug/Display.html?id=34528

perl-5.8.8 with the latest CGI is working. The problem could be caused by a change in packing UTF-8 strings.

Comment 2 Stepan Kasal 2009-04-07 11:40:41 UTC
First, the above example is poorly written; before using utf-8 in the source, you should declare it:
use utf8;
my $t="Crêpe Café";

That way $t would become a Unicode string, with LEN=10 (counted in characters, not in bytes).  (CGI::escape does handle Unicode strings correctly.)

That said, I would like to return to the above case.  It does demonstrate a bug, indeed.  The string is a byte string (or Latin-1 string), consisting of ten one-byte characters.  And CGI::escape should do the %XX escaping byte-by-byte on these, for several reasons, backward compatibility with perl-5.8.x among them.

This bug is fixed in perl-5.10.0-66.  Moreover the patch has been submitted upstream (see the link in comment #1) and is planned for CGI.pm-3.43.
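
The byte-by-byte %XX escaping that comment 2 describes, as an added example that is not part of the bug report and is not CGI.pm's code: `escape_bytes`, `unescape_bytes` and `escape_upgraded` are hypothetical helpers, and the sample string is constructed. It assumes the length change comes from octets being UTF-8 encoded as Latin-1 characters before escaping, which is one way a 12-byte input comes back as 16 bytes.

```perl
#!/usr/bin/perl
# Added example: byte-wise %XX escaping with a round-trip regression check.
# All three subs are hypothetical helpers, not the code shipped in CGI.pm.
use strict;
use warnings;
use Encode qw(encode);

# Percent-encode every octet outside the RFC 3986 unreserved set.
# The input must already be a byte string; wide characters are rejected.
sub escape_bytes {
    my ($bytes) = @_;
    die "wide character in byte string\n" if $bytes =~ /[^\x00-\xFF]/;
    $bytes =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $bytes;
}

# Inverse operation: each %XX becomes exactly one octet.
sub unescape_bytes {
    my ($str) = @_;
    $str =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $str;
}

# Assumed failure mode: octets are treated as Latin-1 characters and
# UTF-8 encoded before escaping, so every octet >= 0x80 becomes two.
sub escape_upgraded {
    my ($bytes) = @_;
    return escape_bytes(encode('UTF-8', $bytes));
}

# Constructed sample: "Crêpe Café" as 12 UTF-8 octets (no "use utf8").
my $t = "Cr\xC3\xAApe Caf\xC3\xA9";

my $good = unescape_bytes(escape_bytes($t));
my $bad  = unescape_bytes(escape_upgraded($t));

printf "in=%d byte-wise=%d upgraded=%d\n",
    length($t), length($good), length($bad);
print "byte-wise: ", escape_bytes($t), "\n";
print "upgraded:  ", escape_upgraded($t), "\n";

# Regression check for binary payloads: all 256 octet values must survive.
my $all = join '', map { chr($_) } 0 .. 255;
die "round trip is lossy\n" unless unescape_bytes(escape_bytes($all)) eq $all;
print "all 256 octets round-trip\n";
```

A check like the last three lines, run against the installed escape/unescape pair, catches this class of regression before binary data passes through it.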

Comment 3 Fedora Update System 2009-04-07 15:50:35 UTC
perl-5.10.0-66.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update perl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2992

Comment 4 Fedora Update System 2009-04-09 16:17:37 UTC
perl-5.10.0-67.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update perl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2992

Comment 5 Fedora Update System 2009-04-15 17:59:27 UTC
perl-5.10.0-68.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update perl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2992

Comment 6 Fedora Update System 2009-04-22 00:54:49 UTC
perl-5.10.0-68.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-04-22 01:08:26 UTC
perl-5.10.0-68.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.