summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/CGI.pm4
-rw-r--r--lib/CGI/Changes1169
-rw-r--r--lib/CGI/Cookie.pm4
3 files changed, 1173 insertions, 4 deletions
diff --git a/lib/CGI.pm b/lib/CGI.pm
index 94c4e65990..08adf4fae6 100644
--- a/lib/CGI.pm
+++ b/lib/CGI.pm
@@ -18,8 +18,8 @@ use Carp 'croak';
# The most recent version and complete docs are available at:
# http://stein.cshl.org/WWW/software/CGI/
-$CGI::revision = '$Id: CGI.pm,v 1.177 2005/03/09 21:04:48 lstein Exp $';
-$CGI::VERSION=3.06;
+$CGI::revision = '$Id: CGI.pm,v 1.178 2005/03/14 16:30:20 lstein Exp $';
+$CGI::VERSION=3.07;
# HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
# UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
diff --git a/lib/CGI/Changes b/lib/CGI/Changes
new file mode 100644
index 0000000000..7a6baf802e
--- /dev/null
+++ b/lib/CGI/Changes
@@ -0,0 +1,1169 @@
+ Version 3.07
+ 1. Fixed typo in mod_perl detection.
+
+ Version 3.06
+
+ 1. Fixed bare call to script() in start_html
+ 2. Moved Fh::DESTROY out of autoloaded functions so as to avoid
+ clobbering $@ when CGI functions are executed in an eval{}
+ context.
+ 3. mod_perl 2.0 version detection patch in CGI::Cookie provided by
+ Allen Day.
+ 4. autoEscape() flag is now respected when generating extra
+ attributes.
+ 5. Tests for *tag start/end generation from Shlomi Fish.
+ 6. Support for can() method provided by Ron Savage.
+ 7. Fix for lang='' when outputting XHTML.
+ 8. Added support for chunked transfer encoding, as suggested by
+ Hakan Ardo
+ 9. Fixed clobbering of row and column headers in tableized radio
+ and checkbox groups, as reported by Nicolas Thierry-Mieg.
+ 10. <Label> tags are now associated with form elements, as suggested
+ by accessibility guidelines.
+ 11. The <?xml> directive produced by start_html is now turned off by
+ default and the charset is specified in a <meta> directive. Apparently
+ IE6 (and maybe some versions of Opera) were getting confused by this.
+ 12. Support for tab indexes.
+ 13. Retired the HTML docs. The POD docs are now primary documentation.
+ 14. CGI::Carp now correctly detects and handles Apache::Dispatch.
+ 15. CGI::Util::utf8_chr now correctly sets the UTF8 flag on 5.006 or
+ higher perls (fix courtesy Slaven Rezic).
+
+
+ Version 3.05
+
+ 1. Fixed uninitialized variable warning on start_form() when running
+ from command line.
+ 2. Fixed CGI::_set_attributes so that attributes with a - are handled
+ correctly.
+ 3. Fixed CGI::Carp::die() so as to avoid problems from _longmess()
+ clobbering @_.
+ 4. If HTTP_X_FORWARDED_HOST is defined (i.e. running under a proxy),
+ the various functions that return HOST will use that instead.
+ 5. Fix for undefined utf8() call in CGI::Util.
+ 6. Changed the call to warningsToBrowser() in
+ CGI::Carp::fatalsToBrowser to call only after HTTP header is sent
+ (thanks to Didier Lebrun for noticing).
+ 7. Patches from Dan Harkless to make CGI.pm validatable against HTML
+ 3.2.
+ 8. Fixed an extraneous "foo=bar" appearing when extra style
+ parameters passed to start_html;
+ 9. Fixed cross-site scripting bug in startform() pointed out by Dan
+ Harkless.
+ 10. Fixed documentation to discuss list context behavior of
+ form-element generators explicitly.
+ 11. Fixed incorrect results from end_form() when called in OO manner.
+ 12. Fixed query string stripping in order to handle URLs containing
+ escaped newlines.
+ 13. During server push, set NPH to 0 rather than 1. This is supposed
+ to fix problems with Apache.
+ 14. Fixed incorrect processing of multipart form fields that contain
+ embedded quotes. There's still the issue of how to handle ones
+ that contain embedded semicolons, but no one has complained (yet).
+ 15. Fixed documentation bug in -style argument to start_html()
+ 16. Added -status argument to redirect().
+
+ Version 3.04
+
+ 1. Fixed the problem with mod_perl crashing when "defaults" button
+ pressed.
+
+ Version 3.03
+
+ 1. Fix upload hook functionality
+ 2. Workaround for CGI->unescape_html()
+ 3. Bumped version numbers in CGI::Fast and CGI::Util for 5.8.3-tobe
+
+ Version 3.02
+
+ 1. Bring in Apache::Response just in case.
+ 2. File upload on EBCDIC systems now works.
+
+ Version 3.01
+
+ 1. No fix yet for upload failures when running on EBCDIC server.
+ 2. Fixed uninitialized glob warnings that appeared when file
+ uploading under perl 5.8.2.
+ 3. Added patch from Schlomi Fish to allow debugging of PATH_INFO from
+ command line.
+ 4. Added patch from Steve Hay to correctly unlink tmp files under
+ mod_perl/windows
+ 5. Added upload_hook functionality from Jamie LeTaul
+ 6. Workarounds for mod_perl 2 IO issues. Check that file upload and
+ state saving still working.
+ 7. Added code for underreads.
+ 8. Fixed misleading description of redirect() and relative URLs in
+ the POD docs.
+ 9. Workaround for weird interaction of CGI::Carp with Safe module
+ reported by William McKee.
+ 10. Added patches from Ilmari Karonen to improve behavior of
+ CGI::Carp.
+ 11. Fixed documentation error in -style argument.
+ 12. Added virtual_port() method for finding out what port server is
+ listening on in a virtual-host aware fashion.
+
+ Version 3.00
+
+ 1. Patch from Randal Schwartz to fix bug introduced by cross-site
+ scripting vulnerability "fix."
+ 2. Patch from JFreeman to replace UTF-8 escape constant of 0xfe with
+ 0xfc. Hope this is right!
