Hi Folks,

I'm reasonably certain that this is just a misconfigured mod_perl server on my part, but I can't seem to find a solution for it.

We are currently running ModPerl::Registry to serve legacy CGI code. Now, consider the following URL, with an embedded newline:

http://www.mysite.com/cgi-bin/search.cgi%0d%0a

Since we obviously don't have a CGI file named with a trailing newline character, I would expect apache to return a 404 Not Found. However, apache happily hands the URL off to mod_perl, which attempts to stat search.cgi(newline), and fails with:

[Wed Feb 13 16:27:33 2013] [error] [client 192.168.254.21] Unsuccessful stat on filename containing newline at /usr/local/lib64/perl5/ModPerl/RegistryCooker.pm line 787.\n

... which in turn results in a 500 Server Error.

Trying a similar URL with a php file on the same server correctly returns a 404. Also, requesting a file like /cgi-bin/this_file_does_not_exist.cgi correctly returns a 404. However, /cgi-bin/this_file_does_not_exist.cgi%0d%0a returns 500.

What can / should I do to get the "correct" behaviour out of mod_perl? I could probably do something with a mod_rewrite RewriteRule to strip newlines, but I feel like I shouldn't have to run every request through a RewriteRule. I could also accept if mod_perl treated this as a warning, but that's not the case here.

Here is line 787 of RegistryCooker.pm, btw:

783: # XXX: should go away when finfo() is ported to 2.0 (don't want to
784: # depend on compat.pm)
785: sub Apache2::RequestRec::my_finfo {
786:     my $r = shift;
787:     stat $r->filename;
788:     \*_;
789: }

Thoughts?

Thanks!
Michael

Reply via email to