-
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Changes
443 lines (357 loc) · 14.2 KB
/
Changes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
Revision history for CGI-Info
0.86 Mon Nov 25 09:17:30 EST 2024
Ensure correct message is logged on SQL injection attempt
Remember warnings in the warnings array - added warnings() method
0.85 Sun Nov 17 09:49:52 EST 2024
Send back HTTP code 422 when argument fails "allow"
Added come comments and small optimisations
new(): Use Scalar::Util to verify it's an object
Refactor AUTOLOAD
Avoid re-importing modules
Refactor status() and cookie() and add more tests
Added t/as_string.t
0.84 Fri Oct 18 08:21:05 EDT 2024
Intercept SQL Injection
entry=-4346" OR 1749\=1749 AND "dgiO"\="dgiO;page=people
Use Test::DescribeMe to simplify tests
Don't fail on systems that Test::Script fails to install on (e.g. Haiku)
0.83 Sun 8 Sep 08:52:23 EDT 2024
Mark Go-http-client as a robot
Support CircleCI
Fix t/script.t which failed on some platforms
Use gtar to create a distribution on Macs
Mark 'expect' as deprecated
0.82 Thu Aug 8 07:51:02 EDT 2024
Mark ClaudeBot as a robot
Mark YaK/1.0 as a robot
Mark trendictionbot as a robot
Added helper routine _get_params() and use it
0.81 Tue Apr 9 10:08:29 EDT 2024
Use Test::Needs
Added t/version.t
Added t/tabs.t
Mark axios/1.6.7, ias_crawler and ZoominfoBot as robots
Block "/**/ORDER/**/BY/**/" in the argument
Strip NUL byte poison
0.80 Fri Jan 19 08:05:29 EST 2024
Added documentroot() as a synonym to rootdir()
For compatibility with Apache
Allow "use lib CGI::Info::script_dir() . '../lib';"
Mark Facebook as a search engine, not a robot
0.79 Wed Jan 3 14:25:42 EST 2024
Better arg count checking
Mark techiaith.cymru as a robot
Facebook FBCLID can have "--" which can cause false positives
Mark ChatGPT as a search engine
Added root_dir() as synonym to rootdir()
That's the naming that CHI uses
0.78 Fri Oct 6 13:59:51 EDT 2023
Set HTTP status to 403 on HTTP_USER_AGENT SQL injection attack
Test::Exception hasn't been used for sometime, so removed dependency
0.77 Tue Aug 15 16:49:51 EDT 2023
Reduce the size of the cache
Added Dreamhost monitor as a robot
0.76 Tue Aug 8 20:43:57 EDT 2023
Marked serpstatbot as a robot
Only load JSON::MaybeXS when needed
0.75 Sat Apr 15 14:44:30 EDT 2023
Remove most calls to substr
Added Mediatoolkitbot as a robot
Added NetcraftSurveyAgent as a robot
Added Expanse as a robot
Added Bytespider as a robot
Added t/pod-synopsis.t
Refactored t/unused.t and t/10-compile.t
Fixed Github Actions on Alpine Linux, FreeBSD and OpenBSD
Label AmazonBot as a search engine
Block directory traversal attacks
Set HTTP status to 403 on blocked attacks
Catch another SQL injection attempt
0.74 Wed Jan 4 22:16:12 EST 2023
Added python-requests/2.27.1 as a robot
Use latest Github Actions environment
Support Sec-CH-UA-Mobile
Calling new on an object now returns a clone rather than setting the defaults in the new object
0.73 Fri Oct 29 07:32:37 EDT 2021
Attempt to fix https://www.cpantesters.org/cpan/report/6db47260-389e-11ec-bc66-57723b537541
0.72 Thu Oct 28 09:08:43 EDT 2021
More sensible default statuses when params() has yet to be called
Ensure \u0026 is interpreted as &
Use JSON::MaybeXS instead of JSON
0.71 Wed Feb 3 15:14:13 EST 2021
Added t/fixme.t
Use JSON module instead of JSON::Parse as the latter has dropped support for Solaris
Allow status to be set, this will be used later by CGI::Allow
0.70 Fri 7 Jun 12:39:52 EDT 2019