+
+ Version 2.99
+
+ 1. Patch from Steve Hay to fix extra Content-type: appearing on
+ browser screen when FatalsToBrowser invoked.
+ 2. Patch from Ewann Corvellec to fix cross-site scripting
+ vulnerability.
+ 3. Fixed tmpdir routine for file uploading to solve problem that
+ occurs under mod_perl when tmpdir is writable at startup time, but
+ not at session time.
+
+ Version 2.98
+
+ 1. Fixed crash in Dump() function.
+
+ Version 2.97
+
+ 1. Sigh. Uploaded wrong 2.96 to CPAN.
+
+ Version 2.96
+
+ 1. More bugfixes to the -style argument.
+
+ Version 2.95
+
+ 1. Fixed bugs in start_html(-style=>...) support introduced in 2.94.
+
+ Version 2.94
+
+ 1. Removed warning from reset() method.
+ 2. Moved
+
+ and tags into the :html3 group. Hope this removes undefined CGI::Area
+ errors.
+
+ Changed CGI::Carp to play with mod_perl2 and to (hopefully) restore
+ reporting of compile-time errors.
+
+ Fixed potential deadlock between web server and CGI.pm when aborting
+ a read due to POST_MAX (reported by Antti Lankila).
+
+ Fixed issue with tag-generating function not incorporating content
+ when first variable undef.
+
+ Fixed cross-site scripting bug reported by obscure.
+
+ Fixed Dump() function to return correctly formed XHTML - bug
+ reported by Ralph Siemsen.
+
+ Version 2.93
+
+ 1. Fixed embarassing bug in mp1 support.
+
+ Version 2.92
+
+ 1. Fix to be P3P compliant submitted from MPREWITT.
+ 2. Added CGI->r() API for mod_perl1/mod_perl2.
+ 3. Fixed bug in redirect() that was corrupting cookies.
+ 4. Minor fix to behavior of reset() button to make it consistent with
+ submit() button (first time this has been changed in 9 years).
+ 5. Patch from Dan Kogai to handle UTF-8 correctly in 5.8 and higher.
+ 6. Patch from Steve Hay to make CGI::Carp's error messages appear on
+ MSIE browsers.
+ 7. Added Yair Lenga's patch for non-urlencoded postings.
+ 8. Added Stas Bekman's patches for mod_perl 2 compatibility.
+ 9. Fixed uninitialized escape behavior submitted by William Campbell.
+ 10. Fixed tied behavior so that you can pass arguments to tie()
+ 11. Fixed incorrect generation of URLs when the path_info contains +
+ and other odd characters.
+ 12. Fixed redirect(-cookies=>$cookie) problem.
+ 13. Fixed tag generation bug that affects -javascript passed to
+ start_html().
+
+ Version 2.91
+
+ 1. Attribute generation now correctly respects the value of
+ autoEscape().
+ 2. Fixed endofrm() syntax error introduced by Ben Edgington's patch.
+
+ Version 2.90
+
+ 1. Fixed bug in redirect header handling.
+ 2. Added P3P option to header().
+ 3. Patches from Alexey Mahotkin to make CGI::Carp work correctly with
+ object-oriented exceptions.
+ 4. Removed inaccurate description of how to set multiple cookies from
+ CGI::Cookie pod file.
+ 5. Patch from Kevin Mahony to prevent running out of filehandles when
+ uploading lots of files.
+ 6. Documentation enhancement from Mark Fisher to note that the
+ import_names() method transforms the parameter names into valid
+ Perl names.
+ 7. Patch from Dan Harkless to suppress lang attribute in <html> tag
+ if specified as a null string.
+ 8. Patch from Ben Edgington to fix broken XHTML-transitional 1.0
+ validation on endform().
+ 9. Custom html header fix from Steffen Beyer (first letter correctly
+ upcased now)
+ 10. Added a -verbatim option to stylesheet generation from Michael
+ Dickson
+ 11. Faster delete() method from Neelam Gupta
+ 12. Fixed broken Cygwin support.
+ 13. Added empty charset support from Bradley Baetz
+ 14. Patches from Doug Perham and Kevin Mahoney to fix file upload
+ failures when uploaded file is a multiple of 4096.
+
+ Version 2.89
+
+ 1. Fixed behavior of ACTION tag when POSTING to a URL that has a
+ query string.
+ 2. Added Patch from Michael Rommel to handle multipart/mixed uploads
+ from Opera
+
+ Version 2.88
+
+ 1. Fixed problem with uploads being refused under Perl 5.8 when under
+ Taint mode.
+ 2. Fixed uninitialized variable warnings under Perl 5.8.
+ 3. Fixed CGI::Pretty regression test failures.
+
+ Version 2.87
+
+ 1. Security hole patched: when processing multipart/form-data
+ postings, most arguments were being untainted silently. Returned
+ arguments are now tainted correctly. This may cause some scripts
+ to fail that used to work (thanks to Nick Cleaton for pointing
+ this out and persisting until it was fixed).
+ 2. Update for mod_perl 2.0.
+ 3. Pragmas such as -no_xhtml are now respected in mod_perl
+ environment.
+
+ Version 2.86
+
+ 1. Fixes for broken CGI::Cookie expiration dates introduced in 2.84.
+
+ Version 2.85
+
+ 1. Fix for broken autoEscape function introduced in 2.84.
+
+ Version 2.84
+
+ 1. Fix for failed file uploads on Cygwin platforms.
+ 2. HTML escaping code now replaced 0x8b and 0x9b with unicode
+ references < and *#8250;
+
+ Version 2.83
+
+ 1. Fixed autoEscape() documentation inconsistencies.
+ 2. Patch from Ville Skyttä to fix a number of XHTML inconsistencies.
+ 3. Added Max-Age to list of CGI::Cookie headers.
+
+ Version 2.82
+
+ 1. Patch from Rudolf Troller to add attribute setting and option
+ groups to form fields.
+ 2. Patch from Simon Perreault for silent crashes when using CGI::Carp
+ under mod_perl.
+ 3. Patch from Scott Gifford allows you to set the program name for
+ CGI::Carp.
