-
Notifications
You must be signed in to change notification settings - Fork 63
/
Changes
2423 lines (1874 loc) · 95 KB
/
Changes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
4.66 2024-06-04
[ FIX ]
- Restore trailing slashes in the ->url call (GH #267)
4.65 2024-06-04
[ TESTING ]
- "fix" t/url.t for older Perls (GH #266)
4.64 2024-03-18
[ META ]
- pass --no-xattrs to tar in Makefile to fix tar backwards compat (GH #264, thanks to ryandesign)
4.63 2024-03-01
[ FIX ]
- ->url returns a string in all cases (GH #263, thanks to Sketch6307)
4.62 2024-03-01
[ FIX ]
- ->url now returns the correct thing for ipv6 brackets (GH #259, thanks to eserte)
4.61 2024-01-08
[ ENHANCEMENT ]
- Support Paritioned cookies in CGI::Cookie (GH #262, thanks to dakkar)
4.60 2023-11-01
[ TESTING ]
- move t/changes.t to xt/ as is now broken by the recent rewrite of Test::CPAN::Changes (GH #260)
4.59 2023-10-02
[ FIX ]
- Bring VERSION values inline
4.58 2023-10-02
[ FIX ]
- Update cookie expires date format (GH #258 , thanks to robbiebow)
4.57 2023-05-01
[ DOCUMENTATION ]
- Documentation tweaks around uploadInfo() and hooks (GH #256, thanks to rlauer6)
4.56 2023-03-01
[ TESTING ]
- add new cookie field 'Priority' to CGI::Cookie code (GH #253, thanks to Pavel)
4.55 2023-01-03
[ TESTING ]
- remove dependency on Test::Deep (GH #254)
4.54 2022-02-03
[ FIX ]
- fix use of cache when calling ->cookie (GH #252)
- thanks to Sergey Panteleev for the PR
4.53 2021-06-03
[ FIX ]
- fix typo in passing of max-age to CGI::Cookie (GH #247)
4.52 2021-05-04
[ FIX ]
- sort hash keys for deterministic behaviour (GH #245, GH #246)
4.51 2020-10-01
[ DOCUMENTATION ]
- Document support for SameSite=None cookies in CGI::Cookie (GH #244)
4.50 2020-06-22
[ ENHANCEMENT ]
- Add APPEND_QUERY_STRING option (GH #243, thanks to stevenh)
4.49 2020-06-08
[ FIX ]
- remove deprecation warning as no longer in core (GH #221)
4.48 2020-06-02
[ FIX ]
- fix CGI::Cookie->bake() doesn't work with mod_perl redirects (GH #240)
- thanks to sherrardb for the PR (GH #241)
4.47 2020-05-01
[ FIX / TESTING ]
- fix typo in variable name (GH #239)
4.46 2020-02-03
[ DOCUMENTATION ]
- Document support for SameSite=None cookies (GH #238)
4.45 2019-06-03
[ ENHANCEMENT ]
- Add support for SameSite=None cookies (GH #237, thanks to Dur09)
4.44 2019-06-03
[ ENHANCEMENT ]
- Replace only use of "base" with "parent" (GH #235)
4.43 2019-05-01
[ FIX / TESTING ]
- support unquoted multipart/form-data name values (GH #234)
4.42 2019-03-26
[ DOCUMENTATION ]
- clarify licence also in Makefile.PL (GH #232)
4.41 2019-03-26
[ DOCUMENTATION ]
- clarify licence (GH #232)
4.40 2018-08-15
[ FIX / TESTING ]
- support perls < 5.10.1 in Makefile.PL by being more dynamic
(GH #229, GH #230, thanks to Aristotle)
4.39 2018-08-13
[ FIX / TESTING ]
- specify CONFIGURE_REQUIRES in Makefile.PL so can use TEST_REQUIRES
to build with older perls (GH #228)
4.38 2017-12-01
[ TESTING ]
- command_line.t: Avoid -I for libs (GH #224, thanks to cpansprout)
4.37 2017-11-01
[ FIX ]
- Fix incorrect quoting of ? in ->url (GH #112, GH #222, with
thanks to Reuben Thomas)
4.36 2017-03-29
[ ENHANCEMENT ]
- Support PATCH HTTP method (thanks to GovtGeek for the... patch)
- pass through max_age and samesite to CGI::Cookie->new in the call
in CGI->cookie (GH #220)
[ FIX ]
- skip t/command_line.t on windows as it doesn't work
4.35 2016-10-13
[ FIX ]
- revert changes from 4.34 as they broke stuff
4.34 2016-10-13
[ ENHANCEMENT ]
- If running from the command line, url_param now picks up
parameters given on then command line or on stdin (GH #210)
[ DOCUMENTATION ]
- documentation for above addition
4.33 2016-09-16
[ DOCUMENTATION ]
- clarify that ->param will return the first value if there are
multiple values (when not called in list context)
4.32 2016-07-19
[ DOCUMENTATION ]
- make perldoc CGI object consistent (GH #205)
- clarify reason for absolute URLs (GH #206)
[ INTERNALS ]
- tweak dependency defs in Makefile.PL (GH #207, GH #208)
- (thanks to karenetheridge and kentfredric)
4.31 2016-06-14
[ FEATURES ]
- Add SameSite support to Cookie handling (thanks to pangyre)
[ INTERNALS ]
- The MultipartBuffer package has been renamed to CGI::MultipartBuffer.
