Bug 472571 - CGI::escape is broken
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: perl
9
All Linux
medium Severity medium
Assigned To: Stepan Kasal
Fedora Extras Quality Assurance
Reported: 2008-11-21 15:04 EST by Need Real Name
Modified: 2009-04-21 21:09 EDT
Fixed In Version: 5.10.0-68.fc10
Doc Type: Bug Fix
Last Closed: 2009-04-21 21:09:08 EDT
Description Need Real Name 2008-11-21 15:04:29 EST
Recent changes in CGI.pm,
for example in
'$Id: CGI.pm,v 1.254 2008/06/25 14:52:19 lstein Exp $'

broke escape/unescape.
The escape is often used for escaping binary data.
The problem is that the new CGI.pm Unicode handling adds logic which is
not standard compliant.

CGI::unescape(CGI::escape($in)) does not produce the same value as $in.

In CGI.pm from perl 5.8.8 there was no such problem.
With the new broken CGI.pm there is now no clean way to encode/decode
binary data (such as images).


--------------
use CGI;

my $t="Crêpe Café";

my $te=CGI::escape($t);
my $t2=CGI::unescape($te);
my $cgi_params=new CGI("text=$te");
my $p=$cgi_params->param('text');

print{*STDERR} "T=$t LEN=",length($t),"\n";
print{*STDERR} "T2=$t LEN=",length($t2),"\n";
print{*STDERR} "P=$p LEN=",length($p),"\n";
------------
$perl -w p1
T=Crêpe Café LEN=12
T2=Crêpe Café LEN=16
P=Crêpe Café LEN=16
-------------

The length differs. Stupid new paddings broke code.
There was no such problem in say
'$Id: CGI.pm,v 1.251 2008/04/23 13:08:23 lstein Exp $'
Comment 1 Marcela Mašláňová 2008-12-04 06:53:18 EST
This was reported to upstream http://rt.cpan.org/Public/Bug/Display.html?id=34528

perl-5.8.8 with the latest CGI is working. The problem could be caused by a change in packing UTF-8 strings.
Comment 2 Stepan Kasal 2009-04-07 07:40:41 EDT
First, the above example is poorly written; before using utf-8 in the source, you should declare it:
use utf8;
my $t="Crêpe Café";

That way $t would become a Unicode string, with LEN=10 (counted in characters, not in bytes).  (CGI::escape does handle Unicode strings correctly.)

That said, I would like to return to the above case.  It does demonstrate a bug, indeed.  The string is a byte string (or Latin-1 string), consisting of ten one-byte characters.  And CGI::escape should do the %XX escaping byte-by-byte on these, for several reasons, backward compatibility with perl-5.8.x among them.

This bug is fixed in perl-5.10.0-66.  Moreover the patch has been submitted upstream (see the link in comment #1) and is planned for CGI.pm-3.43.
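The round-trip property discussed in this report, as an added example that is not part of the original bug thread and is not CGI.pm's code: a byte-wise %XX escape next to a model of the reported symptom (12 bytes coming back as 16). The function names and the PNG-header sample are assumptions constructed for illustration; `escape_reencoding` only reproduces the observed length change and makes no claim about the actual CGI.pm code path.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Byte-wise escaping: a character string is first turned into UTF-8 octets,
# a byte string is left alone; then every octet outside the unreserved set
# becomes %XX.
sub escape_bytes {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Inverse: each %XX becomes exactly one octet.
sub unescape_bytes {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Model of the symptom (hypothetical helper): the input octets are treated
# as Latin-1 characters and UTF-8 encoded a second time before escaping,
# so every octet >= 0x80 turns into two octets.
sub escape_reencoding {
    my ($s) = @_;
    utf8::upgrade($s);   # same characters, UTF-8 internal representation
    utf8::encode($s);    # characters -> UTF-8 octets (second encoding)
    return escape_bytes($s);
}

# Constructed samples: the report's string as UTF-8 octets (no "use utf8"),
# and the first eight bytes of a PNG file as a stand-in for binary data.
my %samples = (
    'text' => "Cr\xC3\xAApe Caf\xC3\xA9",
    'png'  => "\x89PNG\r\n\x1a\n",
);

for my $name (sort keys %samples) {
    my $in   = $samples{$name};
    my $good = unescape_bytes(escape_bytes($in));
    my $bad  = unescape_bytes(escape_reencoding($in));
    printf "%-4s in=%2d  byte-wise=%2d (%s)  re-encoded=%2d (%s)\n",
        $name, length($in),
        length($good), ($good eq $in ? 'ok' : 'CORRUPT'),
        length($bad),  ($bad  eq $in ? 'ok' : 'CORRUPT');
}
```

A round-trip comparison like the loop above is a cheap regression check for any code that passes binary data (images, signatures, encrypted tokens) through URL escaping after a perl or CGI.pm upgrade.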
Comment 3 Fedora Update System 2009-04-07 11:50:35 EDT
perl-5.10.0-66.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update perl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2992
Comment 4 Fedora Update System 2009-04-09 12:17:37 EDT
perl-5.10.0-67.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update perl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2992
Comment 5 Fedora Update System 2009-04-15 13:59:27 EDT
perl-5.10.0-68.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update perl'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2992
Comment 6 Fedora Update System 2009-04-21 20:54:49 EDT
perl-5.10.0-68.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-04-21 21:08:26 EDT
perl-5.10.0-68.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.