+
+ Version 2.81
+
+ 1. Removed extraneous slash from end of stylesheet tags generated by
+ start_html in non-XHTML mode.
+ 2. Changed behavior of CGI::Carp with respect to eval{} contexts so
+ that output behaves properly in mod_perl environments.
+ 3. Fixed default DTD so that it validates with W3C validator.
+
+ Version 2.80
+
+ 1. Fixed broken messages in CGI::Carp.
+ 2. Changed checked="1" to checked="checked" for real XHTML
+ compatibility.
+ 3. Resurrected REQUEST_URI code so that url() works correctly with
+ multiviews.
+
+ Version 2.79
+
+ 1. Changes to CGI::Carp to avoid "subroutine redefined" error
+ messages.
+ 2. Default DTD is now XHTML 1.0 Transitional
+ 3. Patches to support all HTML4 tags.
+
+ Version 2.78
+
+ 1. Added ability to change encoding in <?xml> assertion.
+ 2. Fixed the old escapeHTML('CGI') ne "CGI" bug
+ 3. In accordance with XHTML requirements, there are no longer any
+ minimized attributes, such as "checked".
+ 4. Patched bug which caused file uploads of exactly 4096 bytes to be
+ truncated to 4094 (thanks to Kevin Mahony)
+ 5. New tests and fixes to CGI::Pretty (thanks to Michael Schwern).
+
+ Version 2.77
+
+ 1. No new features, but released in order to fix an apparent CPAN
+ bug.
+
+ Version 2.76
+
+ 1. New esc.t regression test for EBCDIC translations courtesy Peter
+ Prymmer.
+ 2. Patches from James Jurach to make compatible with FCGI-ProcManager
+ 3. Additional fields passed to header() (like -Content_disposition)
+ now honor initial capitalization.
+ 4. Patch from Andrew McNaughton to handle utf-8 escapes (%uXXXX
+ codes) in URLs.
+
+ Version 2.752
+
+ 1. Syntax error in the autoloaded Fh::new() subroutine.
+ 2. Better error reporting in autoloaded functions.
+
+ Version 2.751
+
+ 1. Tiny tweak to filename regular expression function on line 3355.
+
+ Version 2.75
+
+ 1. Fixed bug in server push boundary strings (CGI.pm and CGI::Push).
+ 2. Fixed bug that occurs when uploading files with funny characters
+ in the name
+ 3. Fixed non-XHTML-compliant attributes produced by textfield()
+ 4. Added EPOC support, courtesy Olaf Flebbe
+ 5. Fixed minor XHTML bugs.
+ 6. Made escape() and unescape() symmetric with respect to EBCDIC,
+ courtesy Roca, Ignasi <ignasi.roca@fujitsu.siemens.es>
+ 7. Removed uninitialized variable warning from CGI::Cookie, provided
+ by Atipat Rojnuckarin <rojnuca@yahoo.com>
+ 8. Fixed bug in CGI::Pretty that causes it to print partial end tags
+ when the $INDENT global is changed.
+ 9. Single quotes are changed to character entity ' for compatibility
+ with URLs.
+
+ Version 2.74
+
+ September 13, 2000
+ 1. Quashed one-character bug that caused CGI.pm to fail on file
+ uploads.
+
+ Version 2.73
+
+ September 12, 2000
+ 1. Added -base to the list of arguments accepted by url().
+ 2. Fixes to XHTML support.
+ 3. POST parameters no longer show up in the Location box.
+
+ Version 2.72
+
+ August 19, 2000
+ 1. Fixed the defaults button so that it works again
+ 2. Charset is now correctly saved and restored when saving to files
+ 3. url() now works correctly when given scripts with %20 and other
+ escapes in the additional path info. This undoes a patch
+ introduced in version 2.47 that I no longer understand the
+ rationale for.
+
+ Version 2.71
+
+ August 13, 2000
+ 1. Newlines in the value attributes of hidden fields and other form
+ elements are now escaped when using ISO-Latin.
+ 2. Inline script and style sections are now protected as CDATA
+ sections when XHTML mode is on (the default).
+
+ Version 2.70
+
+ August 4, 2000
+ 1. Fixed bug in scrolling_list() which omitted a space in front of
+ the "multiple" attribute.
+ 2. Squashed the "useless use of string in void context" message from
+ redirects.
+
+ Version 2.69
+
+ 1. startform() now creates default ACTION for POSTs as well as GETs.
+ This may break some browsers, but it no longer violates the HTML
+ spec.
+ 2. CGI.pm now emits XHTML by default. Disable with -no_xhtml.
+ 3. We no longer interpret &#ddd sequences in non-latin character
+ sets.
+
+ Version 2.68
+
+ 1. No longer attempts to escape characters when dealing with non
+ ISO-8861 character sets.
+ 2. checkbox() function now defaults to using -value as its label,
+ rather than -name. The current behavior is what has been
+ documented from the beginning.
+ 3. -style accepts array reference to incorporate multiple stylesheets
+ into document.
+
+ 1. Fixed two bugs that caused the -compile pragma to fail with a
+ syntax error.
+
+ Version 2.67
+
+ 1. Added XHTML support (incomplete; tags need to be lowercased).
+ 2. Fixed CGI/Carp when running under mod_perl. Probably broke in
+ other contexts.
+ 3. Fixed problems when passing multiple cookies.
+ 4. Suppress warnings from _tableize() that were appearing when using
+ -w switch with radio_group() and checkbox_group().
+ 5. Support for the header() -attachment argument, which can give
+ pages a default file name when saving to disk.
+
+ Version 2.66
+
+ 1. 2.65 changes in make_attributes() broke HTTP header functions
+ (including redirect), so made it context sensitive.
+
+ Version 2.65
+
+ 1. Fixed regression tests to skip tests that require implicit fork on
+ machines without fork().
+ 2. Changed make_attributes() to automatically escape any HTML
+ reserved characters.
+ 3. Minor documentation fix in javascript example.
+
+ Version 2.64
+
+ 1. Changes introduced in 2.63 broke param() when retrieving parameter
+ lists containing only a single argument. This is now fixed.
+ 2. self_url() now defaults to returning parameters delimited with
+ semicolon. Use the pragma -oldstyle_urls to get the old "&"
+ delimiter.
