1 Version 3.63 Nov 12, 2012
4 - CR escaping for Set-Cookie and P3P headers was improved. There was potential
5 for newline injection in these headers.
6 (Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23)
8 Version 3.62, Nov 9th, 2012
11 - Changed how the deprecated endform function was defined for compatibilty
12 with the development version of Perl.
13 - Fix failures in t/tmpdir.t when run as root
14 https://github.com/markstos/CGI.pm/issues/22, RT#80659)
16 - Made it possible to force a sorted order for things like hash
17 attributes so that tests are not dependent on a particular hash
18 ordering. This will be required in modern perls which will
19 change the ordering per process. (Yves, RT#80659)
21 Version 3.61 Nov 2nd, 2012
26 - formatting of CGI::Carp documentation was improved. Thanks to benkasminbullock.
27 - un-TODO some tests in t/tmpdir.t that were passing in most cases.
29 https://github.com/markstos/CGI.pm/issues/19#
30 https://github.com/markstos/CGI.pm/commit/cc73dc9807b0fabb56b3cdf1a9726588b2eda0f7
32 Version 3.60 Aug 15th, 2012
35 - In some caes, When unescapeHTML() hit something it didn't recognize with an ampersand and
36 and semicolon, it would throw away the semicolon and ampersand. It now does a better job.
37 of preserving content it doesn't recognize. Thanks to CEBJYRE@cpan.org (RT#75595)
38 - Remove trailing newline after <form> tag inserted by startform and start_form. It can
39 cause rendering problems in some cases. Thanks to SJOHNSTON@cpan.org (RT#67719)
40 - Workaround "Insecure Dependency" warning generated by some versions of Perl (RT#53733).
41 Thanks to degatcpan@ntlworld.com, klchu@lbl.gov and Anonymous Monk
44 - Clarify that when -status is used, the human-readable phase should be included, per RFC 2616.
45 Thanks to SREZIC@cpan.org (RT#76691).
48 - More tests for header(), thanks to Ryo Anazawa.
49 - t/url.t has been fixed on VMS. Thanks to cberry@cpan.org (RT#72380)
50 - MANIFEST patched so that t/multipart_init.t is included again. Thanks to shay@cpan.org (RT#76189)
52 Version 3.59 Dec 29th, 2011
55 - We no longer read from STDIN when the Content-Length is not set, preventing
56 requests with no Content-Length from freezing in some cases. This is consistent
57 with the CGI RFC 3875, and is also consistent with CGI::Simple. However, the old
58 behavior may have been expected by some command-line uses of CGI.pm.
59 Thanks to Philip Potter and Yanick Champoux. See RT#52469 for details:
60 https://rt.cpan.org/Public/Bug/Display.html?id=52469
63 - remove tmpdirs more aggressively. Thanks to rjbs (RT#73288)
64 - use Text::ParseWords instead of ancient shellwords.pl. Thanks to AlexBio.
65 - remove use of define(@arr). Thanks to rjbs.
66 - spelling fixes. Thanks to Gregor Herrmann and Alessandro Ghedini.
67 - fix test count and warning in t/fast.t. Thanks to Yanick.
69 Version 3.58 Nov 11th, 2011
72 - Clarify that using query_string() only has defined behavior when using the GET method. (RT#60813)
74 Version 3.57 Nov 9th, 2011
76 - test failure in t/fast.t introduced in 3.56 is fixed. (Thanks to zefram and chansen).
77 - Test::More requirement has been bumped to 0.98
79 Version 3.56 Nov 8th, 2011
82 Use public and documented FCGI.pm API in CGI::Fast
83 CGI::Fast was using an FCGI API that was deprecated and removed from
84 documentation more than ten years ago. Usage of this deprecated API with
85 FCGI >= 0.70 or FCGI <= 0.73 introduces a security issue.
86 <https://rt.cpan.org/Public/Bug/Display.html?id=68380>
87 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2766>
91 - tmp files are now cleaned up on VMS ( RT#69210, thanks to cberry@cpan.org )
92 - Fixed test failure: done_testing() added to url.t (Thanks to Ryan Jendoubi)
93 - Clarify preferred bug submission location in docs, and note that Mark Stosberg
94 is the current maintainer.
