Changes for version 1.113
- (thanks to Yamada Masahiro) randomise multipart boundary string (security).
- Numerous changes from Mark Stosberg:
- Port max-age support from CGI.pm, to improve compatibility and RFC-compliance
- Correct header comment in cookie.t. It claims that it is a simple copy/paste/modify from CGI.pm's test by the same name, but this has not been true for some time: CGI::Simple added httponly tests that CGI.pm lacks, for example.
- Sync cookie references with CGI.pm: add reference to the newer RFC 2695
- "Interface to browse cookies" looks like it was a typo for "browser". HTTP is more precise.
- Fix awkward "CGI::Simple.pm" language. It looks like it probably originated from the CGI.pm form. "CGI::Simple" is used instead.
- Best Practice: eliminate indirect object notation from new(), parse() and fetch() calls
- Security: Fix handling of embedded malicious newlines in header values. This is a direct port of the same security fix that
- Security: use a random MIME boundary by default in multipart_init(). This is a direct port of the same issue which was addressed in CGI.pm, preventing some kinds of potential header injection attacks.
- Port from CGI.pm: Fix multi-line header parsing. This fix is covered by the tests in t/header.t added in the previous patch. If you run those tests without this patch, you'll see how the headers would be malformed without this fix.
- Port CRLF injection prevention from CGI.pm
- Optimize Vars(): Don't build %hash if we aren't going to use it.
- Micro-optimization to Vars(): Don't call "tie" unless we need to.
- Numerous changes from K. Berov:
- Added "+" to the mime character class.
- Added tests for C<$mime = $q->upload_info( $filename, 'mime' );>
- Fixed wrong match for mimetypes. Example: matched only 'application/vnd' instead of 'application/vnd.ms-excel'.
- Added "\." to the mime character class
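
The newline-related security entries above (embedded newlines in header values, CRLF injection prevention) describe one kind of check on header values. The following is an added illustration, not CGI::Simple's or CGI.pm's own code: a hypothetical `clean_header_value` helper, run over constructed sample values, assuming the rule that a CRLF followed by whitespace is a folded header line and any other CR or LF is rejected.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $CRLF = "\015\012";

# Hypothetical helper (not part of the CGI::Simple API): validate one
# header value before it is written to the response.
# A CRLF followed by a space or tab is a folded (continuation) line and
# is unfolded. Any other CR or LF would let a caller-supplied value
# terminate the header and start a new one, so it is refused.
sub clean_header_value {
    my ($value) = @_;
    return undef unless defined $value;

    $value =~ s/$CRLF([ \t])/$1/g;    # unfold continuation lines

    if ( $value =~ /[\015\012]/ ) {
        # Shorten long values and escape CR/LF so the diagnostic
        # itself stays on one log line.
        my $shown = length $value > 72 ? substr( $value, 0, 72 ) . '...' : $value;
        $shown =~ s/([\015\012])/sprintf '\\x%02X', ord $1/ge;
        die "Invalid header value contains a newline not followed by whitespace: $shown\n";
    }
    return $value;
}

# Constructed sample inputs: label => raw header value
my @samples = (
    [ 'plain value'   => 'text/html; charset=utf-8' ],
    [ 'folded value'  => "attachment;$CRLF filename=report.csv" ],
    [ 'embedded CRLF' => "/next${CRLF}X-Injected: yes" ],
    [ 'bare LF'       => "en\012X-Injected: yes" ],
);

for my $sample (@samples) {
    my ( $label, $raw ) = @$sample;
    my $clean = eval { clean_header_value($raw) };
    if ( defined $clean ) {
        print "accepted  $label: $clean\n";
    }
    else {
        print "rejected  $label: $@";
    }
}
```

The first two samples are accepted (the folded one as a single line); the last two are rejected with the newline shown in escaped form.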