CGI.pm

Changes for version 3.55

THINGS THAT MAY BREAK YOUR CODE
- url() was fixed to return "PATH_INFO" when it is explicitly requested with either the path=>1 or path_info=>1 flag.
- If your code is running under mod_rewrite (or compatible) and you are calling self_url() or you are calling url() and passing path_info=>1, These methods will actually be returning PATH_INFO now, as you have explicitly requested, or has self_url() has requested on your behalf.
- The PATH_INFO has been omitted in such URLs since the issue was introduced in the 3.12 release in December, 2005.
- This bug is so old your application may have come to depend on it or workaround it. Check for application before upgrading to this release.
- Examples of affected method calls:
  - $q->url(-absolute => 1, -query => 1, -path_info => 1 ) $q->url(-path=>1) $q->url(-full=>1,-path=>1) $q->url(-rewrite=>1,-path=>1) $q->self_url();
Version 3.54, Apr 28, 2011 No code changes
- INTERNALS
  - Address test failures in t/tmpdir.t, thanks to Niko Tyni. Some tests here are failing on some platforms and have been marked as TODO.
Version 3.53, Apr 25, 2011
- NEW FEATURES
  - The DELETE HTTP verb is now supported. (RT#52614, James Robson, Eduardo Ari�o de la Rubia)
- INTERNALS
  - Correct t/tmpdir.t MANIFEST entry. (RT#64949)
  - Update minimum required Perl version to be Perl 5.8.1, which has been out since 2003. This allows us to drop some hacks and exceptions (Mark Stosberg)
Version 3.52, Jan 24, 2011
- DOCUMENTATION
  - The documentation for multi-line header handling was been updated to reflect the changes in 3.51. (Mark Stosberg, ntyni@iki.fi)
- INTERNALS
  - Add missing t/tmpfile.t file. (RT#64949)
  - Fix warning in t/cookie.t (RT#64570, Chris Williams, Rainer Tammer, Mark Stosberg)
  - Fixed logic bug in t/multipart_init.t (RT#64261, Niko Tyni)
Version 3.51, Jan 5, 2011
- NEW FEATURES
  - A new option to set $CGI::Carp::TO_BROWSER = 0, allows you to explicitly exclude a particular scope from triggering printing to the browser when fatatlsToBrowser is set. (RT#62783, Thanks to papowell)
  - The <script> tag now supports the "charset" attribute. (RT#62907, Thanks to Fabrice Metge)
  - In CGI::Cookie, "Max-Age" is now supported for better spec compliance. (Mark Stosberg)
- BUG FIXES
  - Setting charset() now works for all content types, not just "text/*". (RT#57945, Thanks to Yanick and Gerv.)
  - support for user temporary directories ($HOME/tmp) was commented out in 2.61 but the documentation wasn't updated (Peter Gervai, Niko Tyni)
  - setting $CGITempFile::TMPDIRECTORY before loading CGI.pm has been working but undocumented since 3.12 (which listed it in Changes as $CGI::TMPDIRECTORY) (Peter Gervai, Niko Tyni)
  - unfortunately the previous change broke the runtime check for looking for a new temporary directory if the current one suddenly became unwritable (Peter Gervai, Niko Tyni)
  - A bug was fixed in CGI::Carp triggered by certain death cases in the BEGIN phase of parent classes. (RT#57224, Thanks to UNERA, Yanick Champoux, Mark Stosberg)
  - CGI::Cookie->new() now follows the documentation and returns undef if the -name and -value args aren't provided. This new behavior is also consistent with the docs and code of CGI::Simple::Cookie. (Mark Stosberg)
  - CGI::Cookie->parse() now trims leading and trailing whitespace from cookie elements as intended. The change also makes this part of the parsing identical to CGI::Simple::Cookie (Mark Stosberg)
  - Temp file handling was improved (RT#62762)
- SECURITY
  - Further improvements have been made to guard against newline injections in headers. (Thanks to Max Kanat-Alexander, Yanick Champoux, Mark Stosberg)
- PERFORMANCE
  - Make EBCDIC a compile-time constant so there's zero overhead (and less compiled code) in subroutines that test for it. (Tim Bunce)
  - If you just want to use CGI::Cookie, CGI.pm will no longer be loaded unless you call the bake() method, which requires it. (Mark Stosberg)
- DOCUMENTATION
  - quit referring to the <link> tag as being "rarely used". (Victor Sanders)
  - typo and whitespace fixes (RT#62785, thanks to scop@cpan.org)
  - The -dtd argument to start_html() is now documented (RT#60473, Thanks to giecrilj and steve@fisharerojo.org)
  - CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0.
  - when creating a temporary file in the directory fails, the error message could indicate the root of the problem better (Peter Gervai, Niko Tyni)
- INTERNALS
  - Re-fixing https test in http.t. (RT#54768, thanks to SPROUT)
  - param_fetch no longer triggers a warning when called with no arguments (ysth, Mark Stosberg)
Version 3.50, Nov 8, 2010
- SECURITY
  - 1. The MIME boundary in multipart_init is now random. Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg 2. Further improvements to handling of newlines embedded in header values. An exception is thrown if header values contain invalid newlines. Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux, Lincoln Stein, Fr�d�ric Buclin and Mark Stosberg
- DOCUMENTATION
  - 1. Correcting/clarifying documentation for param_fetch(). Thanks to Ren�e B�cker. (RT#59132)
- INTERNALS
  - 1. Fixing https test in http.t. (RT#54768) 2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
Version 3.49, Feb 5th, 2010
- BUG FIXES
  - 1. Fix a regression since 3.44 involving a case when the header includes "Content-Length: 0". Thanks to Alex Vandiver (RT#51109) 2. Suppress uninitialized warnings under -w. Thanks to burak. (RT#50301) 3. url() now uses virtual_port() instead of server_port(). Thanks to MKANAT and Yanick Champoux. (RT#51562) 4. CGI::Carp now properly handles stringifiable objects, like Exception::Class throws (RT#39904)
- SECURITY
  - 1. embedded newlines are now filtered out of header values in header(). Thanks to Mark Stosberg and Yanick Champoux.
- DOCUMENTATION
  - 1. README was updated to reflect that CGI.pm was moved under ./lib. Thanks to Alex Vandiver.
- INTERNALS
  - 1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485) 2. Attempt to avoid test failures with t/fast, thanks to Steve Hay. (RT#49599)
Version 3.48, Sep 25, 2009
- BUG FIXES
  - 1. <optgroup> default values are now properly escaped. Thanks to #raleigh.pm and Mark Stosberg. (RT#49606) 2. The change to exception handling in CGI::Carp introduced in 3.47 has been reverted for now. It caused regressions reported in RT#49630. Thanks to mkanat for the report.
- DOCUMENTATION
  - 1. Documentation for upload() has been overhauled, thanks to Mark Stosberg. 2. Documentation for tmpFileName has been added. Thanks to Mark Stosberg and Nathaniel K. Smith. 3. URLS were updated, thanks to Leon Brocard and Yanick Champoux. (RT#49770)
- INTERNALS
  - 1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485)
Version 3.47, Sep 9, 2009
- No code changes.
- INTERNALS
  - Re-release of 3.46, which did not contain a proper MANIFEST