[Catalyst-commits] r12079 - in Catalyst-Runtime/5.80/branches/fix_path_info_decoding: . lib/Catalyst/Engine

Mon Nov 30 18:26:34 GMT 2009

Author: t0m
Date: 2009-11-30 18:26:34 +0000 (Mon, 30 Nov 2009)
New Revision: 12079

Modified:
   Catalyst-Runtime/5.80/branches/fix_path_info_decoding/Changes
   Catalyst-Runtime/5.80/branches/fix_path_info_decoding/lib/Catalyst/Engine/CGI.pm
Log:
Commit miyagawa's fix for PATH_INFO decoding. I think that this also implies changes / fixes in the fcgi _fix_env stuff

Modified: Catalyst-Runtime/5.80/branches/fix_path_info_decoding/Changes
===================================================================

--- Catalyst-Runtime/5.80/branches/fix_path_info_decoding/Changes	2009-11-30 18:25:57 UTC (rev 12078)
+++ Catalyst-Runtime/5.80/branches/fix_path_info_decoding/Changes	2009-11-30 18:26:34 UTC (rev 12079)
@@ -7,6 +7,10 @@
      produce the same output either way, but bytes::length returns too big
      values for upgraded strings containing characters >127
    - Fix t/live_fork.t with bleadperl (RT#52100)
+   - Set $ENV{PATH_INFO} from $ENV{REQUEST_URI} combined with
+     $ENV{SCRIPT_NAME} if possible. This is many web servers always fully
+     decode PATH_INFO including URI reserved characters. This allows us to
+     tell foo%2cbar from foo%252cbar.. RT#50082
 
   Refactoring / cleanups:
    - NoTabs and Pod tests moved to t/author so that they're not run

Modified: Catalyst-Runtime/5.80/branches/fix_path_info_decoding/lib/Catalyst/Engine/CGI.pm
===================================================================
--- Catalyst-Runtime/5.80/branches/fix_path_info_decoding/lib/Catalyst/Engine/CGI.pm	2009-11-30 18:25:57 UTC (rev 12078)
+++ Catalyst-Runtime/5.80/branches/fix_path_info_decoding/lib/Catalyst/Engine/CGI.pm	2009-11-30 18:26:34 UTC (rev 12079)
@@ -115,13 +115,16 @@
     my $scheme = $c->request->secure ? 'https' : 'http';
     my $host      = $ENV{HTTP_HOST}   || $ENV{SERVER_NAME};
     my $port      = $ENV{SERVER_PORT} || 80;
+    my $script_name = $ENV{SCRIPT_NAME};
+    $script_name =~ s/([^$URI::uric])/$URI::Escape::escapes{$1}/go if $script_name;
+
     my $base_path;
     if ( exists $ENV{REDIRECT_URL} ) {
         $base_path = $ENV{REDIRECT_URL};
         $base_path =~ s/$ENV{PATH_INFO}$//;
     }
     else {
-        $base_path = $ENV{SCRIPT_NAME} || '/';
+        $base_path = $script_name || '/';
     }
 
     # If we are running as a backend proxy, get the true hostname
@@ -143,8 +146,22 @@
         }
     }
 
+    # RFC 3875: "Unlike a URI path, the PATH_INFO is not URL-encoded,
+    # and cannot contain path-segment parameters." This means PATH_INFO
+    # is always decoded, and the script can't distinguish / vs %2F.
+    # See https://issues.apache.org/bugzilla/show_bug.cgi?id=35256
+    # Here we try to resurrect the original encoded URI from REQUEST_URI.
+    my $path_info   = $ENV{PATH_INFO};
+    if (my $req_uri = $ENV{REQUEST_URI}) {
+        if (defined $script_name) {
+            $req_uri =~ s/^\Q$script_name\E//;
+        }
+        $req_uri =~ s/\?.*$//;
+        $path_info = $req_uri if $req_uri;
+    }
+
     # set the request URI
-    my $path = $base_path . ( $ENV{PATH_INFO} || '' );
+    my $path = $base_path . ( $path_info || '' );
     $path =~ s{^/+}{};
 
     # Using URI directly is way too slow, so we construct the URLs manually


