Bug#607479: libfcgi-perl: After reloading some environment vars become constants, that will be used if not overruled by the headers of new requests.

[Ferdinand]

Package: libfcgi-perl
Version: 0.71-1
Severity: normal


Hi,

I had some strange problems with cookies, it seems that sometimes username cookies were highjacked, but not always, even by search bots.
I am using the Fast::CGI (libcgi-fast-perl 5.10.1-16) wrapper, but i think the problem lies in the FCGI code. I use apache (apache2 2.2.16-4) as webserver.

This is wat hapens:

I create a simple fpl file to show environment vars, and request that from 2 different locations (one with a proxy).
Every request is handled fine, i do not have any problems with environment vars. But after i change the file,
or simply touch it, the new version is compiled when a new request hapens, but some environment vars seems to get
a default value from the request that triggers the recompile. So if that request has some cookies, all request
without cookies will according to Fast::CGI module have the same cookies as the "recompile request".
I did not check all the env vars, but X_FORWARDED_FOR had the same problem. The problem vanished when i clear the %ENV just before i ask for the CGI object.

Example code (with ENV cleaning):

#! /usr/bin/perl -w

use CGI::Fast qw(:standard :cgi-lib);
use Data::Dumper;
use strict;

while ( my $cgi = getRequest() ) {

    print $cgi->header();

    print "<pre>========= ID:$$ =========\n";
    while (my ($key,$value) = each %ENV) {
       print "$key=$value\n";
    }
    print "========= VARS =========\n";
    print Dumper($cgi->Vars());
    print "========= COOKIE =========\n";
    print Dumper($cgi->cookie());
    print ".</pre>";

    #%ENV = undef;
}

sub getRequest {
    %ENV = () if $main::clearENV; # Clear the ENV
    $main::clearENV = 1;          # Do not clear the ENV the first time otherwise the Fast::CGI "slow mode" will not work anymore
    return new CGI::Fast;
}


I used 2 wget together to examine it:
(posted to the proxy server to disable caching)

$ http_proxy=http://proxy:8080 watch -d 'wget -qO - --post-data='xxx' --header "Cookie: usernaam=test" http://www.myserver.nl/env.fcgi'
$ watch -d 'wget -qO - http://www.myserver.nl/env.fcgi'

After a apache restart, both requests will output only there own env vars, but after a touch of the scriptfile,
you get a 50% chance both request will show the same cookie, postdata and x_forwarded_for headers. A restart fixes that allways.

I tried to look at the FCGI library, found out that they do some stuff with the %ENV, but could not figure out what exectly 
caused the problem.

Regards,
Ferdinand

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libfcgi-perl depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.1]    5.10.1-16  minimal Perl system

libfcgi-perl recommends no packages.

libfcgi-perl suggests no packages.

-- no debconf information