This has been done in a way to ensure any $MultipartBuffer package
variables are still set correctly in CGI::MultipartBuffer. if you are
explicitly using MultipartBuffer in a form such as:
MultipartBuffer->new
your code will break. you should be calling:
CGI->new->new_MultipartBuffer( $boundary,$length );
to ensure the correctly package is called. if you are extending the
MultipartBuffer package though use of ISA or base (or parent) then you
will need to update your code to use CGI::MultipartBuffer
- fake using strict and warnings to appease CPANTS Kwalitee
- require File::Temp v0.17+ to get seekable file handles (GH #204)
4.28 2016-03-14
[ RELEASE NOTES ]
- please see v4.21 Changes for any potentially impacting changes
[ SPEC / BUG FIXES ]
- undef %QUERY_PARAM in initialize_globals to clean mod_perl env
[ TESTING ]
- improve test coverage on request types (GH #199, GH #200)
- improve test coverage on CGI::Carp
4.27 2016-03-02
[ RELEASE NOTES ]
- please see v4.21 Changes for any potentially impacting changes
[ INTERNALS ]
- fix a couple of warnings in test harness
- add taint flag to example file_upload
- fix a warnings in STORE subroutine
4.26 2016-02-04
[ RELEASE NOTES ]
- please see v4.21 Changes for any potentially impacting changes
[ SPEC / BUG FIXES ]
- sort HTML attributes by default (GH #106, GH #196)
[ DOCUMENTATION ]
- clarifications about HTML function non removal
4.25 2015-12-17
[ RELEASE NOTES ]
- please see v4.21 Changes for any potentially impacting changes
[ DOCUMENTATION ]
- fix link to CONTRIBUTING file (thanks to Manwar for the fix)
- clarify that "soft" deprecation means that the HTML functions
are deprecated but will not raise any deprecation warnings
[ SPEC / BUG FIXES ]
- make the list context warning only happen once per process (or
thread) to prevent excessive log noise in long running or in
persistent processes (thanks to @dadamail for the suggestion)
4.23 2015-12-17
[ RELEASE NOTES ]
- Documentation fixes only - please see v4.21 Changes for any potentially
impacting changes
[ DOCUMENTATION ]
- add LICENSE file and LICENSE info to Makefile.PL
4.22 2015-10-16
[ RELEASE NOTES ]
- Documentation fixes only - please see v4.21 Changes for any potentially
impacting changes
[ DOCUMENTATION ]
- fix typos in CONTRIBUTING file
- links to docs, stackoverflow and perlmonks
- clarify deprecation policy on HTML functions (GH #188)
- mention HTML::Tiny in CGI::HTML::Functions (thanks to osfameron for
the suggestion)
4.21 2015-06-16
[ RELEASE NOTES ]
- CGI.pm is now considered "done". See also "mature" and "legacy"
Features requests and non-critical issues will be outright rejected.
The module is now in maintenance mode for critical issues only.
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
- This optimisation is no longer relevant and makes the code difficult to
deal with as well as making test coverage metrics incorrect. Benchmarks
show that advantages of AUTOLOAD / lazy loading / deferred compile are
less than 0.05s, which will be dwarfed by just about any meaningful code
in a cgi script. If this is an issue for you then you should look at
running CGI.pm in a persistent environment (FCGI, etc)
- To offset some of the time added by removing the AUTOLOAD functionality
the dependencies have been made runtime rather than compile time. The
POD has also been split into its own file. CGI.pm now contains around
4000 lines of code, which compared to some modules on CPAN isn't really
that much
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typo's in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it throughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
- References: GH #162, GH #137, GH #164
[ SPEC / BUG FIXES ]
- make the list context warning in param show the filename rather than
the package so we have more information on exactly where the warning
has been raised from (GH #171)
- correct self_url when PATH_INFO and SCRIPT_NAME are the same but we
are not running under IIS (GH #176)
- Add the multi_param method to :cgi export (thanks to xblitz for the patch
and tests. GH #167)
- Fix warning for lack of HTTP_USER_AGENT in CGI::Carp (GH #168)
- Fix imports when called from CGI::Fast, restores the import of CGI functions
into the callers namespace for users of CGI::Fast (GH leejo/cgi-fast#11 and
GH leejo/cgi-fast#12)
- Fix regression of tmpFileName when calling with a plain string (GH #178,
thanks to Simon McVittie for the report and fix)
[ FEATURES ]
- CGI::Carp now has $CGI::Carp::FULL_PATH for displaying the full path to the
offending script in error messages
- CGI now has env_query_string() for getting the value of QUERY_STRING from
the environment and not that fiddled with by CGI.pm (which is what
query_string() does) (GH #161)
- CGI::ENCODE_ENTITIES var added to control which chracters are encoded by
the call to the HTML::Entities module - defaults to &<>"' (GH #157 - the
\x8b and \x9b chars have been removed from this list as we are concerned
more about unicode compat these days than old browser support.)