+
+ Version 2.63
+
+ 1. Fixed CGI::Push to pull out parameters correctly.
+ 2. Fixed redirect() so that it works with default character set
+ 3. Changed param() so as to returned empty string '' when referring
+ to variables passed in query strings like 'name1=&name2'
+
+ Version 2.62
+
+ 1. Fixed broken ReadParse() function, and added regression tests
+ 2. Fixed broken CGI::Pretty, and added regression tests
+
+ Version 2.61
+
+ 1. Moved more functions from CGI.pm proper into CGI/Util.pm.
+ CGI/Cookie should now be standalone.
+ 2. Disabled per-user temporary directories, which were causing grief.
+
+ Version 2.60
+
+ 1. Fixed junk appearing in autogenerated HTML functions when using
+ object-oriented mode.
+
+ Version 2.59
+
+ 1. autoescape functionality breaks too much existing code, removed
+ it.
+ 2. use escapeHTML() manually
+
+ Version 2.58
+
+ This is the release version of 2.57.
+
+ Version 2.57
+
+ 1. Added -debug pragma and turned off auto reading of STDIN.
+ 2. Default DTD updated to HTML 4.01 transitional.
+ 3. Added charset() method and the -charset argument to header().
+ 4. Fixed behavior of escapeHTML() to respect charset() and to escape
+ nasty Windows characters (thanks to Tom Christiansen).
+ 5. Handle REDIRECT_QUERY_STRING correctly.
+ 6. Removed use_named_parameters() because of dependency problems and
+ general lameness.
+ 7. Fixed problems with bad HREF links generated by url(-relative=>1)
+ when the url is like /people/.
+ 8. Silenced a warning on upload (patch provided by Jonas Liljegren)
+ 9. Fixed race condition in CGI::Carp when errors occur during parsing
+ (patch provided by Maurice Aubrey).
+ 10. Fixed failure of url(-path_info=>1) when path contains % signs.
+ 11. Fixed warning from CGI::Cookie when receiving foreign cookies that
+ don't use name=value format.
+ 12. Fixed incompatibilities with file uploading on VMS systems.
+
+ Version 2.56
+
+ 1. Fixed bugs in file upload introduced in version 2.55
+ 2. Fixed long-standing bug that prevented two files with identical
+ names from being uploaded.
+
+ Version 2.55
+
+ 1. Fixed cookie regression test so as not to produce an error.
+ 2. Fixed path_info() and self_url() to work correctly together when
+ path_info() modified.
+ 3. Removed manify warnings from CGI::{Switch,Apache}.
+
+ Version 2.54
+
+ 1. This will be the last release of the monolithic CGI.pm module.
+ Later versions will be modularized and optimized.
+ 2. DOMAIN tag no longer added to cookies by default. This will break
+ some versions of Internet Explorer, but will avoid breaking
+ networks which use host tables without fully qualified domain
+ names. For compatibility, please always add the -domain tag when
+ creating cookies.
+ 3. Fixed escape() method so that +'s are treated correctly.
+ 4. Updated CGI::Pretty module.
+
+ Version 2.53
+
+ 1. Forgot to upgrade regression tests before releasing 2.52. NOTHING
+ ELSE HAS CHANGED IN LIBRARY
+
+ Version 2.52
+
+ 1. Spurious newline in checkbox() routine removed. (courtesy John
+ Essen)
+ 2. TEXTAREA linebreaks now respected in dump() routine. (courtesy
+ John Essen)
+ 3. Patches for DOS ports (courtesy Robert Davies)
+ 4. Patches for VMS
+ 5. More fixes for cookie problems
+ 6. Fix CGI::Carp so that it doesn't affect eval{} blocks (courtesy
+ Byron Brummer)
+
+ Version 2.51
+
+ 1. Fixed problems with cookies not being remembered when sent to IE
+ 5.0 (and Netscape 5.0 too?)
+ 2. Numerous HTML compliance problems in cgi_docs.html; fixed thanks
+ to Michael Leahy
+
+ Version 2.50
+
+ 1. Added a new Vars() method to retrieve all parameters as a tied
+ hash.
+ 2. Untainted tainted tempfile name so that script doesn't fail on
+ terminal unlink.
+ 3. Made picking of upload tempfile name more intelligent so that
+ doesn't fail in case of name collision.
+ 4. Fixed handling of expire times when passed an absolute timestamp.
+ 5. Changed dump() to Dump() to avoid name clashes.
+
+ Version 2.49
+
+ 1. Fixes for FastCGI (globals not getting reset)
+ 2. Fixed url() to correctly handle query string and path under
+ MOD_PERL
+
+ Version 2.48
+
+ 1. Reverted detection of MOD_PERL to avoid breaking PerlEX.
+
+ Version 2.47
+
+ 1. Patch to fix file upload bug appearing in IE 3.01 for
+ Macintosh/PowerPC.
+ 2. Replaced use of $ENV{SCRIPT_NAME} with $ENV{REQUEST_URI} when
+ running under Apache, to fix self-referencing URIs.
+ 3. Fixed bug in escapeHTML() which caused certain constructs, such as
+ CGI->image_button(), to fail.
+ 4. Fixed bug which caused strong('CGI') to fail. Be careful to use
+ CGI::strong('CGI') and not CGI->strong('CGI'). The latter will
+ produce confusing results.
+ 5. Added upload() function, as a preferred replacement for the
+ "filehandle as string" feature.
+ 6. Added cgi_error() function.
+ 7. Rewrote file upload handling to return undef rather than dieing
+ when an error is encountered. Be sure to call cgi_error() to find
+ out what went wrong.
+
+ Version 2.46
+
+ 1. Fix for failure of the "include" tests under mod_perl
+ 2. Added end_multipart_form to prevent failures during qw(-compile
+ :all)
+
+ Version 2.45
+
+ 1. Multiple small documentation fixes
+ 2. CGI::Pretty didn't get into 2.44. Fixed now.
+
+ Version 2.44
+
+ 1. Fixed file descriptor leak in upload function.
+ 2. Fixed bug in header() that prevented fields from containing double
+ quotes.