Allow logdir() and tmpdir() to be called as a class methods
Fix http://www.cpantesters.org/cpan/report/78a1401c-42de-11e9-bf31-80c71e9d5857
Trap SQL injections with SELECT statements
0.69 Sat 9 Mar 19:28:32 EST 2019
Added logdir()
0.68 Fri Dec 7 08:14:21 EST 2018
Allow a parameter to have the value 0
0.67 Tue Mar 27 12:31:12 EDT 2018
Remove the 'provides' tag
0.66 Thu Dec 14 18:36:31 EST 2017
Added MyLogger to the MANIFEST
0.65 Tue Dec 12 16:54:42 EST 2017
Fix breakage on 5.27.5 and beyond (Github issue 7)
Send 501 on unknown request, not 405
Bump minimum version of File::Spec
Use List::MoreUtils instead of grep
0.64 Thu Oct 12 10:30:18 EDT 2017
Added mechanism to speak to setlogsock - useful for Dreamhost customers
Added set_logger
0.63 Wed Jul 5 20:57:31 EDT 2017
When preventing SQL injection or XSS, don't return any parameters, since
it's best to assume everything is poisoned
Added max_upload_size to new()
OPTIONS shouldn't get through to CGI::Info, so disallow it
0.62 Wed 21 Dec 09:28:36 EST 2016
Added status() method
Set maximum file upload size to 512K
0.61 Thu 1 Dec 21:46:44 EST 2016
Missed bin/* from the MANIFEST
0.60 Thu Dec 1 14:42:37 EST 2016
Handle JSON POST data
AUTOLOAD parameters
Added the cookie() method
Added Appveyor support to CI test on Windows
Added tests that the framework to allow CGI scripts to be tested from
the command line work
Added Travis and Coveralls integration
Mark some SEO scanners as robots
On unknown input, debug what it is
Added seznambot as a search engine
0.59 Tue Apr 12 17:38:03 EDT 2016
Log the IP address of client attempting SQL injection
H::B says robot() returns undef if it's not a robot; but sometimes it returns 0
Bump minimum HTTP::Browserdetect to ensure bingbot is found
0.58 Sat Dec 26 10:12:47 EST 2015
Support allowed list of arguments changing, this is useful for -
$my action = $info->param('action');
my %allowed;
if($action eq 'action1') {
%allowed = ('foo' => qr(\d+));
} else {
%allowed = ('bar' => qr(\d+));
}
my $params = $info->params(allowed => \%allowed);
0.57 Sun Oct 25 15:43:05 EDT 2015
Reduce attack false positives
Don't add an argument if it's already there
--search-engine and --mobile didn't work
Less harsh SQL injection tests, there were too many false positives
Tabletsare no longer considered mobile phones
params now returns undef if no arguments were given
Pretend Facebookexternal (used to prefetch pages for
display) is a search_engine.
Don't mark search engines as robots
0.56 Sun Aug 16 20:05:27 EDT 2015
Catch XML read failures
Twitterbot is a robot
Catch more injection attempts
0.55 Thu Jun 11 17:33:10 EDT 2015
protocol() - Don't warn when not running as a CGI script
Added more explicit catching of XSS and SQL injection attempts
0.54 Wed Jun 3 13:10:59 EDT 2015
Fix --tablet option
protocol() - Warn if the calling protocol can't be determined
Fix protocol() on OpenBSD, Solaris and NetBSD
Ensure that the temporary directory is writeable, otherwise tests will
fail
0.53 Sat May 30 16:00:49 EDT 2015
Remove implicit assumption of the build directory
0.52 Sat May 30 08:13:28 EDT 2015
Fix problem where mobile Chrome claimed it's a robot when data
compression is enabled
Ensure + is handled in parameters when encoded as %2B
cgi_host_url could sometimes give http:// instead of https://
Set minimum version as 5.6.1 since we use the 3 argument open()
When running outside CGI, allow one of --tablet, --search-engine,
--mobile and --robot to mimick those agents.