[ DOCUMENTATION ]
- Fix some typos (GH #173, GH #174)
- All *documentation* for HTML functionality in CGI has been moved into
its own namespace: CGI::HTML::Functions - although the functionality
continues to exist within CGI.pm so there are no code changes required
(GH #142)
- Add missing documentation for env variable fetching routines (GH #163)
[ TESTING ]
- Increase test coverage (GH #3)
[ INTERNALS ]
- Cwd made a TEST_REQUIRES rather than a BUILD_REQUIRES in Makefile.PL
(GH #170)
- AutoloadClass variables have been removed as AUTOLOAD was removed in
v4.14 so these are no longer necessary (GH #172 thanks to alexmv)
- Remove dependency on constant - internal DEBUG, XHTML_DTD and EBCDIC
constants changes to $_DEBUG, $_XHTML_DTD, and $_EBCDIC
4.13 2014-12-18
[ RELEASE NOTES ]
- CGI::Pretty is now DEPRECATED and will be removed in a future release.
Please see GH #162 (https://github.com/leejo/CGI.pm/issues/162) for more
information and discussion (also GH #140 for HTML function deprecation
discussion: https://github.com/leejo/CGI.pm/issues/140)
[ TESTING ]
- fix t\rt-84767.t for failures on Win32 platforms related to file paths
4.11 2014-12-02
[ SPEC / BUG FIXES ]
- more hash key ordering bugs fixed in HTML attribute output (GH #158,
thanks to Marcus Meissner for the patch and test case)
[ REFACTORING ]
- escapeHTML (and unescapeHTML) have been refactored to use the functions
exported by the HTML::Entities module (GH #157)
- change BUILD_REQUIRES to TEST_REQUIRES in Makefile.PL as these are test
dependencies not build dependencies (GH #159)
[ DOCUMENTATION ]
- replace any remaining uses of indirect object notation (new Object) with
the safer Object->new syntax (GH #156)
4.10 2014-11-27
[ SPEC / BUG FIXES ]
- favour -content-type arg in header if -type and -charset options are also
passed in (GH #155, thanks to kaoru for the test case). this change also
sorts the hash keys in the rearrange method in CGI::Util meaning the order
of the arrangement will always be the same for params that have multiple
aliases. really you shouldn't be passing in multiple aliases, but this will
make it consistent should you do that
[ DOCUMENTATION ]
- fix some typos
4.09 2014-10-21
[ RELEASE NOTES ]
- with this release the large backlog of issues against CGI.pm has been
cleared. All fixes have been made in the versions 4.00 and above so if
you are upgrading from 3.* you should thoroughly test your code against
recent versions of CGI.pm
- an effort has been made to retain back compatibility against previous
versions of CGI.pm for any fixes made, however some changes related to
the handling of temporary files may have consequences for your code
- please refer to the RELEASE NOTES for version 4.00 and above for all
recent changes and file an issue on github if there has been a regression.
- please do *NOT* file issues regarding HTML generating functions, these
are no longer being maintained (see perldoc for rationale)
[ SPEC / BUG FIXES ]
- tweak url to DTRT when the web server is IIS (RT #89827 / GH #152)
- fix temporary file handling when dealing with multiple files in MIME uploads
(GH #154, thanks to GeJ for the test case)
4.08 2014-10-18
[ DOCUMENTATION ]
- note that calling headers without a -charset may lead to a nonsensical
charset being added to certain content types due to the default and the
workaround
- remove documentation stating that calls to escapeHTML with a changed
charset force numeric encoding of all characters, because that does not
happen
- documentation tweaks for calling param() in list context and the addition
of multi_param()
[ SPEC / BUG FIXES ]
- don't sub out PATH_INFO in url if PATH_INFO is the same as SCRIPT_NAME
(RT #89827)
- add multi_param() method to allow calling of param() in list context
without having to disable the $LIST_CONTEXT_WARN flag (see RELEASE NOTES
for version 4.05 on why calling param() in list context could be a bad
thing)
4.07 2014-10-12
[ RELEASE NOTES ]
- please see changes for v4.05
[ TESTING ]
- typo and POD fixes, add test to check POD and compiles
4.06 2014-10-10
[ RELEASE NOTES ]
- please see changes for v4.05
[ DOCUMENTATION ]
- make warning on list context call of ->param more lenient and don't
warn if called with no arguments
4.05 2014-10-08
[ RELEASE NOTES ]
- this release includes *significant* refactoring of temporary file
handling in CGI.pm. See "Changes in temporary file handling" in perldoc
- this release adds a warning for when the param method is called
in list context, see the Warning in the perldoc for the section
"Fetching the value or values of a single named parameter" for why
this has been added and how to disable this warning
[ DOCUMENTATION ]
- change AUTHOR INFORMATION to LICENSE to please Kwalitee
[ TESTING ]
- t/arbitrary_handles.t to check need for patch in RT #54055, it
turns out there is no need - the first argument to CGI->new can
be an arbitrary handle
- add test case for incorrect unescaping of redirect headers
(RT #61120)
- add tests for the handle method (RT #85074, thanks to TONYC@cpan.org)