+ 3. Added Brian Paulsen's CGI::Pretty package for pretty-printing
+ output HTML.
+ 4. Removed CGI::Apache and CGI::Switch from the distribution.
+ 5. Generated start_* shortcuts so that start_table(), end_table(),
+ start_ol(), end_ol(), and so forth now work (see the docs on how
+ to enable this feature).
+ 6. Changed accept() to Accept(), sub() to Sub(). There's still a
+ conflict with reset(), but this will break too many existing
+ scripts!
+
+ Version 2.43
+
+ 1. Fixed problem with "use strict" and file uploads (thanks to Peter
+ Haworth)
+ 2. Fixed problem with not MSIE 3.01 for the power_mac not doing file
+ uploads right.
+ 3. Fixed problem with file upload on IIS 4.0 when authorization in
+ use.
+ 4. -content_type and '-content-type' can now be provided to header()
+ as synonyms for -type.
+ 5. CGI::Carp now escapes the ampersand BEFORE escaping the > and <
+ signs.
+ 6. Fixed "not an array reference" error when passing a hash reference
+ to radio_group().
+ 7. Fixed non-removal of uploaded TMP files on NT platforms which
+ occurs when server runs on non-C drive (thanks to Steve Kilbane
+ for finding this one).
+
+ Version 2.42
+
+ 1. Too many screams of anguish at changed behavior of url(). Is now
+ back to its old behavior by default, with options to generate all
+ the variants.
+ 2. Added regression tests. "make test" now works.
+ 3. Documentation fixes.
+ 4. Fixes for Macintosh uploads, but uploads STILL do not work pending
+ changes to MacPerl.
+
+ Version 2.41
+
+ 1. url() method now includes the path info. Use script_name() to get
+ it without path info().
+ 2. Changed handling of empty attributes in HTML tag generation. Be
+ warned! Use table({-border=>undef}) rather than
+ table({-border=>''}).
+ 3. Changes to allow uploaded filenames to be compared to other
+ strings with "eq", "cmp" and "ne".
+ 4. Changes to allow CGI.pm to coexist more peacefully with
+ ActiveState PerlEX.
+ 5. Changes to prevent exported variables from clashing when importing
+ ":all" set in combination with cookies.
+
+ Version 2.40
+
+ 1. CGI::Carp patched to work better with mod_perl (thanks to Chris
+ Dean).
+ 2. Uploads of files whose names begin with numbers or the Windows
+ \\UNC\shared\file nomenclature should no longer fail.
+ 3. The <STYLE> tag (for cascading style sheets) now generates the
+ required TYPE attribute.
+ 4. Server push primitives added, thanks to Ed Jordan.
+ 5. Table and other HTML3 functions are now part of the :standard set.
+ 6. Small documentation fixes.
+
+ TO DO:
+ 1. Do something about the DTD mess. The module should generate
+ correct DTDs, or at least offer the programmer a way to specify
+ the correct one.
+ 2. Split CGI.pm into CGI processing and HTML-generating modules.
+ 3. More robust file upload (?still not working on the Macintosh?).
+ 4. Bring in all the HTML4 functionality, particular the accessibility
+ features.
+
+ Version 2.39
+
+ 1. file uploads failing because of VMS patch; fixed.
+ 2. -dtd parameter was not being properly processed.
+
+ Version 2.38
+
+ I finally got tired of all the 2.37 betas and released 2.38. The main
+ difference between this version and the last 2.37 beta (2.37b30) are
+ some fixes for VMS. This should allow file upload to work properly on
+ all VMS Web servers.
+
+ Version 2.37, various beta versions
+
+ 1. Added a CGI::Cookie::parse() method for lucky mod_perl users.
+ 2. No longer need separate -values and -labels arguments for
+ multi-valued form elements.
+ 3. Added better interface to raw cookies (fix courtesy Ken Fox,
+ kfox@ford.com)
+ 4. Added param_fetch() function for direct access to parameter list.
+ 5. Fix to checkbox() to allow for multi-valued single checkboxes
+ (weird problem).
+ 6. Added a compile() method for those who want to compile without
+ importing.
+ 7. Documented the import pragmas a little better.
+ 8. Added a -compile switch to the use clause for the long-suffering
+ mod_perl and Perl compiler users.
+ 9. Fixed initialization routines so that FileHandle and type globs
+ work correctly (and hash initialization doesn't fail!).
+ 10. Better deletion of temporary files on NT systems.
+ 11. Added documentation on escape(), unescape(), unescapeHTML() and
+ unescapeHTML() subroutines.
+ 12. Added documentation on creating subclasses.
+ 13. Fixed problem when calling $self->SUPER::foo() from inheriting
+ subclasses.
+ 14. Fixed problem using filehandles from within subroutines.
+ 15. Fixed inability to use the string "CGI" as a parameter.
+ 16. Fixed exponentially growing $FILLUNIT bug
+ 17. Check for undef filehandle in read_from_client()
+ 18. Now requires the UNIVERSAL.pm module, present in Perl 5.003_7 or
+ higher.
+ 19. Fixed problem with uppercase-only parameters being ignored.
+ 20. Fixed vanishing cookie problem.
+ 21. Fixed warning in initialize_globals() under mod_perl.
+ 22. File uploads from Macintosh versions of MSIE should now work.
+ 23. Pragmas now preceded by dashes (-nph) rather than colons (:nph).
+ Old style is supported for backward compatability.
+ 24. Can now pass arguments to all functions using {} brackets,
+ resolving historical inconsistencies.
+ 25. Removed autoloader warnings about absent MultipartBuffer::DESTROY.
+ 26. Fixed non-sticky checkbox() when -name used without -value.
+ 27. Hack to fix path_info() in IIS 2.0. Doesn't help with IIS 3.0.
+ 28. Parameter syntax for debugging from command line now more
+ straightforward.
+ 29. Added $DISABLE_UPLOAD to disable file uploads.
+ 30. Added $POST_MAX to error out if POSTings exceed some ceiling.
+ 31. Fixed url_param(), which wasn't working at all.
+ 32. Fixed variable suicide problem in s///e expressions, where the
+ autoloader was needed during evaluation.