is_mobile: include code from detectmobilebrowsers.com
0.51 Fri Jan 2 20:34:46 EST 2015
Fix breakage on older Perls
0.50 Fri Jan 2 10:37:56 EST 2015
Put is_mobile in the cache
Added 'search' to the list of return values from browser_type()
Added t/used.t
Don't load cleaning modules when no arguments are given
Don't use String::EscapeCage - RT99598, String::Clean::XSS should
suffice
0.49 Fri Nov 7 17:16:25 EST 2014
Ensure different agents from the same IP don't clash in the cache
Restore alloing new() arguments to be a reference
0.48 Sun Oct 19 20:35:56 EDT 2014
Incorporated patch-1 from https://github.com/szabgab/CGI-Info
Consider Majestic12 to be a search engine
Only load File::Basename when needed
Use String::EscapeCage to taint and grab values
Added param message
0.47 Sun Aug 24 14:56:10 EDT 2014
Support hostnames with dots at the end, e.g. when the URL used to
access a site is http://www.example.com., domain_name() will
return example.com, not example.com..
params() - return nothing when the call is OPTIONS
Added more hardening to file uploads
Added optional cache argument to new() to speed up look-ups
Test that tmpdir works at the class level
0.46 Mon 11 Nov 08:46:26 EST 2013
Corrected some documentation issues on params()
Corrected handling of many cookies
Ensure script_path(), script_name() and tmpdir() are untainted.
0.45 Fri 31 May 16:22:08 EDT 2013
_multipart_data(): Handle missing filename when uploading
Added _syslog and _logger to new()
Added warning if domain information can't be found
Don't load HTTP::BrowserDetect more than once (assume
HTTP_USER_AGENT doesn't change)
Use Test::Most instead of Test::More
Improve XSS prevention by using String::Clean::XSS
Added the allow option. It will replace the expected option
0.44 Wed Apr 10 09:53:31 EDT 2013
Fix t/params.t when the root directory is writable (e.g.
running as root or on Windows)
params(): When running outside a CGI environment (i.e. in
development), avoid prompting for the arguments more
than once if just 'quit' is entered
_find_paths(): use File::Basename, it's more portable
0.43 Sat Feb 16 12:18:50 EST 2013
Warn if reading POST arguments fail
Replaced t/unused.t with t/vars.t
Added extra check to t/script.t to check it returns an
existing file
Used 'PERL5OPT=-MDevel::Cover make test; cover' to add extra
tests
is_mobile(): return true for clients running on Androd
0.42 Sat Oct 13 17:22:38 EDT 2012
Croak rather than carp if upload_dir isn't set
t/params.t no longer runs in tainted mode for File::Spec::Win32
Added t/changes.t, though that doesn't support date(1) output
Added browser_type()
0.41 Thu Sep 13 13:38:43 BST 2012
get_cookie(): added validation, fix unitialized variable if the
requested cookie isn't in the jar
0.40 Mon Sep 10 08:21:31 BST 2012
Fixed t/rootdir.t on Windows
0.39 Wed Sep 5 10:17:55 BST 2012
Added get_cookie()
0.38 Tue Sep 4 11:25:22 BST 2012
t/rootdir.t - don't check htdocs exists
0.37 Mon Sep 3 16:18:59 BST 2012
Added rootdir
0.36 Sun Sep 2 20:13:42 BST 2012
Change _find_paths to use rel2abs()
0.35 Mon Aug 27 21:48:00 BST 2012
Added t/unused.t
Ensure that if the class is instantiated more than once, that POST
still works even though STDIN has already been read
documented and verified that protocol() can be used as a class method
as well as an object method
0.34 Sun Aug 19 22:17:02 BST 2012
params(): when using POST, if CONTENT_LENGTH is defined, return undef
XML now sets XML not xml in params()
Test::Kwalitee isn't needed for build, only for optional testing
Added is_tablet()
0.33 Tue Jul 31 09:38:43 BST 2012
Handle XML requests
Added t/dist.t
0.32 Thu Jul 19 15:38:22 BST 2012
Removed some duplicate tests
Fixed t/script.t on Windows
0.31 Wed Jul 18 15:57:04 BST 2012
Fixed script_name and script_path when not running as a CGI script
Added some tests
0.30 Fri Jul 13 09:35:07 BST 2012
Fixed handling of POST content-type application/x-www-form-urlencoded
Fixed t/params.t on Windows
Removed unused variables
0.29 Fri Jun 15 11:01:18 EDT 2012
Fixed t/carp.t on systems without Test::Carp
0.28 Tue Jun 12 15:30:00 EDT 2012
Fixed boundary detection
0.27 Mon Jun 11 23:28:16 EDT 2012
Debugged _multipart_data. Still some TODOs to be done
0.26 Mon Jun 11 14:49:24 EDT 2012
Bump minimum version of HTTP::Browserdetect to 1.42
Rewrote _multipart_data
0.25 Sun Jun 10 22:15:59 EDT 2012
Allow params to take a reference to a hash as an argument
0.24 Sun Jun 10 10:29:26 EDT 2012
Added first draft of handling of multipart form data
Ignore invalid key=arg parameters in params()
0.23 Tue May 15 14:58:01 EDT 2012
Added is_search_engine()
0.22 Thu May 3 09:32:37 BST 2012
Fix tmpdir() in Cygwin, where giving a default value of '/non-existant' would
return '/non-existant/../tmp' rather than '/non-existant'. I
guess it would also have broken under the Newcastle Connection.
