[cgiapp] Sessions leaking with FastCGI
Richard Jones
ra.jones at dpw.clara.co.uk
Thu Jul 28 11:34:04 EDT 2011
On 26/07/2011 01:34, Victor Bruno wrote:
> Found this in the change logs for CGI that mentions the fix:
>
> Version 3.44, Jul 30, 2009
>
> ...
>
> 3. Fixed issue in mod_perl & fastCGI environment of cookies returned from
> CGI->cookie() leaking from one session to another.
In the docs for the current version (3.55) it also says this:
> [THINGS THAT MAY BREAK YOUR CODE]
> url() was fixed to return "PATH_INFO" when it is explicitly requested
> with either the path=>1 or path_info=>1 flag.
>
> If your code is running under mod_rewrite (or compatible) and you are calling self_url() or
> you are calling url() and passing path_info=>1, These methods will actually be
> returning PATH_INFO now, as you have explicitly requested, or has self_url()
> has requested on your behalf.
>
> The PATH_INFO has been omitted in such URLs since the issue was introduced
> in the 3.12 release in December, 2005.
>
> This bug is so old your application may have come to depend on it or
> workaround it. Check for application before upgrading to this release.
>
> Examples of affected method calls:
>
> $q->url(-absolute => 1, -query => 1, -path_info => 1 )
> $q->url(-path=>1)
> $q->url(-full=>1,-path=>1)
> $q->url(-rewrite=>1,-path=>1)
> $q->self_url();
I interpret that as path_info is now working correctly when called,
whereas between version 3.12 and 3.54 it didn't. I may need to upgrade
to 3.55 to fix the leaking sessions issue as I use fastcgi for my app,
but I don't want to break it as it uses self_url and path_info quite a
lot. But on my devel, test and prod servers I have CGI versions 3.37,
3.42 and 3.43 and have always seen the expected path_info, e.g.
/foo/bar?name=fred
Anyone know what was supposed to be broken pre-3.55 and why I appear to
have been able to use pre-3.55 versions OK?
--
Richard Jones