+ 33. Removed excess spaces between elements of checkbox and radio
+ groups
+ 34. Can now create "valueless" submit buttons
+ 35. Can now set path_info as well as read it.
+ 36. ReadParse() now returns a useful function result.
+ 37. import_names() now allows you to optionally clear out the
+ namespace before importing (for mod_perl users)
+ 38. Made it possible to have a popup menu or radio button with a value
+ of "0".
+ 39. link() changed to Link() to avoid overriding native link function.
+ 40. Takes advantage of mod_perl's register_cleanup() function to clear
+ globals.
+ 41. <LAYER> and <ILAYER> added to :html3 functions.
+ 42. Fixed problems with private tempfiles and NT/IIS systems.
+ 43. No longer prints the DTD by default (I bet no one will complain).
+ 44. Allow underscores to replace internal hyphens in parameter names.
+ 45. CGI::Push supports heterogeneous MIME types and adjustable delays
+ between pages.
+ 46. url_param() method added for retrieving URL parameters even when a
+ fill-out form is POSTed.
+ 47. Got rid of warnings when radio_group() is called.
+ 48. Cookies now moved to their very own module.
+ 49. Fixed documentation bug in CGI::Fast.
+ 50. Added a :no_debug pragma to the import list.
+
+ Version 2.36
+
+ 1. Expanded JavaScript functionality
+ 2. Preliminary support for cascading stylesheets
+ 3. Security fixes for file uploads:
+ + Module will bail out if its temporary file already exists
+ + Temporary files can now be made completely private to avoid
+ peeking by other users or CGI scripts.
+ 4. use CGI qw/:nph/ wasn't working correctly. Now it is.
+ 5. Cookie and HTTP date formats didn't meet spec. Thanks to Mark
+ Fisher (fisherm@indy.tce.com) for catching and fixing this.
+
+ p
+
+ Version 2.35
+
+ 1. Robustified multipart file upload against incorrect syntax in
+ POST.
+ 2. Fixed more problems with mod_perl.
+ 3. Added -noScript parameter to start_html().
+ 4. Documentation fixes.
+
+ Version 2.34
+
+ 1. Stupid typo fix
+
+ Version 2.33
+
+ 1. Fixed a warning about an undefined environment variable.
+ 2. Doug's patch for redirect() under mod_perl
+ 3. Partial fix for busted inheritence from CGI::Apache
+ 4. Documentation fixes.
+
+ Version 2.32
+
+ 1. Improved support for Apache's mod_perl.
+ 2. Changes to better support inheritance.
+ 3. Support for OS/2.
+
+ Version 2.31
+
+ 1. New uploadInfo() method to obtain header information from uploaded
+ files.
+ 2. cookie() without any arguments returns all the cookies passed to a
+ script.
+ 3. Removed annoying warnings about $ENV{NPH} when running with the -w
+ switch.
+ 4. Removed operator overloading throughout to make compatible with
+ new versions of perl.
+ 5. -expires now implies the -date header, to avoid clock skew.
+ 6. WebSite passes cookies in $ENV{COOKIE} rather than
+ $ENV{HTTP_COOKIE}. We now handle this, even though it's O'Reilly's
+ fault.
+ 7. Tested successfully against new sfio I/O layer.
+ 8. Documentation fixes.
+
+ Version 2.30
+
+ 1. Automatic detection of operating system at load time.
+ 2. Changed select() function to Select() in order to avoid conflict
+ with Perl built-in.
+ 3. Added Tr() as an alternative to TR(); some people think it looks
+ better that way.
+ 4. Fixed problem with autoloading of MultipartBuffer::DESTROY code.
+ 5. Added the following methods:
+ + virtual_host()
+ + server_software()
+ 6. Automatic NPH mode when running under Microsoft IIS server.
+
+ Version 2.29
+
+ 1. Fixed cookie bugs
+ 2. Fixed problems that cropped up when useNamedParameters was set to
+ 1.
+ 3. Prevent CGI::Carp::fatalsToBrowser() from crapping out when
+ encountering a die() within an eval().
+ 4. Fixed problems with filehandle initializers.
+
+ Version 2.28
+
+ 1. Added support for NPH scripts; also fixes problems with Microsoft
+ IIS.
+ 2. Fixed a problem with checkbox() values not being correctly saved
+ and restored.
+ 3. Fixed a bug in which CGI objects created with empty string
+ initializers took on default values from earlier CGI objects.
+ 4. Documentation fixes.
+
+ Version 2.27
+
+ 1. Small but important bug fix: the automatic capitalization of tag
+ attributes was accidentally capitalizing the VALUES as well as the
+ ATTRIBUTE names (oops).
+
+ Version 2.26
+
+ 1. Changed behavior of scrolling_list(), checkbox() and
+ checkbox_group() methods so that defaults are honored correctly.
+ The "fix" causes endform() to generate additional <INPUT
+ TYPE="HIDDEN"> tags -- don't be surpised.
+ 2. Fixed bug involving the detection of the SSL protocol.
+ 3. Fixed documentation error in position of the -meta argument in
+ start_html().
+ 4. HTML shortcuts now generate tags in ALL UPPERCASE.
+ 5. start_html() now generates correct SGML header:
+ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+
+ 6. CGI::Carp no longer fails "use strict refs" pragma.
+
+ Version 2.25
+
+ 1. Fixed bug that caused bad redirection on destination URLs with
+ arguments.
+ 2. Fixed bug involving use_named_parameters() followed by
+ start_multipart_form()
+ 3. Fixed bug that caused incorrect determination of binmode for
+ Macintosh.
+ 4. Spelling fixes on documentation.
+
+ Version 2.24
+
+ 1. Fixed bug that caused generation of lousy HTML for some form
+ elements
+ 2. Fixed uploading bug in Windows NT
+ 3. Some code cleanup (not enough)
+
+ Version 2.23
+
+ 1. Fixed an obscure bug that caused scripts to fail mysteriously.
+ 2. Fixed auto-caching bug.
+ 3. Fixed bug that prevented HTML shortcuts from passing taint checks.
+ 4. Fixed some -w warning problems.