[ SPEC / BUG FIXES ]
- don't set binmode on STDOUT/STDERR/STDIN if a none standard layer
is already set on them on none UNIX platforms (RT #57524)
- make XForms:Model data accesible through POSTDATA/PUTDATA param
(RT #75628)
- prevent corruption of POSTDATA/PUTDATA when -utf8 flag is used and use
tempfiles to handle this data (RT #79102, thanks anonymous)
- unescape request URI *after* having removed the query string to prevent
removal of ? chars that are part of the original URI (and were encoded)
(RT #83265)
- fix q( to qq( in CGI::Carp so $@ is correct interpolated (RT #83360)
- don't call ->query_string in url unless -query is passed (RT #87790)
(optimisation and fits the current documented behaviour)
4.04 2014-09-04
[ RELEASE NOTES ]
- this release removes some long deprecated modules/functions and
includes refactoring to the temporary file handling in CGI.pm. if
you are doing anything out of the ordinary with regards to temp
files you should test your code before deploying this update as
temp files may no longer be stored in previously used locations
[ REMOVED / DEPRECATIONS ]
- startform and endform methods removed (previously deprecated, you
should be using the start_form and end_form methods)
- both CGI::Apache and CGI::Switch have been removed as these modules
1) have been deprecated for *years*, and 2) do nothing whatsoever
[ SPEC / BUG FIXES ]
- handle multiple values in X-Forwarded-Host header, we follow the
logic in most other frameworks and take the last value from the list
(RT #54487)
- reverse the order of TEMP dir placement for WINDOWS: TEMP > TMP > WINDIR
(RT #71799, thanks to jeff@math.tntech.edu), this returns the behaviour
to pre e24d04e9bc5fda7722444b02fec135d8cc2ff488 but with the undefined
fix still in place
- refactor CGITempFile::find_tempdir to use File::Spec->tmpdir
(related: RT #71799)
- fix warnings when QUERY_STRING has empty key=value pairs (RT #54511)
- pad custom 500 status response messages to > 512 for MSIE (RT #81946)
- make Vars tied hash delete method return the value deleted from the hash
making it act like perl's delete (RT #51020)
[ TESTING ]
- add .travis.yml (https://travis-ci.org)
- test case for RT #53966 - disallow filenames with ~ char
- test case for RT #55166 - calling Vars to get the filename does not return
a filehandle, so this cannot be used in the call to uploadinfo, also
update documentation for the uploadInfo to show that ->Vars should not be
used to get the filename for this method
- fix t/url.t to pass on Win32 platforms that have the SCRIPT_NAME env
variable set (RT #89992)
- add procedural call tests for upload and uploadInfo to confirm these work
as should (RT #91136)
[ DOCUMENTATION ]
- tweak perldoc for -utf8 option (RT #54341, thanks to Helmut Richter)
- explain the HTML generation functions should no longer be used and that
they may be deprecated in a future release
4.03 2014-07-02
[ REMOVED / DEPRECATIONS ]
- the -multiple option to popup_menu is now IGNORED as this did not
function correctly. If you require a menu with multiple selections
use the scrolling_list method. (RT #30057)
[ SPEC / BUG FIXES ]
- support redirects in mod_perl2, or fall back to using env variable
for up to 5 redirects, when getting the query string (RT #36312)
- CGI::Cookie now correctly supports the -max-age argument, previously
if this was passed the value of the -expires argument would be used
meaning there was no way to supply *only* this argument (RT #50576)
- make :all actually import all methods, except for :cgi-lib, and add
:ssl to the :standard import (RT #70337)
[ DOCUMENTATION ]
- clarify documentation regarding query_string method (RT #48370)
- links fixed in some perldoc (Thanks to Michiel Beijen)
[ TESTING ]
- add t/changes.t for testing this Changes file
- test case for RT #31107 confirming multipart parsing is to spec
- improve t/rt-52469.t by adding a timeout check
4.02 2014-06-09
[ NEW FEATURES ]
- CGI::Carp learns noTimestamp / $CGI::Carp::NO_TIMESTAMP to prevent
timestamp in messages (RT #82364, EDAVIS@cpan.org)
- multipart_init and multipart_start learn -charset option (RT #22737)
[ SPEC / BUG FIXES ]
- Support multiple cookies when passing an ARRAY ref with -set-cookie
(RT #15065, JWILLIAMS@cpan.org)
[ DOCUMENTATION ]
- Made licencing information consistent and remove duplicate comments
about licence details, corrected location to report bugs (RT #38285)
4.01 2014-05-27
[ DOCUMENTATION ]
- CGI.pm hasn't been removed from core *just* yet, but will be soon:
http://perl5.git.perl.org/perl.git/commitdiff/e9fa5a80
4.00 2014-05-22
[ INTERNALS ]
- CGI::Fast split out into its own distribution, related files and tests removed
- developer test added for building with perlbrew
[ DOCUMENTATION ]
- Update perldoc to explain that CGI.pm has been removed from perl core
- Make =head2 perldoc less shouty (RT #91140)
- Tickets migrated from RT to github issues (both CGI and CGI.pm distributions)
- Repointing bugtracker at newly forked github repo and note that Lee Johnson
is the current maintainer.