0.21 Wed May 2 13:21:40 BST 2012
Clean up a couple of regular expressions
Small speed improvement
0.20 Thu Mar 15 13:58:25 EDT 2012
Fixed script_dir() on Windows
0.19 Mon Mar 12 10:50:12 EDT 2012
Only do kwalitee test in author environment because it throws too
many false positives
Added script_dir()
0.18 Fri Jan 27 09:28:44 GMT 2012
Fix t/tmpdir.t on Cygwin
0.17
params: remove leading spaces and some attempts to put in hacking values
Added missing prerequisites to Makefile.PL
0.16 Mon Oct 3 10:18:11 EDT 2011
Added expected argument to new and params
0.15 Sun Sep 4 09:11:11 EDT 2011
Added plukkie to the list of robots
Added Test::NoWarnings tests
Stopped running some Windows tests. I need to think about paths
on Windows
is_mobile/is_robot now falls back to HTTP::BrowserDetect if it's present
0.14 Thu Aug 25 11:51:49 EDT 2011
Added is_robot
Only attempt to read POSTed data when there is some to read
Better path handling on Windows
Added t/critit.t and t/snippets.t
Documented and tested compatibility with CGI::Untaint
0.13 Thu Aug 11 13:30:38 EDT 2011
Added tmpdir function
0.12
Remove \r from parameters
0.11 Fri Jul 29 17:59:08 EDT 2011
as_string() now returns the empty string instead of undef if there
were no arguments
0.10 Fri Jul 22 09:48:58 EDT 2011
Added protocol method
cgi_host_url now prepends https:// for secure connections
Fixed Test::Portability::Files' test - now ignores MS-DOS breakages
that aren't the fault of CGI::Info
0.09 Sat Jul 16 10:36:27 EDT 2011
Added as_string() method
Removed space after the comma in comma seperated lists if an argument
is given more than once
0.08 Thu Jul 14 12:30:11 EDT 2011
Check the value of GATEWAY_INTERFACE as well to see if we're running
under CGI
Corrected the HTML in the documentation
Added many tests
Fixed incompatibility with cgi_buffer, http://www.mnot.net/cgi_buffer/
0.07 Thu Mar 24 10:40:17 EDT 2011
Ensure that Test:More >= 0.82 for new_ok
Added is_mobile()
Better example use of params
0.06 Sat Jan 1 10:46:09 GMT 2011
Better error handling
0.05 Sun Dec 26 11:16:08 GMT 2010
_domain_name wasn't being filled in
0.04 Thu Dec 23 09:55:32 GMT 2010
More improved handling of script_path in test environments
0.03 Wed Dec 22 21:48:43 GMT 2010
Better error handling in _domain_name
script_path works better in test environments
0.02 Mon Dec 20 10:26:24 GMT 2010
script_name now does something useful when not running in a CGI
environment
0.01 Sun Dec 12 22:24:09 EST 2010
First draft