+
+ Version 2.22
+
+ 1. New CGI::Fast module for use with FastCGI protocol. See pod
+ documentation for details.
+ 2. Fixed problems with inheritance and autoloading.
+ 3. Added TR() (<tr>) and PARAM() (<param>) methods to list of
+ exported HTML tag-generating functions.
+ 4. Moved all CGI-related I/O to a bottleneck method so that this can
+ be overridden more easily in mod_perl (thanks to Doug MacEachern).
+ 5. put() method as substitute for print() for use in mod_perl.
+ 6. Fixed crash in tmpFileName() method.
+ 7. Added tmpFileName(), startform() and endform() to export list.
+ 8. Fixed problems with attributes in HTML shortcuts.
+ 9. Functions that don't actually need access to the CGI object now no
+ longer generate a default one. May speed things up slightly.
+ 10. Aesthetic improvements in generated HTML.
+ 11. New examples.
+
+ Version 2.21
+
+ 1. Added the -meta argument to start_html().
+ 2. Fixed hidden fields (again).
+ 3. Radio_group() and checkbox_group() now return an appropriate
+ scalar value when called in a scalar context, rather than
+ returning a numeric value!
+ 4. Cleaned up the formatting of form elements to avoid unesthetic
+ extra spaces within the attributes.
+ 5. HTML elements now correctly include the closing tag when
+ parameters are present but null: em('')
+ 6. Added password_field() to the export list.
+
+ Version 2.20
+
+ 1. Dumped the SelfLoader because of problems with running with taint
+ checks and rolled my own. Performance is now significantly
+ improved.
+ 2. Added HTML shortcuts.
+ 3. import() now adheres to the Perl module conventions, allowing
+ CGI.pm to import any or all method names into the user's name
+ space.
+ 4. Added the ability to initialize CGI objects from strings and
+ associative arrays.
+ 5. Made it possible to initialize CGI objects with filehandle
+ references rather than filehandle strings.
+ 6. Added the delete_all() and append() methods.
+ 7. CGI objects correctly initialize from filehandles on NT/95 systems
+ now.
+ 8. Fixed the problem with binary file uploads on NT/95 systems.
+ 9. Fixed bug in redirect().
+ 10. Added '-Window-target' parameter to redirect().
+ 11. Fixed import_names() so that parameter names containing funny
+ characters work.
+ 12. Broke the unfortunate connection between cookie and CGI parameter
+ name space.
+ 13. Fixed problems with hidden fields whose values are 0.
+ 14. Cleaned up the documentation somewhat.
+
+ Version 2.19
+
+ 1. Added cookie() support routines.
+ 2. Added -expires parameter to header().
+ 3. Added cgi-lib.pl compatability mode.
+ 4. Made the module more configurable for different operating systems.
+ 5. Fixed a dumb bug in JavaScript button() method.
+
+ Version 2.18
+
+ 1. Fixed a bug that corrects a hang that occurs on some platforms
+ when processing file uploads. Unfortunately this disables the
+ check for bad Netscape uploads.
+ 2. Fixed bizarre problem involving the inability to process uploaded
+ files that begin with a non alphabetic character in the file name.
+ 3. Fixed a bug in the hidden fields involving the -override directive
+ being ignored when scalar defaults were passed.
+ 4. Added documentation on how to disable the SelfLoader features.
+
+ Version 2.17
+
+ 1. Added support for the SelfLoader module.
+ 2. Added oodles of JavaScript support routines.
+ 3. Fixed bad bug in query_string() method that caused some parameters
+ to be silently dropped.
+ 4. Robustified file upload code to handle premature termination by
+ the client.
+ 5. Exported temporary file names on file upload.
+ 6. Removed spurious "uninitialized variable" warnings that appeared
+ when running under 5.002.
+ 7. Added the Carp.pm library to the standard distribution.
+ 8. Fixed a number of errors in this documentation, and probably added
+ a few more.
+ 9. Checkbox_group() and radio_group() now return the buttons as
+ arrays, so that you can incorporate the individual buttons into
+ specialized tables.
+ 10. Added the '-nolabels' option to checkbox_group() and
+ radio_group(). Probably should be added to all the other
+ HTML-generating routines.
+ 11. Added the url() method to recover the URL without the entire query
+ string appended.
+ 12. Added request_method() to list of environment variables available.
+ 13. Would you believe it? Fixed hidden fields again!
+
+ Version 2.16
+
+ 1. Fixed hidden fields yet again.
+ 2. Fixed subtle problems in the file upload method that caused
+ intermittent failures (thanks to Keven Hendrick for this one).
+ 3. Made file upload more robust in the face of bizarre behavior by
+ the Macintosh and Windows Netscape clients.
+ 4. Moved the POD documentation to the bottom of the module at the
+ request of Stephen Dahmen.
+ 5. Added the -xbase parameter to the start_html() method, also at the
+ request of Stephen Dahmen.
+ 6. Added JavaScript form buttons at Stephen's request. I'm not sure
+ how to use this Netscape extension correctly, however, so for now
+ the form() method is in the module as an undocumented feature. Use
+ at your own risk!
+
+ Version 2.15
+
+ 1. Added the -override parameter to all field-generating methods.
+ 2. Documented the user_name() and remote_user() methods.
+ 3. Fixed bugs that prevented empty strings from being recognized as
+ valid textfield contents.
+ 4. Documented the use of framesets and added a frameset example.
+
+ Version 2.14
+
+ This was an internal experimental version that was never released.
+
+ Version 2.13
+
+ 1. Fixed a bug that interfered with the value "0" being entered into
+ text fields.
+
+ Version 2.01
+
+ 1. Added -rows and -columns to the radio and checkbox groups. No
+ doubt this will cause much grief because it seems to promise a
+ level of meta-organization that it doesn't actually provide.
+ 2. Fixed a bug in the redirect() method -- it was not truly HTTP/1.0
+ compliant.
+
+ Version 2.0
+
+ The changes seemed to touch every line of code, so I decided to bump
+ up the major version number.
+ 1. Support for named parameter style method calls. This turns out
+ to be a big win for extending CGI.pm when Netscape adds new HTML
+ "features".
