Perl CGI.pm POST_MAX problem in FC7 - when will latest version be available in archives?

Todd Zullinger tmz at pobox.com
Wed Sep 19 13:52:57 UTC 2007


B Wooster wrote:
> The CGI.pm that is currently available with FC7 is version 3.15.
> That version has a problem - if a form is uploaded of size greater
> than POST_MAX, the CGI script will peg the CPU until the web server
> kills it (Apache has default 120 seconds timeout).  This ends up
> having problems on server, as well the client which now sees an
> empty page, or a "cannot load web page" message.
> 
> The latest version of CGI.pm is 3.29 - using cpan to "install CGI"
> will bring this latest version to a FC7 box.  So, that is a
> workaround for anyone else who is running CGI scripts on FC7 and
> using POST_MAX.
>
> But - note that when perl/perl-lib gets updated, a yum update will
> revert CGI.pm back to 3.15! (As happened last week when I did a yum
> update.)  That may be another issue - cpan updates vs. yum updates.
> 
> Still the key question I'm curious about - how do the FC7 repos
> get updated? 3.15 CGI.pm is now quite old - when will FC7 get the
> latest CGI.pm?

Either the perl package will need to be patched to update CGI.pm or a
new upstream perl release will need to include an updated CGI.pm.
Basically, the version of CGI.pm used is what is in the perl tarball.

This could get updated via a patch.  Something similar was done to
update from 3.08 to 3.10 a few years ago in perl 5.8.6[1].  The diff
from 3.15 to 3.29[2] would need to be tested to ensure that it doesn't
introduce new bugs.

A possibly saner alternative to a wholesale upgrade would be to just
patch CGI.pm to avoid the specific bug you're encountering (CPAN bug
19222[3]).  Attached is a diff against the F-7 perl specfile and the
patch to fix the POST_MAX bug.  You should be able to grab the latest
perl srpm, install it, apply the spec file patch, copy the POST_MAX
bugfix patch to the rpm source dir, rebuild, and test.

You could rebuild the perl rpm with this patch added and verify that
it fixes the problem with POST_MAX, then file a bug requesting that
the patch be included in an updated perl rpm.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=158036
[2] http://search.cpan.org/diff?from=CGI.pm-3.15&to=CGI.pm-3.29
[3] http://rt.cpan.org/Public/Bug/Display.html?id=19222

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
God loves stupid people. That's why he made so many.

-------------- next part --------------
Index: perl.spec
===================================================================
RCS file: /cvs/extras/rpms/perl/F-7/perl.spec,v
retrieving revision 1.125
diff -u -p -r1.125 perl.spec
--- perl.spec	18 Aug 2007 08:48:08 -0000	1.125
+++ perl.spec	19 Sep 2007 13:50:01 -0000
@@ -20,7 +20,7 @@
 
 Name:           perl
 Version:        %{perl_version}
-Release:        23%{?dist}
+Release:        23%{?dist}.1
 Epoch:          %{perl_epoch}
 Summary:        The Perl programming language
 Group:          Development/Languages
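Review bot: the `+Release:        23%{?dist}.1` line is the right shape for a local test rebuild, since 23.fc7.1 sorts above the stock 23.fc7 and below a future 24, so yum will not replace it until the maintainer ships a real update; if the patch is filed for inclusion, expect the maintainer to bump to 24%{?dist} instead, and the changelog E-V-R further down will need to follow.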
@@ -118,6 +118,8 @@ Patch39:        perl-5.8.8-disable_test_
 # XXX: Fixme - Finish patch.
 #Patch39:        perl-5.8.8-bz204679.patch
 Patch40:	perl-5.8.8-U28775.patch
+# http://rt.cpan.org/Public/Bug/Display.html?id=19222
+Patch41:        perl-5.8.8-ubz19222.patch
 BuildRoot:      %{_tmppath}/%{name}-%{perl_version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  tcsh, dos2unix, man, groff
 BuildRequires:  gdbm-devel, db4-devel
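Review bot: the new `Patch41:        perl-5.8.8-ubz19222.patch` line names a file that the attached CGI.pm diff does not carry (the second attachment has no filename), so whoever rebuilds must save it under exactly that name in the rpm source dir or %prep fails on a missing source; a sentence in the mail saying so would save a failed build. Also, the existing `bz` prefix in this spec (Patch39's perl-5.8.8-bz204679.patch) refers to Red Hat bugzilla numbers, so the comment above Patch41 should say that `ubz` means the upstream CPAN RT ticket, not just give the URL.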
@@ -345,6 +347,7 @@ Basic utilities for writing tests.
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
+%patch41 -p1
 #
 # Candidates for doc recoding (need case by case review):
 # find . -name "*.pod" -o -name "README*" -o -name "*.pm" | xargs file -i | grep charset= | grep -v '\(us-ascii\|utf-8\)'
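Review bot: `-p1` is the correct strip level for the attached diff, whose paths start with perl-5.8.8/ and so resolve to lib/CGI.pm inside the unpacked tree, but that diff's hunk header (`@@ -508,17 +535,10 @@`) was clearly generated against a differently numbered CGI.pm, so patch will apply it with an offset and possibly fuzz; check the %prep output for the "succeeded at ... (offset ...)" line and treat any fuzz as a reason to regenerate the diff against the 5.8.8 tarball's lib/CGI.pm rather than trusting a silent apply.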
@@ -738,6 +741,9 @@ make test
 %{_mandir}/man3/Test::Tutorial*
 
 %changelog
+* Wed Sep 19 2007 Todd Zullinger <tmz at pobox.com> - 4:5.8.8-23.1
+- Fix upstream bug 19222, CGI.pm POST_MAX read loop
+
 * Sat Aug 18 2007 Stepan Kasal <skasal at redhat.com> - 4:5.8.8-23
 - Remove unnnecessary parens from the License tags.
 
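Review bot: the changelog line `- Fix upstream bug 19222, CGI.pm POST_MAX read loop` names a bug number without a tracker, in a spec whose other entries cite Red Hat bugzilla numbers; spell it out as CPAN RT#19222 (the URL is already in the Patch41 comment) so nobody goes looking for bz#19222. The `4:5.8.8-23.1` E-V-R does match the epoch and the Release bump above.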
-------------- next part --------------
--- perl-5.8.8/lib/CGI.pm~	2005-12-07 22:35:30.000000000 +0000
+++ perl-5.8.8/lib/CGI.pm	2006-08-21 22:35:19.000000000 +0100
@@ -508,17 +535,10 @@
 
       # avoid unreasonably large postings
       if (($POST_MAX > 0) && ($content_length > $POST_MAX)) {
-	# quietly read and discard the post
-	  my $buffer;
-          my $tmplength = $content_length;
-          while($tmplength > 0) {
-                 my $maxbuffer = ($tmplength < 10000)?$tmplength:10000;
-                 my $bytesread = $MOD_PERL ? $self->r->read($buffer,$maxbuffer) : read(STDIN,$buffer,$maxbuffer);
-                 $tmplength -= $bytesread;
-          }
-          $self->cgi_error("413 Request entity too large");
-          last METHOD;
-       }
+	#discard the post, unread
+	$self->cgi_error("413 Request entity too large");
+	last METHOD;
+      }
 
       # Process multipart postings, but only if the initializer is
       # not defined.
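Review bot: the removed `while($tmplength > 0)` loop never checks what `read()` returned, so a client that advertises a Content-Length above POST_MAX and then closes early gets 0 back from read() on every pass, `$tmplength` never reaches zero, and the process spins until Apache's timeout kills it, which is exactly the CPU peg reported above. Dropping the drain and going straight to `cgi_error("413 ...")` does cure that, but it also leaves the unread body sitting on the connection, so the person testing this should confirm that both the plain CGI path and the `$MOD_PERL` path (`$self->r->read`) let the web server discard the remainder cleanly instead of stalling the client; if the drain is ever put back, it needs a `last unless $bytesread` guard. Minor: the replacement lines are tab-indented where the surrounding code uses spaces.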
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20070919/d4f36d5b/attachment-0001.sig>
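To make the failure mode in the thread concrete, here is an added example (not code from the thread, from CGI.pm, or from the attached patch) that runs the CGI.pm 3.15 drain loop and a checked variant against an in-memory filehandle standing in for STDIN. The sample input is constructed: a request that advertises Content-Length 20000 against a POST_MAX of 10000 but delivers only 5000 bytes before EOF. `drain_315` is reconstructed from the lines the patch removes, with an iteration cap added purely so the demonstration terminates; `drain_checked` is a hypothetical alternative fix that keeps draining but stops on EOF, which is not what the attached patch does (the patch stops reading altogether).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input, not from the thread: the client advertises
# Content-Length 20000 but sends only 5000 bytes before closing the
# connection.  POST_MAX is 10000, so the request must be rejected.
my $POST_MAX       = 10000;
my $content_length = 20000;
my $partial_body   = 'A' x 5000;

# Drain loop as it stood in CGI.pm 3.15, reconstructed from the lines the
# attached patch removes.  read() returns 0 at EOF without changing
# $tmplength, so on a short body the loop never ends.  $max_iter is a
# guard added here only so this demonstration terminates.
sub drain_315 {
    my ($fh, $length, $max_iter) = @_;
    my $tmplength = $length;
    my $iter      = 0;
    while ($tmplength > 0) {
        return "spinning: gave up after $max_iter iterations"
            if ++$iter > $max_iter;
        my $maxbuffer = $tmplength < 10000 ? $tmplength : 10000;
        my $bytesread = read($fh, my $buffer, $maxbuffer);
        $tmplength -= $bytesread;
    }
    return 'drained';
}

# Hypothetical alternative fix (not what the attached patch does): keep
# draining, but treat undef or 0 from read() as error/EOF and stop, so a
# Content-Length larger than the real body cannot pin the CPU.
sub drain_checked {
    my ($fh, $length) = @_;
    my $tmplength = $length;
    while ($tmplength > 0) {
        my $maxbuffer = $tmplength < 10000 ? $tmplength : 10000;
        my $bytesread = read($fh, my $buffer, $maxbuffer);
        last if !defined $bytesread || $bytesread == 0;   # error or EOF
        $tmplength -= $bytesread;
    }
    return $tmplength == 0
        ? 'drained'
        : "stopped at EOF with $tmplength bytes unread";
}

# Run both loops against an in-memory filehandle standing in for STDIN,
# inside the same size check CGI.pm performs before draining.
for my $pair (
    [ 'CGI.pm 3.15 loop' => sub { drain_315($_[0], $content_length, 100) } ],
    [ 'checked loop'     => sub { drain_checked($_[0], $content_length) } ],
) {
    my ($label, $drain) = @$pair;
    open my $stdin, '<', \$partial_body or die "open: $!";
    if ($POST_MAX > 0 && $content_length > $POST_MAX) {
        printf "%-16s %s\n", $label, $drain->($stdin);
        # CGI.pm would now call $self->cgi_error("413 Request entity too large")
    }
    close $stdin;
}
```

Run as written, the 3.15 loop reads the 5000 bytes on its first pass and then hits the iteration cap, because every later read() returns 0 and $tmplength stays at 15000; without the cap that is the busy loop Apache eventually kills. The checked loop stops on the first zero-length read and reports the 15000 unread bytes, which is the decision a real fix has to make: either stop on EOF as shown, or, as the attached patch does, never drain at all and let the web server discard the body.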