- Bump version to 4.00 for clear boundary of above changes
Version 3.65 Feb 11, 2014
[INTERNALS]
- Update Makefile to refine where CGI.pm gets installed
(Thanks to bingo, rjbs: https://github.com/markstos/CGI.pm/pull/30)
Version 3.64 Nov 23, 2013
[BUG FIXES]
- Avoid warning about "undefined variable in user_agent in some cases (RT#72882)
[INTERNALS]
- Avoiding warning about "unitialized value" in when calling user_agent() in some cases. (RT#72882, perl@max-maurer.de)
- Update minimum required version in Makefile.PL to 5.8.1. It had already been
updated to 5.8.1 in the CGI.pm module in 3.53.
- Fix POD errors reported by newer pod2man (Thanks to jmdh)
- Typo fixes, (dsteinbrunner).
- use deprecate.pm on perls 5.19.0 and later. (rjbs).
[DOCUMENTATION]
- Update CGI::Cookie docs to reflect that HttpOnly is widely supported now.
Version 3.63 Nov 12, 2012
[SECURITY]
- CR escaping for Set-Cookie and P3P headers was improved. There was potential
for newline injection in these headers.
(Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23)
Version 3.62, Nov 9th, 2012
[INTERNALS]
- Changed how the deprecated endform function was defined for compatibility
with the development version of Perl.
- Fix failures in t/tmpdir.t when run as root
https://github.com/markstos/CGI.pm/issues/22, RT#80659)
- Made it possible to force a sorted order for things like hash
attributes so that tests are not dependent on a particular hash
ordering. This will be required in modern perls which will
change the ordering per process. (Yves, RT#80659)
Version 3.61 Nov 2nd, 2012
(No code changes)
[INTERNALS]
- formatting of CGI::Carp documentation was improved. Thanks to benkasminbullock.
- un-TODO some tests in t/tmpdir.t that were passing in most cases.
More on this:
https://github.com/markstos/CGI.pm/issues/19#
https://github.com/markstos/CGI.pm/commit/cc73dc9807b0fabb56b3cdf1a9726588b2eda0f7
Version 3.60 Aug 15th, 2012
[BUG FIXES]
- In some caes, When unescapeHTML() hit something it didn't recognize with an ampersand and
and semicolon, it would throw away the semicolon and ampersand. It now does a better job.
of preserving content it doesn't recognize. Thanks to CEBJYRE@cpan.org (RT#75595)
- Remove trailing newline after <form> tag inserted by startform and start_form. It can
cause rendering problems in some cases. Thanks to SJOHNSTON@cpan.org (RT#67719)
- Workaround "Insecure Dependency" warning generated by some versions of Perl (RT#53733).
Thanks to degatcpan@ntlworld.com, klchu@lbl.gov and Anonymous Monk
[DOCUMENTATION]
- Clarify that when -status is used, the human-readable phase should be included, per RFC 2616.
Thanks to SREZIC@cpan.org (RT#76691).
[INTERNALS]
- More tests for header(), thanks to Ryo Anazawa.
- t/url.t has been fixed on VMS. Thanks to cberry@cpan.org (RT#72380)
- MANIFEST patched so that t/multipart_init.t is included again. Thanks to shay@cpan.org (RT#76189)
Version 3.59 Dec 29th, 2011
[BUG FIXES]
- We no longer read from STDIN when the Content-Length is not set, preventing
requests with no Content-Length from freezing in some cases. This is consistent
with the CGI RFC 3875, and is also consistent with CGI::Simple. However, the old
behavior may have been expected by some command-line uses of CGI.pm.
Thanks to Philip Potter and Yanick Champoux. See RT#52469 for details:
https://rt.cpan.org/Public/Bug/Display.html?id=52469
[INTERNALS]
- remove tmpdirs more aggressively. Thanks to rjbs (RT#73288)
- use Text::ParseWords instead of ancient shellwords.pl. Thanks to AlexBio.
- remove use of define(@arr). Thanks to rjbs.
- spelling fixes. Thanks to Gregor Herrmann and Alessandro Ghedini.
- fix test count and warning in t/fast.t. Thanks to Yanick.
