Package: libcgi-perl
Version: 2.76-24
Severity: normal

If the path info part of a URL happens to be a malformed regex, calling 
path_info will crash with a regex error.

The following test case illustrates the problem:

$ env REQUEST_METHOD=GET \
        REQUEST_URI='/foo.cgi/(bar' \
        PATH_INFO='/(bar' \
        SCRIPT_NAME='/foo.cgi' \
        perl -e 'use CGI; $q = CGI::new; $a = $q->path_info; print "$a\n"'
Unmatched ( in regex; marked by <-- HERE in m//( <-- HERE bar$/ at (eval 4) line 7.

[The above example corresponds to an actual URL of, e.g., 
http://www.example.org/foo.cgi/(bar ]

path_info should not crash on arguably valid input like this. Whether the input 
looks like a regex should have no effect.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.28-ow1
Locale: LANG=zh_TW.Big5, LC_CTYPE=zh_TW.Big5 (charmap=BIG5)

Versions of packages libcgi-perl depends on:
ii  liburi-perl                   1.35-2     Manipulates and accesses URI strin
ii  libwww-perl                   5.805-1    WWW client/server library for Perl
ii  perl                          5.8.8-7    Larry Wall's Practical Extraction 

libcgi-perl recommends no packages.

-- no debconf information
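
The failure mode reported above, reduced to a stand-alone sketch. This is an added example, not code from CGI.pm or from the report; the helper names and all sample inputs other than the report's `/(bar` case are constructed, and the pattern shape is an assumption based on the error message shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: strip a trailing PATH_INFO from a request path by
# interpolating it into a pattern as-is. Metacharacters in $path_info are
# compiled as regex syntax, so '/(bar' is a fatal pattern compile error.
sub strip_path_info_unquoted {
    my ($uri, $path_info) = @_;
    (my $script = $uri) =~ s/$path_info$//;
    return $script;
}

# Same operation with the interpolated value quoted via \Q...\E, so every
# character of $path_info is matched literally.
sub strip_path_info_quoted {
    my ($uri, $path_info) = @_;
    (my $script = $uri) =~ s/\Q$path_info\E$//;
    return $script;
}

# Constructed sample inputs: [request path, PATH_INFO]
my @cases = (
    ['/foo.cgi/(bar', '/(bar'],   # the case from the report
    ['/foo.cgi/a.b',  '/a.b'],
    ['/foo.cgi/axb',  '/a.b'],    # '.' must not act as a wildcard
    ['/foo.cgi/x[1',  '/x[1'],
);

for my $case (@cases) {
    my ($uri, $path_info) = @$case;
    for my $impl (['unquoted', \&strip_path_info_unquoted],
                  ['quoted',   \&strip_path_info_quoted]) {
        my ($name, $code) = @$impl;
        # eval traps the run-time pattern compile error instead of crashing
        my $result = eval { $code->($uri, $path_info) };
        if (defined $result) {
            printf "%-8s %-15s %-6s => %s\n", $name, $uri, $path_info, $result;
        } else {
            (my $err = $@) =~ s/ at .*//s;   # drop file/line suffix
            printf "%-8s %-15s %-6s => DIED: %s\n", $name, $uri, $path_info, $err;
        }
    }
}
```

The `/foo.cgi/axb` row shows the quieter half of the same defect: even when the unquoted pattern compiles, it can match text that is not the literal path info.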