+ 2. Changed behavior of hidden fields back to the correct "sticky"
+ behavior. This is going to break some programs, but it is for
+ the best in the long run.
+ 3. Netscape 2.0b2 broke the file upload feature. CGI.pm now handles
+ both 2.0b1 and 2.0b2-style uploading. It will probably break again
+ in 2.0b3.
+ 4. There were still problems with library being unable to distinguish
+ between a form being loaded for the first time, and a subsequent
+ loading with all fields blank. We now forcibly create a default
+ name for the Submit button (if not provided) so that there's
+ always at least one parameter.
+ 5. More workarounds to prevent annoying spurious warning messages
+ when run under the -w switch. -w is seriously broken in perl
+ 5.001!
+
+ Version 1.57
+
+ 1. Support for the Netscape 2.0 "File upload" field.
+ 2. The handling of defaults for selected items in scrolling lists and
+ multiple checkboxes is now consistent.
+
+ Version 1.56
+
+ 1. Created true "pod" documentation for the module.
+ 2. Cleaned up the code to avoid many of the spurious "use of
+ uninitialized variable" warnings when running with the -w switch.
+ 3. Added the autoEscape() method. v
+ 4. Added string interpolation of the CGI object.
+ 5. Added the ability to pass additional parameters to the <BODY> tag.
+ 6. Added the ability to specify the status code in the HTTP header.
+
+ Bug fixes in version 1.55
+
+ 1. Every time self_url() was called, the parameter list would grow.
+ This was a bad "feature".
+ 2. Documented the fact that you can pass "-" to radio_group() in
+ order to prevent any button from being highlighted by default.
+
+ Bug fixes in version 1.54
+
+ 1. The user_agent() method is now documented;
+ 2. A potential security hole in import() is now plugged.
+ 3. Changed name of import() to import_names() for compatability with
+ CGI:: modules.
+
+ Bug fixes in version 1.53
+
+ 1. Fixed several typos in the code that were causing the following
+ subroutines to fail in some circumstances
+ 1. checkbox()
+ 2. hidden()
+ 2. No features added
+
+ New features added in version 1.52
+
+ 1. Added backslashing, quotation marks, and other shell-style escape
+ sequences to the parameters passed in during debugging off-line.
+ 2. Changed the way that the hidden() method works so that the default
+ value always overrides the current one.
+ 3. Improved the handling of sticky values in forms. It's now less
+ likely that sticky values will get stuck.
+ 4. If you call server_name(), script_name() and several other methods
+ when running offline, the methods now create "dummy" values to
+ work with.
+
+ Bugs fixed in version 1.51
+
+ 1. param() when called without arguments was returning an array of
+ length 1 even when there were no parameters to be had. Bad bug!
+ Bad!
+ 2. The HTML code generated would break if input fields contained the
+ forbidden characters ">< or &. You can now use these characters
+ freely.
+
+ New features added in version 1.50
+
+ 1. import() method allows all the parameters to be imported into a
+ namespace in one fell swoop.
+ 2. Parameters are now returned in the same order in which they were
+ defined.
+
+ Bugs fixed in version 1.45
+
+ 1. delete() method didn't work correctly. This is now fixed.
+ 2. reset() method didn't allow you to set the name of the button.
+ Fixed.
+
+ Bugs fixed in version 1.44
+
+ 1. self_url() didn't include the path information. This is now fixed.
+
+ New features added in version 1.43
+
+ 1. Added the delete() method.
+
+ New features added in version 1.42
+
+ 1. The image_button() method to create clickable images.
+ 2. A few bug fixes involving forms embedded in <PRE> blocks.
+
+ New features added in version 1.4
+
+ 1. New header shortcut methods
+ + redirect() to create HTTP redirection messages.
+ + start_html() to create the HTML title, complete with the
+ recommended <LINK> tag that no one ever remembers to include.
+ + end_html() for completeness' sake.
+ 2. A new save() method that allows you to write out the state of an
+ script to a file or pipe.
+ 3. An improved version of the new() method that allows you to restore
+ the state of a script from a file or pipe. With (2) this gives you
+ dump and restore capabilities! (Wow, you can put a "121,931
+ customers served" banner at the bottom of your pages!)
+ 4. A self_url() method that allows you to create state-maintaining
+ hypertext links. In addition to allowing you to maintain the state
+ of your scripts between invocations, this lets you work around a
+ problem that some browsers have when jumping to internal links in
+ a document that contains a form -- the form information gets lost.
+ 5. The user-visible labels in checkboxes, radio buttons, popup menus
+ and scrolling lists have now been decoupled from the values sent
+ to your CGI script. Your script can know a checkbox by the name of
+ "cb1" while the user knows it by a more descriptive name. I've
+ also added some parameters that were missing from the text fields,
+ such as MAXLENGTH.
+ 6. A whole bunch of methods have been added to get at environment
+ variables involved in user verification and other obscure
+ features.
+
+ Bug fixes
+
+ 1. The problems with the hidden fields have (I hope at last) been
+ fixed.
+ 2. You can create multiple query objects and they will all be
+ initialized correctly. This simplifies the creation of multiple
+ forms on one page.
+ 3. The URL unescaping code works correctly now.
diff --git a/lib/CGI/Cookie.pm b/lib/CGI/Cookie.pm
index 3afeae22dd..a900ec0d7f 100644
--- a/lib/CGI/Cookie.pm
+++ b/lib/CGI/Cookie.pm
@@ -13,7 +13,7 @@ package CGI::Cookie;
# wish, but if you redistribute a modified version, please attach a note
# listing the modifications you have made.
-$CGI::Cookie::VERSION='1.24';
+$CGI::Cookie::VERSION='1.25';
use CGI::Util qw(rearrange unescape escape);
use overload '""' => \&as_string,
@@ -26,7 +26,7 @@ if (exists $ENV{MOD_PERL}) {
eval "require mod_perl";
if (defined $mod_perl::VERSION) {
my $float = $mod_perl::VERSION;
- $float = ~ s/^.+?([\d.]+).+$/$1/;
+ $float += 0;
if ($float >= 1.99) {
$MOD_PERL = 2;
require Apache::RequestUtil;