Version 3.58 Nov 11th, 2011
[DOCUMENTATION]
- Clarify that using query_string() only has defined behavior when using the GET method. (RT#60813)
Version 3.57 Nov 9th, 2011
[INTERNALS]
- test failure in t/fast.t introduced in 3.56 is fixed. (Thanks to zefram and chansen).
- Test::More requirement has been bumped to 0.98
Version 3.56 Nov 8th, 2011
[SECURITY]
Use public and documented FCGI.pm API in CGI::Fast
CGI::Fast was using an FCGI API that was deprecated and removed from
documentation more than ten years ago. Usage of this deprecated API with
FCGI >= 0.70 or FCGI <= 0.73 introduces a security issue.
<https://rt.cpan.org/Public/Bug/Display.html?id=68380>
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2766>
(Thanks to chansen)
[INTERNALS]
- tmp files are now cleaned up on VMS ( RT#69210, thanks to cberry@cpan.org )
- Fixed test failure: done_testing() added to url.t (Thanks to Ryan Jendoubi)
- Clarify preferred bug submission location in docs, and note that Mark Stosberg
is the current maintainer.
Version 3.55 June 3rd, 2011
[THINGS THAT MAY BREAK YOUR CODE]
url() was fixed to return "PATH_INFO" when it is explicitly requested
with either the path=>1 or path_info=>1 flag.
If your code is running under mod_rewrite (or compatible) and you are calling self_url() or
you are calling url() and passing path_info=>1, These methods will actually be
returning PATH_INFO now, as you have explicitly requested, or has self_url()
has requested on your behalf.
The PATH_INFO has been omitted in such URLs since the issue was introduced
in the 3.12 release in December, 2005.
This bug is so old your application may have come to depend on it or
workaround it. Check for application before upgrading to this release.
Examples of affected method calls:
$q->url(-absolute => 1, -query => 1, -path_info => 1 )
$q->url(-path=>1)
$q->url(-full=>1,-path=>1)
$q->url(-rewrite=>1,-path=>1)
$q->self_url();
Version 3.54, Apr 28, 2011
No code changes
[INTERNALS]
- Address test failures in t/tmpdir.t, thanks to Niko Tyni.
Some tests here are failing on some platforms and have been marked as TODO.
Version 3.53, Apr 25, 2011
[NEW FEATURES]
- The DELETE HTTP verb is now supported.
(RT#52614, James Robson, Eduardo Ari�o de la Rubia)
[INTERNALS]
- Correct t/tmpdir.t MANIFEST entry. (RT#64949)
- Update minimum required Perl version to be Perl 5.8.1, which
has been out since 2003. This allows us to drop some hacks
and exceptions (Mark Stosberg)
Version 3.52, Jan 24, 2011
[DOCUMENTATION]
- The documentation for multi-line header handling was been updated to reflect
the changes in 3.51. (Mark Stosberg, ntyni@iki.fi)
[INTERNALS]
- Add missing t/tmpfile.t file. (RT#64949)
- Fix warning in t/cookie.t (RT#64570, Chris Williams, Rainer Tammer, Mark Stosberg)
- Fixed logic bug in t/multipart_init.t (RT#64261, Niko Tyni)
Version 3.51, Jan 5, 2011
[NEW FEATURES]
- A new option to set $CGI::Carp::TO_BROWSER = 0, allows you to explicitly
exclude a particular scope from triggering printing to the browser when
fatatlsToBrowser is set. (RT#62783, Thanks to papowell)
- The <script> tag now supports the "charset" attribute.
(RT#62907, Thanks to Fabrice Metge)
- In CGI::Cookie, "Max-Age" is now supported for better spec compliance.
(Mark Stosberg)
[BUG FIXES]
- Setting charset() now works for all content types, not just "text/*".
(RT#57945, Thanks to Yanick and Gerv.)
- support for user temporary directories ($HOME/tmp) was commented out
in 2.61 but the documentation wasn't updated (Peter Gervai, Niko Tyni)
- setting $CGITempFile::TMPDIRECTORY before loading CGI.pm has been
working but undocumented since 3.12 (which listed it in Changes as
$CGI::TMPDIRECTORY) (Peter Gervai, Niko Tyni)
- unfortunately the previous change broke the runtime check for looking
for a new temporary directory if the current one suddenly became
unwritable (Peter Gervai, Niko Tyni)
- A bug was fixed in CGI::Carp triggered by certain death cases in
the BEGIN phase of parent classes.
