Andy Armstrong



Changes for version 1.113

  • (thanks to Yamada Masahiro) randomise multipart boundary string (security).
  • Numerous changes from Mark Stosberg:
    • Port max-age support from CGI.pm, to improve compatibility and RFC-compliance
    • Correct header comment in cookie.t
    • It claims to be a simple copy/paste/modify of CGI.pm's test by the same name, but this has not been true for some time; CGI::Simple added httponly tests that CGI.pm lacks, for example.
    • Sync cookie references with CGI.pm: add reference to the newer RFC 2695
    • "Interface to browse cookies" looks like it was a typo for "browser". HTTP is more precise.
    • Fix awkward "CGI::Simple.pm" language. It looks like it probably originated from the CGI.pm form. "CGI::Simple" is used instead.
    • Best Practice: eliminate indirect object notation from new(), parse() and fetch() calls
    • Security: Fix handling of embedded malicious newlines in header values This is a direct port of the same security fix that
    • Security: use a random MIME boundary by default in multipart_init(). This is a direct port of the same issue which was addressed in CGI.pm, preventing some kinds of potential header injection attacks.
    • Port from CGI.pm: Fix multi-line header parsing. This fix is covered by the tests in t/header.t added in the previous patch. If you run those tests without this patch, you'll see how the headers would be malformed without this fix.
    • Port CRLF injection prevention from CGI.pm
    • Optimize Vars(): Don't build %hash if we aren't going to use it.
    • Micro-optimization to Vars(): Don't call "tie" unless we need to.
  • Numerous changes from K. Berov:
    • Added "+" to the mime character class.
    • Added tests for C<$mime = $q->upload_info( $filename, 'mime' );>
    • Fixed wrong match for mimetypes. Example: matched only 'application/vnd' instead of 'application/vnd.ms-excel'.
    • Added "\." to the mime character class
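As an added illustration of the two header-hardening changes listed above (the embedded-newline check and the random multipart boundary), here is a stand-alone Perl sketch; it is not CGI::Simple's or CGI.pm's own code, and the function names are my own:

```perl
#!/usr/bin/perl
# Added example, not the module's code: the two header-hardening ideas
# from this release written as stand-alone functions.
use strict;
use warnings;

my $CRLF = "\015\012";

# Unfold RFC 822 continuation lines (CRLF followed by whitespace), then
# refuse any remaining CR or LF. Without this, a value such as
# "text/html\r\nX-Injected: 1" becomes a second header line.
sub clean_header_value {
    my ($value) = @_;
    return undef unless defined $value;
    $value =~ s/$CRLF(\s)/$1/g;    # folded line -> the single whitespace char
    if ($value =~ /\015|\012/) {
        my $short = substr($value, 0, 25) . '...';
        die "Invalid header value contains a newline not followed by whitespace: $short\n";
    }
    return $value;
}

# A random multipart boundary instead of a fixed, predictable string, so the
# delimiter cannot be read from the source and planted inside user input.
sub random_boundary {
    my @alphabet = ('A' .. 'Z', 'a' .. 'z', 0 .. 9);
    my $rand = join '', map { $alphabet[ int rand @alphabet ] } 1 .. 24;
    return "------- =_$rand";
}

# Constructed inputs to show the behaviour.
print clean_header_value("text/html; charset=utf-8"), "\n";
print clean_header_value("a long value,${CRLF} continued"), "\n";   # unfolded, accepted
eval { clean_header_value("text/html${CRLF}X-Injected: 1") };
print "rejected: $@" if $@;                                          # bare CRLF, refused
print random_boundary(), "\n";
```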