96 Version 3.55 June 3rd, 2011
98 [THINGS THAT MAY BREAK YOUR CODE]
99 url() was fixed to return "PATH_INFO" when it is explicitly requested
100 with either the path=>1 or path_info=>1 flag.
102 If your code is running under mod_rewrite (or compatible) and you are calling self_url() or
103 you are calling url() and passing path_info=>1, These methods will actually be
104 returning PATH_INFO now, as you have explicitly requested, or has self_url()
105 has requested on your behalf.
107 The PATH_INFO has been omitted in such URLs since the issue was introduced
108 in the 3.12 release in December, 2005.
110 This bug is so old your application may have come to depend on it or
111 workaround it. Check for application before upgrading to this release.
113 Examples of affected method calls:
115 $q->url(-absolute => 1, -query => 1, -path_info => 1 )
117 $q->url(-full=>1,-path=>1)
118 $q->url(-rewrite=>1,-path=>1)
121 Version 3.54, Apr 28, 2011
125 - Address test failures in t/tmpdir.t, thanks to Niko Tyni.
126 Some tests here are failing on some platforms and have been marked as TODO.
128 Version 3.53, Apr 25, 2011
131 - The DELETE HTTP verb is now supported.
132 (RT#52614, James Robson, Eduardo Ari�o de la Rubia)
135 - Correct t/tmpdir.t MANIFEST entry. (RT#64949)
136 - Update minimum required Perl version to be Perl 5.8.1, which
137 has been out since 2003. This allows us to drop some hacks
138 and exceptions (Mark Stosberg)
140 Version 3.52, Jan 24, 2011
143 - The documentation for multi-line header handling was been updated to reflect
144 the changes in 3.51. (Mark Stosberg, ntyni@iki.fi)
147 - Add missing t/tmpfile.t file. (RT#64949)
148 - Fix warning in t/cookie.t (RT#64570, Chris Williams, Rainer Tammer, Mark Stosberg)
149 - Fixed logic bug in t/multipart_init.t (RT#64261, Niko Tyni)
151 Version 3.51, Jan 5, 2011
154 - A new option to set $CGI::Carp::TO_BROWSER = 0, allows you to explicitly
155 exclude a particular scope from triggering printing to the browser when
156 fatatlsToBrowser is set. (RT#62783, Thanks to papowell)
157 - The <script> tag now supports the "charset" attribute.
158 (RT#62907, Thanks to Fabrice Metge)
159 - In CGI::Cookie, "Max-Age" is now supported for better spec compliance.
163 - Setting charset() now works for all content types, not just "text/*".
164 (RT#57945, Thanks to Yanick and Gerv.)
165 - support for user temporary directories ($HOME/tmp) was commented out
166 in 2.61 but the documentation wasn't updated (Peter Gervai, Niko Tyni)
167 - setting $CGITempFile::TMPDIRECTORY before loading CGI.pm has been
168 working but undocumented since 3.12 (which listed it in Changes as
169 $CGI::TMPDIRECTORY) (Peter Gervai, Niko Tyni)
170 - unfortunately the previous change broke the runtime check for looking
171 for a new temporary directory if the current one suddenly became
172 unwritable (Peter Gervai, Niko Tyni)
173 - A bug was fixed in CGI::Carp triggered by certain death cases in
174 the BEGIN phase of parent classes.