(RT#57224, Thanks to UNERA, Yanick Champoux, Mark Stosberg)
- CGI::Cookie->new() now follows the documentation and returns undef
if the -name and -value args aren't provided. This new behavior is also
consistent with the docs and code of CGI::Simple::Cookie. (Mark Stosberg)
- CGI::Cookie->parse() now trims leading and trailing whitespace from cookie
elements as intended. The change also makes this part of the parsing
identical to CGI::Simple::Cookie (Mark Stosberg)
- Temp file handling was improved (RT#62762)
[SECURITY]
- Further improvements have been made to guard against newline injections
in headers. (Thanks to Max Kanat-Alexander, Yanick Champoux, Mark Stosberg)
[PERFORMANCE]
- Make EBCDIC a compile-time constant so there's zero overhead (and less
compiled code) in subroutines that test for it. (Tim Bunce)
- If you just want to use CGI::Cookie, CGI.pm will no longer be loaded
unless you call the bake() method, which requires it. (Mark Stosberg)
[DOCUMENTATION]
- quit referring to the <link> tag as being "rarely used". (Victor Sanders)
- typo and whitespace fixes (RT#62785, thanks to scop@cpan.org)
- The -dtd argument to start_html() is now documented
(RT#60473, Thanks to giecrilj and steve@fisharerojo.org)
- CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0.
- when creating a temporary file in the directory fails, the error message
could indicate the root of the problem better (Peter Gervai, Niko Tyni)
[INTERNALS]
- Re-fixing https test in http.t. (RT#54768, thanks to SPROUT)
- param_fetch no longer triggers a warning when called with no arguments (ysth, Mark Stosberg)
Version 3.50, Nov 8, 2010
[SECURITY]
1. The MIME boundary in multipart_init is now random.
Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg
2. Further improvements to handling of newlines embedded in header values.
An exception is thrown if header values contain invalid newlines.
Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
Lincoln Stein, Fr�d�ric Buclin and Mark Stosberg
[DOCUMENTATION]
1. Correcting/clarifying documentation for param_fetch(). Thanks to
Ren�e B�cker. (RT#59132)
[INTERNALS]
1. Fixing https test in http.t. (RT#54768)
2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
Version 3.49, Feb 5th, 2010
[BUG FIXES]
1. Fix a regression since 3.44 involving a case when the header includes "Content-Length: 0".
Thanks to Alex Vandiver (RT#51109)
2. Suppress uninitialized warnings under -w. Thanks to burak. (RT#50301)
3. url() now uses virtual_port() instead of server_port(). Thanks to MKANAT and Yanick Champoux. (RT#51562)
4. CGI::Carp now properly handles stringifiable objects, like Exception::Class throws (RT#39904)
[SECURITY]
1. embedded newlines are now filtered out of header values in header().
Thanks to Mark Stosberg and Yanick Champoux.
[DOCUMENTATION]
1. README was updated to reflect that CGI.pm was moved under ./lib.
Thanks to Alex Vandiver.
[INTERNALS]
1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485)
2. Attempt to avoid test failures with t/fast, thanks to Steve Hay. (RT#49599)
Version 3.48, Sep 25, 2009
[BUG FIXES]
1. <optgroup> default values are now properly escaped.
Thanks to #raleigh.pm and Mark Stosberg. (RT#49606)
2. The change to exception handling in CGI::Carp introduced in 3.47 has been
reverted for now. It caused regressions reported in RT#49630.
Thanks to mkanat for the report.
[DOCUMENTATION]
1. Documentation for upload() has been overhauled, thanks to Mark Stosberg.
2. Documentation for tmpFileName has been added. Thanks to Mark Stosberg and Nathaniel K. Smith.
3. URLS were updated, thanks to Leon Brocard and Yanick Champoux. (RT#49770)
[INTERNALS]
1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485)
Version 3.47, Sep 9, 2009
No code changes.
[INTERNALS]
Re-release of 3.46, which did not contain a proper MANIFEST
Version 3.46
[BUG FIXES]
1. In CGI::Pretty, we no longer add line breaks after tags we claim not to format. Thanks to rrt, Bob Kuo and
and Mark Stosberg. (RT#42114).
2. unescapeHTML() no longer falsely recognizes certain text as entities. Thanks to Pete Gamanche, Mark Stosberg
and Bob Kuo. (RT#39122)
3. checkbox_group() now correctly includes a space before the "checked" attribute.
Thanks to Andrew Speer and Bob Kuo. (RT#36583)
4. Fix case-sensitivity in http() and https() according to docs. Make https()
return list of keys in list context. Thanks to riQyRoe and Rhesa Rozendaal. (RT#12909)
5. XHTML is now automatically disabled for HTML 4, as well as HTML 2 and HTML 3. Thanks to
Dan Harkless and Yanick Champoux. (RT#27907)
6. Pre-compiling 'end_form' with ':form' switch now works. Thanks to ryochin and Yanick Champoux. (RT#41530)
7. Empty name/values pairs are now properly saved and restored from filehandles. Thanks to rlucas and
Rhesa Rozendaal (RT#13158)
8. Some differences between startform() and start_form() have been fixed. Thanks to Slaven Rezic and
Shawn Corey. (RT#22046)
9. url_param() has been updated to be more consistent with the documentation and param().
Thanks to Britton Kerin and Yanick Campoux. (RT#43587)
10.hidden() now correctly supports multiple default values.
Thanks to david@dierauer.net and Russell Jenkins. (RT#20436)
11.Calling CGI->new() no longer clobbers the value of $_ in the current scope.
Thanks to Alexey Tourbin, Bob Kuo and Mark Stosberg. (RT#25131)
12.UTF-8 params should not get double-decoded now.
