Bug#607479: libfcgi-perl: After reloading some environment vars become constants, that will be used if not overruled by the headers of new requests.
Ferdinand
debbug at smitplaza.com
Sat Dec 18 21:13:40 UTC 2010
Package: libfcgi-perl
Version: 0.71-1
Severity: normal
Hi,
I had some strange problems with cookies; it seems that sometimes username cookies were hijacked, but not always, even by search bots.
I am using the Fast::CGI (libcgi-fast-perl 5.10.1-16) wrapper, but I think the problem lies in the FCGI code. I use Apache (apache2 2.2.16-4) as the web server.
This is what happens:
I create a simple fpl file to show environment vars, and request that from 2 different locations (one with a proxy).
Every request is handled fine; I do not have any problems with environment vars. But after I change the file,
or simply touch it, the new version is compiled when a new request happens, but some environment vars seem to get
a default value from the request that triggers the recompile. So if that request has some cookies, all requests
without cookies will, according to the Fast::CGI module, have the same cookies as the "recompile request".
I did not check all the env vars, but X_FORWARDED_FOR had the same problem. The problem vanished when I clear the %ENV just before I ask for the CGI object.
Example code (with ENV cleaning):
#! /usr/bin/perl -w
use CGI::Fast qw(:standard :cgi-lib);
use Data::Dumper;
use strict;

while ( my $cgi = getRequest() ) {
    print $cgi->header();
    print "<pre>========= ID:$$ =========\n";
    # Dump the environment as seen by this request
    while (my ($key,$value) = each %ENV) {
        print "$key=$value\n";
    }
    print "========= VARS =========\n";
    print Dumper($cgi->Vars());
    print "========= COOKIE =========\n";
    print Dumper($cgi->cookie());
    print ".</pre>";
    #%ENV = undef;
}

sub getRequest {
    %ENV = () if $main::clearENV; # Clear the ENV
    $main::clearENV = 1; # Do not clear the ENV the first time otherwise the Fast::CGI "slow mode" will not work anymore
    return CGI::Fast->new;
}
I used 2 wget commands together to examine it:
(posted to the proxy server to disable caching)
$ http_proxy=http://proxy:8080 watch -d 'wget -qO - --post-data='xxx' --header "Cookie: usernaam=test" http://www.myserver.nl/env.fcgi'
$ watch -d 'wget -qO - http://www.myserver.nl/env.fcgi'
After an Apache restart, both requests will output only their own env vars, but after a touch of the script file,
you get a 50% chance both requests will show the same cookie, postdata and x_forwarded_for headers. A restart always fixes that.
I tried to look at the FCGI library and found out that they do some stuff with the %ENV, but could not figure out what exactly
caused the problem.
Regards,
Ferdinand
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-vserver-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libfcgi-perl depends on:
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii perl 5.10.1-16 Larry Wall's Practical Extraction
ii perl-base [perlapi-5.10.1] 5.10.1-16 minimal Perl system
libfcgi-perl recommends no packages.
libfcgi-perl suggests no packages.
-- no debconf information
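
The failure class described in this report, as an added example that is not part of the original message and is not code from FCGI or CGI::Fast: a persistent worker that merges each request's variables over a long-lived environment hash, next to a variant that resets to a startup baseline first. The request data, addresses and function names are constructed for illustration, and the merge behaviour is an assumption used to model the symptom, not a diagnosis of the library.

```perl
#!/usr/bin/perl
# Added example: a model of the failure mode, not FCGI's or CGI::Fast's code.
use strict;
use warnings;

# Constructed sample requests: only the first one carries a cookie and a
# forwarded-for header.
my @requests = (
    { REMOTE_ADDR => '192.0.2.10', HTTP_COOKIE => 'usernaam=test',
      HTTP_X_FORWARDED_FOR => '198.51.100.7' },
    { REMOTE_ADDR => '192.0.2.20' },
);

# Leaky worker (assumed behaviour): per-request variables are merged over
# whatever the environment already holds, so anything the new request does
# not overrule survives from the previous one.
sub serve_leaky {
    my ($env, $req) = @_;
    @{$env}{ keys %$req } = values %$req;
    return $env->{HTTP_COOKIE};
}

# Hardened worker: reset to the baseline captured before the first request,
# then apply only this request's own variables.
sub serve_clean {
    my ($env, $baseline, $req) = @_;
    %$env = (%$baseline, %$req);
    return $env->{HTTP_COOKIE};
}

my %baseline = (PATH => '/usr/bin:/bin');   # stands in for the startup %ENV

my %env = %baseline;
my @leaky = map { serve_leaky(\%env, $_) } @requests;

%env = %baseline;
my @clean = map { serve_clean(\%env, \%baseline, $_) } @requests;

for my $i (0 .. $#requests) {
    printf "request %d  leaky cookie=%-15s clean cookie=%s\n", $i + 1,
        $leaky[$i] // '(none)', $clean[$i] // '(none)';
}

# Regression check: a request sent without a cookie must never see one.
die "cookie leaked into a cookie-less request\n" if defined $clean[1];
print "leaky worker exposed request 1's cookie to request 2\n"
    if defined $leaky[1];
```

Unlike clearing %ENV outright, resetting to a saved baseline keeps the process's startup variables available on every request.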