Merge remote branch 'remotes/yanick/psgi_support' into psgi_support

Conflicts:
	lib/CGI.pm
commit b03599f53c89b551ff2ad723c23e0ff563af2996 2 parents 9813925 + 421a707
Mark Stosberg authored December 25, 2010
25  Changes
... ...
@@ -1,6 +1,26 @@
  1
+  [NEW FEATURES]  
  2
+  - A new option to set $CGI::Carp::TO_BROWSER = 0, allows you to explicitly  
  3
+    exclude a particular scope from triggering printing to the browser when
  4
+    fatatlsToBrowser is set. (RT#62783, Thanks to papowell) 
  5
+
1 6
   [BUG FIXES]  
2 7
   - Setting charset() now works for all content types, not just "text/*". 
3  
-    (RT#57945, Thanks to Yanick and Gerv.
  8
+    (RT#57945, Thanks to Yanick and Gerv.)
  9
+  - support for user temporary directories ($HOME/tmp) was commented out
  10
+    in 2.61 but the documentation wasn't updated (Peter Gervai, Niko Tyni)
  11
+  - setting $CGITempFile::TMPDIRECTORY before loading CGI.pm has been
  12
+    working but undocumented since 3.12 (which listed it in Changes as
  13
+    $CGI::TMPDIRECTORY) (Peter Gervai, Niko Tyni)
  14
+  - unfortunately the previous change broke the runtime check for looking
  15
+    for a new temporary directory if the current one suddenly became
  16
+    unwritable (Peter Gervai, Niko Tyni)
  17
+  - A bug was fixed in CGI::Carp triggered by certain death cases in
  18
+    the BEGIN phase of parent classes. 
  19
+    (RT#57224, Thanks to UNERA, Yanick Champoux, Mark Stosberg)
  20
+
  21
+  [SECURITY]
  22
+  - Further improvements have been made to guard against newline injections
  23
+    in headers. (Thanks to Max Kanat-Alexander, Yanick Champoux, Mark Stosberg)
4 24
 
5 25
   [PERFORMANCE]
6 26
   - Make EBCDIC a compile-time constant so there's zero overhead (and less
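Review bot: the new [NEW FEATURES] entry misspells the option as "fatatlsToBrowser"; it should read "fatalsToBrowser", and the comma after `$CGI::Carp::TO_BROWSER = 0` should go. The [SECURITY] entry would be more useful to anyone auditing an upgrade if it named the change, for example that header() now rejects a bare CR or LF as well as CRLF, which is what the lib/CGI.pm hunk in this commit does.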
@@ -11,6 +31,9 @@
11 31
   - typo and whitespace fixes (RT#62785, thanks to  scop@cpan.org) 
12 32
   - The -dtd argument to start_html() is now documented 
13 33
     (RT#60473, Thanks to giecrilj and steve@fisharerojo.org) 
  34
+  - CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0. 
  35
+  - when creating a temporary file in the directory fails, the error message
  36
+    could indicate the root of the problem better (Peter Gervai, Niko Tyni)
14 37
 
15 38
   [INTERNALS]
16 39
   - Re-fixing https test in http.t. (RT#54768, thanks to SPROUT)
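Review bot: the added line "CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0" claims more than the documentation change delivers. lib/CGI/Carp.pm in this commit now reads "fatalsToBrowser may B<not> work well with mod_perl version 2.0", which is a softer warning, not a statement that it works. Align the two wordings, and change "doc are" to "docs are".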
3  MANIFEST
@@ -48,12 +48,14 @@ t/fast.t
48 48
 t/form.t
49 49
 t/function.t
50 50
 t/gen-tests/gen-start-end-tags.pl
  51
+t/headers.t
51 52
 t/hidden.t
52 53
 t/html.t
53 54
 t/http.t
54 55
 t/init.t
55 56
 t/init_test.txt
56 57
 t/no_tabindex.t
  58
+t/param_fetch.t
57 59
 t/popup_menu.t
58 60
 t/pretty.t
59 61
 t/push.t
@@ -64,6 +66,7 @@ t/start_end_asterisk.t
64 66
 t/start_end_end.t
65 67
 t/start_end_start.t
66 68
 t/switch.t
  69
+t/tmpfile.t
67 70
 t/unescapeHTML.t
68 71
 t/upload.t
69 72
 t/upload_post_text.txt
52  README
... ...
@@ -1,7 +1,6 @@
1 1
 WHAT IS THIS?
2 2
 
3  
-This is CGI.pm, an easy-to-use Perl5 library for writing World
4  
-Wide Web CGI scripts.
  3
+This is CGI.pm, an easy-to-use Perl5 library for writing CGI scripts.
5 4
 
6 5
 HOW DO I INSTALL IT?
7 6
 
@@ -13,62 +12,31 @@ file and type the following:
13 12
    make test
14 13
    make install
15 14
 
16  
-If this doesn't work for you, try:
17  
-
18  
-   cp lib/CGI.pm /usr/local/lib/perl5
19  
-
20  
-If you have trouble installing CGI.pm because you have insufficient
21  
-access privileges to add to the perl library directory, you can still
22  
-use CGI.pm.  See the docs for details.
23  
-
24 15
 WHAT SYSTEMS DOES IT WORK WITH?
25 16
 
26  
-This module works with NT, Windows, Macintosh, OS/2 and VMS servers,
27  
-although it hasn't been tested as extensively as it should be.  See
28  
-the docs for notes on your particular platform.
  17
+This module works with Linux, Windows, OSX, FreeBSD, VMS and other platforms.
29 18
 
30 19
 WHERE IS THE DOCUMENTATION?
31 20
 
32 21
 Documentation is found in POD (plain old documentation) form in CGI.pm
33  
-itself.  When you install CGI, the MakeMaker program will
34  
-automatically install the manual pages for you (on Unix systems, type
35  
-"man CGI").
  22
+itself.  When you install CGI, manaul pages will automatically be installed.
  23
+on Unix systems, type "man CGI" or "perldoc CGI").
36 24
 
37 25
 WHERE ARE THE EXAMPLES?
38 26
 
39  
-A collection of examples demonstrating various CGI features and
40  
-techniques are in the directory "examples".
  27
+A collection of examples demonstrating various CGI features and techniques are
  28
+in the directory "examples". These are now rather old examples of Perl code and
  29
+should not be considered as best practices.
41 30
 
42 31
 WHERE IS THE ONLINE DOCUMENTATION?
43 32
 
44 33
 Online documentation of for CGI.pm, and notifications of new versions
45 34
 can be found at:
46 35
 
47  
-   http://search.cpan.org/~lds/
  36
+   http://search.cpan.org/dist/CGI.pm/
48 37
 
49 38
 WHERE CAN I LEARN MORE?
50 39
 
51  
-I have written a book about CGI.pm called "The Official Guide to
  40
+Lincoln Stein wrote a book about CGI.pm called "The Official Guide to
52 41
 Programming with CGI.pm" which was published by John Wiley & Sons in
53  
-May 1998.  If you like CGI.pm, you'll love this book.
54  
-
55  
-IMPORTANT NOTES:
56  
-
57  
-Version 2.69 emits XHTML by default.  To get the old behavior, use the
58  
--no_xhtml pragma.
59  
-
60  
-Versions 2.44-2.46 introduce two API changes that will affect
61  
-users of previous versions:
62  
-
63  
-1) The accept() function has been renamed Accept() to avoid conflicting with
64  
-Perl's built-in function of the same name.
65  
-
66  
-2) The sub() function has been renamed Sub() for similar reasons.
67  
-
68  
-My apologies for these changes, but they were necessary in order for
69  
-CGI to pass the perl5.005 regression tests!
70  
-
71  
-Have fun, and let me know how it turns out!
72  
-
73  
-Lincoln D. Stein
74  
-lstein@cshl.org
  42
+May 1998.
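Review bot: the rewritten documentation paragraph has a typo and broken punctuation. "manaul pages" should be "manual pages", and the following added line starts with a lowercase fragment and closes a parenthesis that is never opened. Suggested text: `itself.  When you install CGI, manual pages will automatically be installed` followed by `(on Unix systems, type "man CGI" or "perldoc CGI").`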
253  cgi-lib_porting.html
... ...
@@ -1,253 +0,0 @@
1  
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
2  
-<html> <head>
3  
-<title>Porting cgi-lib.pl Scripts to CGI.pm</title>
4  
-</head>
5  
-
6  
-<body>
7  
-<h1>Porting cgi-lib.pl Scripts to CGI.pm</h1>
8  
-
9  
-Steve Brenner, author of cgi-lib.pl, recently asked me to prepare a
10  
-document that compares <a
11  
-href="http://www.bio.cam.ac.uk/web/form.html">cgi-lib.pl</a> to <a
12  
-href="cgi_docs.html">CGI.pm</a> and to give some advice for people
13  
-wishing to port scripts from one to the other.
14  
-
15  
-<p>
16  
-
17  
-I heartily endorse cgi-lib.pl for people who have good reasons for
18  
-sticking with Perl version 4.  However, sites that use Perl 5.001 and
19  
-higher should seriously consider switching to CGI.pm or to the CGI::*
20  
-modules.  Here are some reasons why.
21  
-
22  
-<h2>Why use CGI.pm instead of cgi-lib.pl?</h2>
23  
-
24  
-At their core, both cgi-lib.pl and CGI.pm provide convenient ways to
25  
-get at CGI query strings.  There are a number of reasons to use CGI.pm
26  
-in preference to cgi-lib.pl.
27  
-
28  
-<dl>
29  
-  <dt>CGI.pm provides better support for multi-valued parameters.
30  
-  <dd>Named parameters that correspond to checkboxes and selection
31  
-      lists are frequently multi-valued.  With cgi-lib.pl, you must
32  
-      manually split the components with split() or (in version 2.0)
33  
-      with SplitParam():
34  
-      <blockquote><pre>
35  
-      @players=split("\0",$in{'players'});
36  
-      </pre></blockquote>
37  
-      With CGI.pm, you retrieve single or multi-valued parameters
38  
-      with the same syntax:
39  
-      <blockquote><pre>
40  
-      @players=param('players');
41  
-      </pre></blockquote>
42  
-      <p>
43  
-  <dt>CGI.pm provides a more elegant interface to file uploads.
44  
-  <dd>In cgi-lib.pl you have to anticipate in advance how large 
45  
-      Netscape file uploads may be and select whether the file is to
46  
-      be read into main memory or spooled to disk.  CGI.pm
47  
-      provides you with a variable that you can treat as a scalar to
48  
-      recover the original file name, or as a file handle that you can
49  
-      read from just as if you were reading the original file.  You
50  
-      don't have to worry about spooling issues:
51  
-      <blockquote><pre>
52  
-      $in_file = param('file_to_upload');
53  
-      while (<$in_file>) {
54  
-         $lineCount++;
55  
-      }
56  
-      </pre></blockquote>
57  
-      <p>
58  
-  <dt>CGI.pm gives you lots of HTML and HTTP shortcuts.
59  
-  <dd>CGI.pm includes methods that generate HTTP headers,
60  
-      redirection requests, and HTML tags (including
61  
-      the Netscape extensions).  These features are not included in
62  
-      cgi-lib.pl
63  
-      <p>
64  
-  <dt>CGI.pm provides a simple way of creating "sticky" forms and
65  
-      maintaining state.
66  
-  <dd>Among the HTML tag-generating shortcuts are methods for
67  
-      generating the elements of fill-out forms.  By default, these
68  
-      methods use the current query string to initialize the form
69  
-      element contents.  This gives you a simple mechanism for saving
70  
-      the state of a session, and has the nice side effect that the
71  
-      form doesn't revert back to its initial state every time you
72  
-      regenerate it.  Other methods in CGI.pm allow you to save
73  
-      state in URLs, write the state out to a file, or even store the
74  
-      session state in an external database.
75  
-      <p>
76  
-  <dt>CGI.pm gives you access to advanced HTTP and HTML features.
77  
-  <dd>Support for persistent cookies, Netscape frames and JavaScript
78  
-      is built into the module, along with some of the more esoteric
79  
-      HTTP features such as content negotiation.
80  
-</dl>
81  
-
82  
-<h2>Reasons not to migrate to CGI.pm</h2>
83  
-
84  
-The main difference is performance.  On a Pentium 90 system running
85  
-Linux, cgi-lib.pl takes 0.11 seconds to load.  CGI.pm takes 0.21
86  
-seconds.  If that tenth of a second matters to you, then you should
87  
-continue to use cgi-lib.pl.
88  
-
89  
-<h2>How do I migrate from cgi-lib.pl to CGI.pm?</h2>
90  
-
91  
-A compatability mode allows you to port most scripts that use
92  
-cgi-lib.pl to CGI.pm without making extensive source code changes.
93  
-Most of the functions defined in cgi-lib.pl version 2.10 are available
94  
-for your use.  Missing functions are easy to work around.  Follow this
95  
-model:
96  
-
97  
-<h3>Old Script</h3>
98  
-<blockquote>
99  
-<pre>
100  
-require "cgi-lib.pl";
101  
-&ReadParse;
102  
-print "The price of your purchase is $in{price}.\n";
103  
-</pre>
104  
-</blockquote>
105  
-
106  
-<h3>New Script</h3>
107  
-<blockquote>
108  
-<pre>
109  
-use CGI qw(:cgi-lib);
110  
-&ReadParse;
111  
-print "The price of your purchase is $in{price}.\n";
112  
-</pre>
113  
-</blockquote>
114  
-
115  
-In most cases the only change you'll need to make is the
116  
-<cite>require</cite> line.  The line
117  
-
118  
-<blockquote><pre>
119  
-use CGI qw(:cgi-lib);
120  
-</pre></blockquote>
121  
-
122  
-instructs Perl to read in CGI.pm and to import into your script's name
123  
-space the cgi-lib.pl compatability routines.  (In case you've never
124  
-run into this syntax before, the colon in front of
125  
-<code>cgi-lib</code> indicates that we're importing a family of
126  
-routines identified by the tag <cite>cgi-lib</cite> rather than a
127  
-single routine.)  The main routine that is imported is
128  
-<cite>ReadParse</cite>, which behaves in exactly the same way as
129  
-cgi-lib.pl's.  You can call it without any parameters, in which case
130  
-it will place the query string in the associative array
131  
-<code>%in</code>, or pass it the name of the associative array that
132  
-you want to use:
133  
-
134  
-<blockquote>
135  
-<pre>
136  
-ReadParse(*Query);
137  
-@partners = split("\0",$Query{'golf_partners'});
138  
-</pre>
139  
-</blockquote>
140  
-
141  
-CGI.pm is object-oriented, meaning that the parsed query string is
142  
-stored inside a "CGI" object.  When you use ReadParse(), a default CGI
143  
-object is created: behind the scenes access to the <code>%in</code>
144  
-associative array is actually reading and writing its values to the
145  
-CGI object.  You can get direct access to the underlying object by
146  
-using the special key 'CGI':
147  
-
148  
-<blockquote>
149  
-<pre>
150  
-&ReadParse;
151  
-print "The price of your purchase is $in{price}.\n";
152  
-$q = $in{CGI};
153  
-print $q->textfield(-name=&gt;'price',
154  
-                -default=&gt;'$1.99');
155  
-</pre>
156  
-</blockquote>
157  
-
158  
-This allows you to start taking advantage of the CGI.pm features
159  
-without scouring your code for all the places where you used the
160  
-cgi-lib.pl <code>%in</code> variable.  An even simpler way to mix
161  
-cgi-lib calls with CGI.pm calls is to import both the
162  
-<cite>:cgi-lib</cite> and <cite>:standard</cite> method:
163  
-
164  
-<blockquote>
165  
-<pre>
166  
-use CGI qw(:cgi-lib :standard);
167  
-&ReadParse;
168  
-print "The price of your purchase is $in{price}.\n";
169  
-print textfield(-name=&gt;'price',
170  
-                -default=&gt;'$1.99');
171  
-</pre>
172  
-</blockquote>
173  
-
174  
-<h2>Cgi-lib functions that are available in CGI.pm</h2>
175  
-
176  
-In compatability mode, the following cgi-lib.pl functions are
177  
-available for your use:
178  
-
179  
-<ol>
180  
-  <li>ReadParse()
181  
-  <li>PrintHeader()
182  
-  <li>HtmlTop()
183  
-  <li>HtmlBot()
184  
-  <li>SplitParam()
185  
-  <li>MethGet()
186  
-  <li>MethPost()
187  
-</ol>
188  
-
189  
-<h2>Cgi-lib functions that are not available in CGI.pm</h2>
190  
-
191  
-<dl>
192  
-  <dt>Extended form of ReadParse()
193  
-  <dd>The extended form of ReadParse() that provides for file upload
194  
-      spooling, is not available.  However you can read the contents
195  
-      of the file directly from %in as follows:
196  
-      <blockquote><pre>
197  
-      print "The name of the file is $in{uploaded_file};
198  
-      while (<$in{uploaded_file}>) {
199  
-         print "Next line = $_";
200  
-      }
201  
-      </pre></blockquote>
202  
-      <p>
203  
-  <dt>MyBaseURL()
204  
-  <dd>This function is not available.  Use CGI.pm's url() method instead.
205  
-      <p>
206  
-  <dt>MyFullURL()
207  
-  <dd>This function is not available.  Use CGI.pm's self_url() method
208  
-      instead.
209  
-      <p>
210  
-  <dt>CgiError(), CgiDie()
211  
-  <dd>These functions are not supported.  Look at CGI::Carp for the way I
212  
-      prefer to handle error messages.
213  
-      <p>
214  
-  <dt>PrintVariables()
215  
-  <dd>This function is not available.  To achieve the same effect,
216  
-      just print out the CGI object:
217  
-      <blockquote><pre>
218  
-      use CGI qw(:standard);
219  
-      $q = new CGI;
220  
-      print h1("The Variables Are"),$q;
221  
-      </pre></blockquote>
222  
-      <p>
223  
-  <dt>PrintEnv()
224  
-  <dd>This function is not available.  You'll have to roll your own if
225  
-      you really need it.
226  
-      <p>
227  
-  <dt>@in not supported
228  
-  <dd>The original ReadParse() stores the individual elements of the
229  
-      query string in an array named <code>@in</code>.  This rarely-
230  
-      used feature is not supported.  To retrieve the keywords from an
231  
-      oldstyle &lt;ISINDEX&gt; search, fetch the special array key
232  
-      <cite>keywords</cite>:
233  
-      <blockquote><pre>
234  
-      @keywords = SplitParam($in{'keywords'});
235  
-      </pre></blockquote>
236  
-</dl>
237  
-
238  
-<h2>Caveats</h2>
239  
-
240  
-The compatability routines are a recent feature (added in CGI.pm
241  
-version 2.20, released on May 22, 1996) and may contain bugs.
242  
-<strong>Caveat emptor!</strong>
243  
-<hr>
244  
-
245  
-<a href="cgi_docs.html">CGI.pm Documentation</a>
246  
-
247  
-<hr>
248  
-<address>Lincoln D. Stein, lstein@genome.wi.mit.edu<br>
249  
-<a href="/">Whitehead Institute/MIT Center for Genome Research</a></address>
250  
-<!-- hhmts start -->
251  
-Last modified: Wed May 22 23:33:25 EDT 1996
252  
-<!-- hhmts end -->
253  
-</body> </html>
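Review bot: deleting cgi-lib_porting.html drops two pieces that the POD added to lib/CGI.pm in this commit does not carry over: the example of reading an upload through `$in{uploaded_file}` under "Extended form of ReadParse()", and the `SplitParam($in{'keywords'})` note for ISINDEX searches. If the omission is deliberate, say so in Changes; otherwise move them into the POD, fixing the unterminated string on deleted line 197 on the way.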
106  lib/CGI.pm
@@ -1563,7 +1563,7 @@ sub header {
1563 1563
             $header =~ s/$CRLF(\s)/$1/g;
1564 1564
 
1565 1565
             # All other uses of newlines are invalid input. 
1566  
-            if ($header =~ m/$CRLF/) {
  1566
+            if ($header =~ m/$CRLF|\015|\012/) {
1567 1567
                 # shorten very long values in the diagnostic
1568 1568
                 $header = substr($header,0,72).'...' if (length $header > 72);
1569 1569
                 die "Invalid header value contains a newline not followed by whitespace: $header";
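Review bot: in the new test `m/$CRLF|\015|\012/` the `$CRLF` alternative looks redundant wherever $CRLF is itself made of \015 and \012; a character class such as `/[\015\012]/` (keeping `$CRLF` only if it can hold other characters on some platform) states the check more directly. Two follow-ups in the context lines: the die text still says "a newline not followed by whitespace", yet a bare LF or CR followed by whitespace is now rejected too, because the unfolding substitution above only matches `$CRLF(\s)`; and the diagnostic interpolates the first 72 characters of the rejected value, CR and LF included, so escape control characters before the value reaches the error log.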
@@ -1870,20 +1870,20 @@ sub _script {
1870 1870
 
1871 1871
     my (@scripts) = ref($script) eq 'ARRAY' ? @$script : ($script);
1872 1872
     for $script (@scripts) {
1873  
-	my($src,$code,$language);
1874  
-	if (ref($script)) { # script is a hash
1875  
-	    ($src,$code,$type) =
1876  
-		rearrange(['SRC','CODE',['LANGUAGE','TYPE']],
1877  
-				 '-foo'=>'bar',	# a trick to allow the '-' to be omitted
1878  
-				 ref($script) eq 'ARRAY' ? @$script : %$script);
  1873
+    my($src,$code,$language,$charset);
  1874
+    if (ref($script)) { # script is a hash
  1875
+        ($src,$code,$type,$charset) =
  1876
+        rearrange(['SRC','CODE',['LANGUAGE','TYPE'],'CHARSET'],
  1877
+                 '-foo'=>'bar', # a trick to allow the '-' to be omitted
  1878
+                 ref($script) eq 'ARRAY' ? @$script : %$script);
1879 1879
             $type ||= 'text/javascript';
1880 1880
             unless ($type =~ m!\w+/\w+!) {
1881 1881
                 $type =~ s/[\d.]+$//;
1882 1882
                 $type = "text/$type";
1883 1883
             }
1884  
-	} else {
1885  
-	    ($src,$code,$type) = ('',$script, 'text/javascript');
1886  
-	}
  1884
+    } else {
  1885
+        ($src,$code,$type,$charset) = ('',$script, 'text/javascript', '');
  1886
+    }
1887 1887
 
1888 1888
     my $comment = '//';  # javascript by default
1889 1889
     $comment = '#' if $type=~/perl|tcl/i;
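Review bot: the declaration `my($src,$code,$language,$charset);` still names `$language`, but both branches assign to `$type`, which is not declared anywhere in this hunk. Unless `$type` is declared above, declare it here in place of the unused `$language`. The re-indented lines (four spaces) also no longer line up with the unchanged `$type ||= 'text/javascript';` block below them, and mixing the whitespace cleanup with the new CHARSET argument makes the functional change harder to review; consider splitting the two.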
@@ -1901,6 +1901,7 @@ sub _script {
1901 1901
      my(@satts);
1902 1902
      push(@satts,'src'=>$src) if $src;
1903 1903
      push(@satts,'type'=>$type);
  1904
+     push(@satts,'charset'=>$charset) if ($src && $charset);
1904 1905
      $code = $cdata_start . $code . $cdata_end if defined $code;
1905 1906
      push(@result,$self->script({@satts},$code || ''));
1906 1907
     }
@@ -3647,7 +3648,7 @@ sub read_multipart {
3647 3648
 	    last if defined($filehandle = Fh->new($filename,$tmp,$PRIVATE_TEMPFILES));
3648 3649
             $seqno += int rand(100);
3649 3650
           }
3650  
-          die "CGI open of tmpfile: $!\n" unless defined $filehandle;
  3651
+          die "CGI.pm open of tmpfile $tmp/$filename failed: $!\n" unless defined $filehandle;
3651 3652
 	  $CGI::DefaultClass->binmode($filehandle) if $CGI::needs_binmode 
3652 3653
                      && defined fileno($filehandle);
3653 3654
 
@@ -4282,7 +4283,10 @@ $AUTOLOADED_ROUTINES=<<'END_OF_AUTOLOAD';
4282 4283
 sub new {
4283 4284
     my($package,$sequence) = @_;
4284 4285
     my $filename;
4285  
-    find_tempdir() unless -w $TMPDIRECTORY;
  4286
+    unless (-w $TMPDIRECTORY) {
  4287
+        $TMPDIRECTORY = undef;
  4288
+        find_tempdir();
  4289
+    }
4286 4290
     for (my $i = 0; $i < $MAXTRIES; $i++) {
4287 4291
 	last if ! -f ($filename = sprintf("\%s${SL}CGItemp%d", $TMPDIRECTORY, $sequence++));
4288 4292
     }
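Review bot: after `$TMPDIRECTORY = undef; find_tempdir();` nothing checks that a writable directory was actually found. If the search comes up empty, the `sprintf("\%s${SL}CGItemp%d", $TMPDIRECTORY, $sequence++)` in the loop below runs with an undefined directory and builds a path at the filesystem root. Suggest failing with a clear message when `$TMPDIRECTORY` is still undefined after the call. The `-w $TMPDIRECTORY` test in the `unless` will also warn under -w if the variable starts out undefined.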
@@ -5140,8 +5144,7 @@ file is created with mode 0600 (neither world nor group readable).
5140 5144
 
5141 5145
 The temporary directory is selected using the following algorithm:
5142 5146
 
5143  
-    1. if the current user (e.g. "nobody") has a directory named
5144  
-    "tmp" in its home directory, use that (Unix systems only).
  5147
+    1. if $CGITempFile::TMPDIRECTORY is already set, use that
5145 5148
 
5146 5149
     2. if the environment variable TMPDIR exists, use the location
5147 5150
     indicated.
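Review bot: step 1 should say when the variable has to be set. The Changes entry in this commit states that `$CGITempFile::TMPDIRECTORY` works when set before loading CGI.pm; the POD line omits that condition, so a reader may set it after `use CGI` and wonder why step 2 applies. Since uploads are spooled into this directory, a sentence advising a location writable only by the server user would fit here as well.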
@@ -5509,12 +5512,10 @@ Use the B<-noScript> parameter to pass some HTML text that will be displayed on
5509 5512
 browsers that do not have JavaScript (or browsers where JavaScript is turned
5510 5513
 off).
5511 5514
 
5512  
-The <script> tag, has several attributes including "type" and src.
5513  
-The latter is particularly interesting, as it allows you to keep the
5514  
-JavaScript code in a file or CGI script rather than cluttering up each
5515  
-page with the source.  To use these attributes pass a HASH reference
5516  
-in the B<-script> parameter containing one or more of -type, -src, or
5517  
--code:
  5515
+The <script> tag, has several attributes including "type", "charset" and "src".
  5516
+"src" allows you to keep JavaScript code in an external file. To use these
  5517
+attributes pass a HASH reference in the B<-script> parameter containing one or
  5518
+more of -type, -src, or -code:
5518 5519
 
5519 5520
     print $q->start_html(-title=>'The Riddle of the Sphinx',
5520 5521
 			 -script=>{-type=>'JAVASCRIPT',
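Review bot: the new paragraph names "charset" as an attribute, but its closing sentence still lists only "-type, -src, or -code" as accepted keys. Add -charset to that list and mention that it is emitted only together with -src, which is what `push(@satts,'charset'=>$charset) if ($src && $charset);` in _script does.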
@@ -5695,14 +5696,8 @@ method, the results will not be what you expect.
5695 5696
 
5696 5697
 =head1 CREATING STANDARD HTML ELEMENTS:
5697 5698
 
5698  
-CGI.pm defines general HTML shortcut methods for most, if not all of
5699  
-the HTML 3 and HTML 4 tags.  HTML shortcuts are named after a single
5700  
-HTML element and return a fragment of HTML text that you can then
5701  
-print or manipulate as you like.  Each shortcut returns a fragment of
5702  
-HTML code that you can append to a string, save to a file, or, most
5703  
-commonly, print out so that it displays in the browser window.
5704  
-
5705  
-This example shows how to use the HTML methods:
  5699
+CGI.pm defines general HTML shortcut methods for many HTML tags.  HTML shortcuts are named after a single
  5700
+HTML element and return a fragment of HTML text. Example:
5706 5701
 
5707 5702
    print $q->blockquote(
5708 5703
 		     "Many years ago on the island of",
@@ -7948,19 +7943,68 @@ NEW VERSION
7948 7943
 CGI.pm's ReadParse() routine creates a tied variable named %in,
7949 7944
 which can be accessed to obtain the query variables.  Like
7950 7945
 ReadParse, you can also provide your own variable.  Infrequently
7951  
-used features of ReadParse, such as the creation of @in and $in 
  7946
+used features of ReadParse, such as the creation of @in and $in
7952 7947
 variables, are not supported.
7953 7948
 
7954 7949
 Once you use ReadParse, you can retrieve the query object itself
7955 7950
 this way:
7956 7951
 
7957 7952
     $q = $in{CGI};
7958  
-    print textfield(-name=>'wow',
7959  
-			-value=>'does this really work?');
  7953
+    print $q->textfield(-name=>'wow',
  7954
+            -value=>'does this really work?');
7960 7955
 
7961 7956
 This allows you to start using the more interesting features
7962 7957
 of CGI.pm without rewriting your old scripts from scratch.
7963 7958
 
  7959
+An even simpler way to mix cgi-lib calls with CGI.pm calls is to import both the
  7960
+C<:cgi-lib> and C<:standard> method:
  7961
+
  7962
+ use CGI qw(:cgi-lib :standard);
  7963
+ &ReadParse;
  7964
+ print "The price of your purchase is $in{price}.\n";
  7965
+ print textfield(-name=>'price', -default=>'$1.99');
  7966
+
  7967
+=head2 Cgi-lib functions that are available in CGI.pm
  7968
+
  7969
+In compatability mode, the following cgi-lib.pl functions are
  7970
+available for your use:
  7971
+
  7972
+ ReadParse()
  7973
+ PrintHeader()
  7974
+ HtmlTop()
  7975
+ HtmlBot()
  7976
+ SplitParam()
  7977
+ MethGet()
  7978
+ MethPost()
  7979
+
  7980
+=head2 Cgi-lib functions that are not available in CGI.pm
  7981
+
  7982
+  * Extended form of ReadParse()
  7983
+    The extended form of ReadParse() that provides for file upload
  7984
+    spooling, is not available.
  7985
+
  7986
+  * MyBaseURL()
  7987
+    This function is not available.  Use CGI.pm's url() method instead.
  7988
+
  7989
+  * MyFullURL()
  7990
+    This function is not available.  Use CGI.pm's self_url() method
  7991
+    instead.
  7992
+
  7993
+  * CgiError(), CgiDie()
  7994
+    These functions are not supported.  Look at CGI::Carp for the way I
  7995
+    prefer to handle error messages.
  7996
+
  7997
+  * PrintVariables()
  7998
+    This function is not available.  To achieve the same effect,
  7999
+       just print out the CGI object:
  8000
+
  8001
+       use CGI qw(:standard);
  8002
+       $q = CGI->new;
  8003
+       print h1("The Variables Are"),$q;
  8004
+
  8005
+  * PrintEnv()
  8006
+    This function is not available. You'll have to roll your own if you really need it.
  8007
+
7964 8008
 =head1 AUTHOR INFORMATION
7965 8009
 
7966 8010
 The CGI.pm distribution is copyright 1995-2007, Lincoln D. Stein.  It is
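Review bot: the POD moved over from cgi-lib_porting.html keeps the original's "compatability" spelling (should be "compatibility") and says "C<:cgi-lib> and C<:standard> method" where "method sets" or "tags" is meant. The "functions that are not available" list is written as indented text with `*` markers, which POD renders as one verbatim block; `=over`/`=item` would produce a real list and keep the PrintVariables() prose from being shown as code. "The way I prefer to handle error messages" also reads oddly now that the README in this commit replaces the first person with "Lincoln Stein".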
41  lib/CGI/Carp.pm
@@ -116,7 +116,7 @@ occur in the early compile phase will be seen.
116 116
 Nonfatal errors will still be directed to the log file only (unless redirected
117 117
 with carpout).
118 118
 
119  
-Note that fatalsToBrowser does B<not> work with mod_perl version 2.0
  119
+Note that fatalsToBrowser may B<not> work well with mod_perl version 2.0
120 120
 and higher.
121 121
 
122 122
 =head2 Changing the default message
@@ -183,6 +183,28 @@ attempting to set SIG{__DIE__} yourself, you may interfere with
183 183
 this module's functionality, or this module may interfere with 
184 184
 your module's functionality.
185 185
 
  186
+=head2 SUPPRESSING PERL ERRORS APPEARING IN THE BROWSER WINDOW
  187
+
  188
+A problem sometimes encountered when using fatalsToBrowser is
  189
+when a C<die()> is done inside an C<eval> body or expression.
  190
+Even though the
  191
+fatalsToBrower support takes precautions to avoid this,
  192
+you still may get the error message printed to STDOUT.
  193
+This may have some undesireable effects when the purpose of doing the
  194
+eval is to determine which of several algorithms is to be used.
  195
+
  196
+By setting C<$CGI::Carp::TO_BROWSER> to 0 you can suppress printing the C<die> messages
  197
+but without all of the complexity of using C<set_die_handler>.
  198
+You can localize this effect to inside C<eval> bodies if this is desireable:
  199
+For example:
  200
+
  201
+ eval {
  202
+   local $CGI::Carp::TO_BROWSER = 0;
  203
+   die "Fatal error messages not sent browser"
  204
+ }
  205
+ # $@ will contain error message
  206
+
  207
+
186 208
 =head1 MAKING WARNINGS APPEAR AS HTML COMMENTS
187 209
 
188 210
 It is now also possible to make non-fatal errors appear as HTML
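Review bot: a few fixes for the new section. "fatalsToBrower" should be "fatalsToBrowser", "undesireable" and "desireable" should be "undesirable" and "desirable", and the die string "Fatal error messages not sent browser" is missing "to". The example `eval { ... }` needs a semicolon after the closing brace to stay valid when pasted ahead of other statements. The heading is also written in all caps at `=head2` level, unlike the neighbouring "=head2 Changing the default message".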
@@ -245,6 +267,8 @@ non-overridden program name
245 267
   
246 268
 =head1 CHANGE LOG
247 269
 
  270
+3.51 Added $CGI::Carp::TO_BROWSER
  271
+
248 272
 1.29 Patch from Peter Whaite to fix the unfixable problem of CGI::Carp
249 273
      not behaving correctly in an eval() context.
250 274
 
@@ -321,9 +345,10 @@ use File::Spec;
321 345
 
322 346
 $main::SIG{__WARN__}=\&CGI::Carp::warn;
323 347
 
324  
-$CGI::Carp::VERSION     = '3.45';
  348
+$CGI::Carp::VERSION     = '3.51';
325 349
 $CGI::Carp::CUSTOM_MSG  = undef;
326 350
 $CGI::Carp::DIE_HANDLER = undef;
  351
+$CGI::Carp::TO_BROWSER  = 1;
327 352
 
328 353
 
329 354
 # fancy import routine detects and handles 'errorWrap' specially.
@@ -421,23 +446,27 @@ sub ineval {
421 446
 }
422 447
 
423 448
 sub die {
424  
-  my ($arg,@rest) = @_;
  449
+    # if no argument is passed, propagate $@ like
  450
+    # the real die
  451
+  my ($arg,@rest) = @_ ? @_ 
  452
+                  : $@ ? "$@\t...propagated" 
  453
+                  :      "Died"
  454
+                  ;
425 455
 
426 456
   &$DIE_HANDLER($arg,@rest) if $DIE_HANDLER;
427 457
 
  458
+  # the "$arg" is done on purpose!
428 459
   # if called as die( $object, 'string' ),
429 460
   # all is stringified, just like with
430 461
   # the real 'die'
431 462
   $arg = join '' => "$arg", @rest if @rest;
432 463
 
433  
-  $arg ||= 'Died';
434  
-
435 464
   my($file,$line,$id) = id(1);
436 465
 
437 466
   $arg .= " at $file line $line.\n" unless ref $arg or $arg=~/\n$/;
438 467
 
439 468
   realdie $arg           if ineval();
440  
-  &fatalsToBrowser($arg) if $WRAP;
  469
+  &fatalsToBrowser($arg) if ($WRAP and $CGI::Carp::TO_BROWSER);
441 470
 
442 471
   $arg=~s/^/ stamp() /gme if $arg =~ /\n$/ or not exists $ENV{MOD_PERL};
443 472
 
31  t/carp.t
... ...
@@ -1,12 +1,12 @@
1 1
 # -*- Mode: cperl; coding: utf-8; cperl-indent-level: 2 -*-
2  
-#!/usr/local/bin/perl -w
  2
+#!perl -w
3 3
 
4 4
 use strict;
5 5
 
6  
-use Test::More tests => 59;
  6
+use Test::More tests => 61;
7 7
 use IO::Handle;
8 8
 
9  
-BEGIN { use_ok('CGI::Carp') };
  9
+use CGI::Carp;
10 10
 
11 11
 #-----------------------------------------------------------------------------
12 12
 # Test id
@@ -337,9 +337,14 @@ ok(!defined buffer("WIBBLE"),      '"WIBBLE" doesn\'t returns proper filehandle'
337 337
     CGI::Carp::die( My::Stringified::Object->new );
338 338
     $result{string_object} .= $_ while <STDOUT>;
339 339
 
  340
+    undef $@;
340 341
     CGI::Carp::die();
341 342
     $result{no_args} .= $_ while <STDOUT>;
342 343
 
  344
+    $@ = "I think I caught a virus";
  345
+    CGI::Carp::die();
  346
+    $result{propagated} .= $_ while <STDOUT>;
  347
+
343 348
     untie *STDOUT;
344 349
 
345 350
     like $result{string}    => qr/regular string/, 'regular string, wrapped';
@@ -352,6 +357,9 @@ ok(!defined buffer("WIBBLE"),      '"WIBBLE" doesn\'t returns proper filehandle'
352 357
       'stringified object, wrapped';
353 358
     like $result{no_args} => qr/Died at/, 'no args, wrapped';
354 359
 
  360
+    like $result{propagated} => qr/I think I caught a virus\t\.{3}propagated/, 
  361
+        'propagating $@ if no argument';
  362
+
355 363
 }
356 364
 
357 365
 {
@@ -371,3 +379,20 @@ ok(!defined buffer("WIBBLE"),      '"WIBBLE" doesn\'t returns proper filehandle'
371 379
         return bless {}, shift;
372 380
     }
373 381
 }
  382
+
  383
+
  384
+@result = ();
  385
+tie *STDOUT, 'StoreStuff' or die "Can't tie STDOUT";
  386
+ {
  387
+ 	eval {
  388
+ 		$CGI::Carp::TO_BROWSER = 0;
  389
+ 		die 'Message ToBrowser = 0';
  390
+	};
  391
+ 	$result[0] = $@;
  392
+ 	$result[1] .= $_ while (<STDOUT>);
  393
+ }
  394
+untie *STDOUT;
  395
+
  396
+ like $result[0] => qr/Message ToBrowser/, 'die message for ToBrowser = 0 is OK';
  397
+ ok !$result[1], 'No output for ToBrowser = 0';
  398
+
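Review bot: this test does not appear to exercise the new flag. The `die` runs inside `eval`, and in CGI::Carp::die the line `realdie $arg if ineval();` comes before the `fatalsToBrowser` call, so when ineval() detects the eval nothing is printed whether `$CGI::Carp::TO_BROWSER` is 0 or 1; the visible lines also never turn fatalsToBrowser on. A case that enables wrapping and compares the output with the flag at 1 and at 0 would cover the change. Setting the flag without `local` leaves it at 0 for anything appended to the file later, which is the opposite of what the new POD recommends, and the block mixes tabs and spaces.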
27  t/headers.t
@@ -16,29 +16,32 @@ my $cgi = CGI->new;
16 16
 like $cgi->header( -type => "text/html" ),
17 17
     qr#Type: text/html#, 'known header, basic case: type => "text/html"';
18 18
 
19  
-eval { like $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ),
20  
-    qr#Type: text/html evil: stuff#, 'known header'; };
  19
+eval { $cgi->header( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
21 20
 like($@,qr/contains a newline/,'invalid header blows up');
22 21
 
23 22
 like $cgi->header( -type => "text/html".$CGI::CRLF." evil: stuff " ),
24 23
     qr#Content-Type: text/html evil: stuff#, 'known header, with leading and trailing whitespace on the continuation line';
25 24
 
26  
-eval { like $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ),
27  
-    qr#Foobar: text/htmlevil: stuff#, 'unknown header'; };
  25
+eval { $cgi->header( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
28 26
 like($@,qr/contains a newline/,'unknown header with CRLF embedded blows up');
29 27
 
30  
-like $cgi->header( -foobar => "Content-type: evil/header" ),
31  
-    qr#^Foobar: Content-type: evil/header#m, 'unknown header with leading newlines';
  28
+eval { $cgi->header( -foobar => $CGI::CRLF."Content-type: evil/header" ) };
  29
+like($@,qr/contains a newline/, 'unknown header with leading newlines blows up');
32 30
 
33  
-eval { like $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ),
34  
-    qr#Type: text/htmlevil: stuff#, 'redirect w/ known header'; };
  31
+eval { $cgi->redirect( -type => "text/html".$CGI::CRLF."evil: stuff" ) };
35 32
 like($@,qr/contains a newline/,'redirect with known header with CRLF embedded blows up');
36 33
 
37  
-eval { like $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ),
38  
-    qr#Foobar: text/htmlevil: stuff#, 'redirect w/ unknown header'; };
  34
+eval { $cgi->redirect( -foobar => "text/html".$CGI::CRLF."evil: stuff" ) };
39 35
 like($@,qr/contains a newline/,'redirect with unknown header with CRLF embedded blows up');
40 36
 
41  
-eval { like $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html"),
42  
-    qr#Location: Content-Type#, 'redirect w/ leading newline '; };
  37
+eval { $cgi->redirect( $CGI::CRLF.$CGI::CRLF."Content-Type: text/html") };
43 38
 like($@,qr/contains a newline/,'redirect with leading newlines blows up');
44 39
 
  40
+{
  41
+    my $cgi = CGI->new('t=bogus%0A%0A<html>');
  42
+    my $out;
  43
+    eval { $out = $cgi->redirect( $cgi->param('t') ) };
  44
+    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
  45
+}
  46
+
  47
+
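Review bot: the tests cover CRLF and the double-LF case (`%0A%0A`), but the regex change in header() also adds a bare `\015` alternative, and nothing here passes a lone CR or a single LF followed by a space. Adding those two cases would pin down both new alternatives and the interaction with the unfolding rule. `my $out` in the last block is assigned but never checked; either drop it or assert that it stays undefined.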
6  t/html.t
@@ -88,13 +88,17 @@ is start_html(), <<END, "start_html()";
88 88
 <body>
89 89
 END
90 90
 
91  
-is start_html( -Title => 'The world of foo' ), <<END, "start_html()";
  91
+is start_html(
  92
+    -Title  => 'The world of foo' ,
  93
+    -Script => [ {-src=> 'foo.js', -charset=>'utf-8'} ],
  94
+    ), <<END, "start_html()";
92 95
 <!DOCTYPE html
93 96
 	PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
94 97
 	 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
95 98
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
96 99
 <head>
97 100
 <title>The world of foo</title>
  101
+<script src="foo.js" charset="utf-8" type="text/javascript"></script>
98 102
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
99 103
 </head>
100 104
 <body>
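Review bot: replacing the title-only call means the plain `start_html( -Title => ... )` case is no longer tested, and the test name is still "start_html()", the same as the test directly above it. Keep the original test, add this one under its own name, and add a case that passes -charset without -src, which _script drops by design (`if ($src && $charset)`).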