Thanks to Yves, Bodo, Burak G�rsoy, and Michael Schout. (RT#19913)
13.We now give objects passed to CGI::Carp::die a chance to be stringified.
Thanks to teek and Yanick Champoux (RT#41530)
14.Turning off autoEscape() now only affects the behavior of built-in HTML
generation fuctions. Explicit calls to escapeHTML() always escape HTML regardless
of the setting. Thanks to vindex, Bob Kuo and Mark Stosberg (RT#40748)
15.In CGI::Fast, preferences set via pragmas are now preserved.
Thanks to heinst and Mark Stosberg (RT#32119)
[DOCUMENTATION]
1. remote_addr() is now documented. Thanks to Yanick Champoux. (RT#38884)
2. In CGI::Pretty in the list of tags left unformatted was updated to match the code. Thanks to Mark Stosberg. (RT#42114)
3. In CGI::Pretty, performance concerns are now documented. Thanks to Jochen, Rhesa Rozendaal and Mark Stosberg (RT#13223)
4. A number of outdated Netscape references have been removed. Thanks to Mark Stosberg.
5. The documentation has been purged of examples of using indirect object notation. Thanks to Mark Stosberg.
6. Some POD formatting was fixed. Thanks to Dave Mitchell (RT#48935).
7. Docs and examples were updated to highlight start_form instead of startform.
Thanks to Slaven Rezic.
8. Note that CGI::Carp::carpout() doesn't work with in-memory filehandles.
Thanks to rhubbell and Mark Stosberg.
9. The documentation for the -newstyle_urls is now less confusing.
Thanks to Ryan Tate and Mark Stosberg (RT#49454)
[INTERNALS]
1. Quit bundling an ancient copy of Test::More and and using a custom 'lib' path for the tests. Instead, Test::More
is now a dependency. Thanks to Ansgar and Mark Stosberg (RT#48811)
2. Automated tests for hidden() have been added, thanks to Russel Jenkins and Mark Stosberg (RT#20436)
3. t/util.t has been updated to use Test::More instead of a home-grown test function. Thanks to Bob Kuo.
Version 3.45, Aug 14, 2009
[BUG FIXES]
1. Prevent warnings about "uninitialized values" for REQUEST_URI, HTTP_USER_AGENT and other environment variables.
Patches by Callum Gibson, heiko and Mark Stosberg. (RT#24684, RT#29065)
2. Avoid death in some cases when running under Taint mode on Windows.
Patch by Peter Hancock (RT#43796)
3. Allow 0 to be used as a default value in popup_menu(). This was broken starting in 3.37.
Thanks to Haze, who was the first to report this and supply a patch, and pfschill, who pinpointed
when the bug was introduced. A regression test for this was also added. (RT#37908)
4. Allow "+" as a valid character in file names, which fixes temp file creation on OS X Leopard.
Thanks to Andy Armstrong, and alech for patches. (RT#30504)
5. Set binmode() on the Netware platform, thanks to Guenter Knauf (RT#27455)
6. Don't allow a CGI::Carp error handler to die recursively. Print a warning and exit instead.
Thanks to Marc Chantreux. (RT#45956)
7. The Dump() method now is fixed to escape HTML properly. Thanks to Mark Stosberg (RT#21341)
8. Support for <optgroup> with scrolling_list() now works the same way as it does for popup_menu().
Thanks to Stuart Johnston (RT#30097)
9. CGI::Pretty now works properly when $" is set to ''. Thanks to Jim Keenan (RT#12401)
10. Fix crash when used in combination with PerlEx::DBI. Thanks to Burak G�rsoy (RT#19902)
[DOCUMENTATION]
1. Several typos were fixed, Thanks to ambs. (RT#41105)
2. A typo related to the nosticky pragma was fixed, thanks to Britton Kerin. (RT#43220)
3. examples/nph-clock.cgi is now more portable, by calling localtime() rather than `/bin/date`,
thanks to Guenter Knauf. (RT#27456).
4. In CGI::Carp, the SEE ALSO section was cleaned up, thanks to Slaven Rezic. (RT#32769)
5. The docs for redirect() were updated to reflect that most headers are
ignored during redirection. Thanks to Mark Stosberg (RT#44911)
[INTERNALS]
1. New t/unescapeHTML.t test script has been added. It includes a TODO test for a pre-existing
bug which could use a patch. Thanks to Pete Gamache and Mark Stosberg (RT#39122)
2. New test scripts have been added for user_agent(), popup_menu() and query_string(), scrolling_list() and Dump()
Thanks to Mark Stosberg and Stuart Johnston. (RT#37908, RT#43006, RT#21341, RT#30097)
3. CGI::Carp and CGI::Util have been updated to have non-developer version numbers.
Thanks to Slaven Rezic. (RT#48425)
4. CGI::Switch and CGI::Apache now properly set their VERSION in their own name space.
Thanks to Alexey Tourbin (RT#11941,RT#11942)