175 (RT#57224, Thanks to UNERA, Yanick Champoux, Mark Stosberg)
176 - CGI::Cookie->new() now follows the documentation and returns undef
177 if the -name and -value args aren't provided. This new behavior is also
178 consistent with the docs and code of CGI::Simple::Cookie. (Mark Stosberg)
179 - CGI::Cookie->parse() now trims leading and trailing whitespace from cookie
180 elements as intended. The change also makes this part of the parsing
181 identical to CGI::Simple::Cookie (Mark Stosberg)
182 - Temp file handling was improved (RT#62762)
185 - Further improvements have been made to guard against newline injections
186 in headers. (Thanks to Max Kanat-Alexander, Yanick Champoux, Mark Stosberg)
189 - Make EBCDIC a compile-time constant so there's zero overhead (and less
190 compiled code) in subroutines that test for it. (Tim Bunce)
191 - If you just want to use CGI::Cookie, CGI.pm will no longer be loaded
192 unless you call the bake() method, which requires it. (Mark Stosberg)
195 - quit referring to the <link> tag as being "rarely used". (Victor Sanders)
196 - typo and whitespace fixes (RT#62785, thanks to scop@cpan.org)
197 - The -dtd argument to start_html() is now documented
198 (RT#60473, Thanks to giecrilj and steve@fisharerojo.org)
199 - CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0.
200 - when creating a temporary file in the directory fails, the error message
201 could indicate the root of the problem better (Peter Gervai, Niko Tyni)
204 - Re-fixing https test in http.t. (RT#54768, thanks to SPROUT)
205 - param_fetch no longer triggers a warning when called with no arguments (ysth, Mark Stosberg)
207 Version 3.50, Nov 8, 2010
210 1. The MIME boundary in multipart_init is now random.
211 Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg
212 2. Further improvements to handling of newlines embedded in header values.
213 An exception is thrown if header values contain invalid newlines.
214 Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
215 Lincoln Stein, Fr�d�ric Buclin and Mark Stosberg
218 1. Correcting/clarifying documentation for param_fetch(). Thanks to
219 Ren�e B�cker. (RT#59132)
222 1. Fixing https test in http.t. (RT#54768)
223 2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
225 Version 3.49, Feb 5th, 2010
228 1. Fix a regression since 3.44 involving a case when the header includes "Content-Length: 0".
229 Thanks to Alex Vandiver (RT#51109)
230 2. Suppress uninitialized warnings under -w. Thanks to burak. (RT#50301)
231 3. url() now uses virtual_port() instead of server_port(). Thanks to MKANAT and Yanick Champoux. (RT#51562)
232 4. CGI::Carp now properly handles stringifiable objects, like Exception::Class throws (RT#39904)
235 1. embedded newlines are now filtered out of header values in header().
236 Thanks to Mark Stosberg and Yanick Champoux.
239 1. README was updated to reflect that CGI.pm was moved under ./lib.
240 Thanks to Alex Vandiver.
243 1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485)
244 2. Attempt to avoid test failures with t/fast, thanks to Steve Hay. (RT#49599)
246 Version 3.48, Sep 25, 2009
249 1. <optgroup> default values are now properly escaped.
250 Thanks to #raleigh.pm and Mark Stosberg. (RT#49606)
251 2. The change to exception handling in CGI::Carp introduced in 3.47 has been
252 reverted for now. It caused regressions reported in RT#49630.
253 Thanks to mkanat for the report.
256 1. Documentation for upload() has been overhauled, thanks to Mark Stosberg.
257 2. Documentation for tmpFileName has been added. Thanks to Mark Stosberg and Nathaniel K. Smith.
258 3. URLS were updated, thanks to Leon Brocard and Yanick Champoux. (RT#49770)
261 1. More tests were added for autoescape, thanks to Bob Kuo. (RT#25485)
263 Version 3.47, Sep 9, 2009
268 Re-release of 3.46, which did not contain a proper MANIFEST
273 1. In CGI::Pretty, we no longer add line breaks after tags we claim not to format. Thanks to rrt, Bob Kuo and
274 and Mark Stosberg. (RT#42114).
275 2. unescapeHTML() no longer falsely recognizes certain text as entities. Thanks to Pete Gamanche, Mark Stosberg
276 and Bob Kuo. (RT#39122)
277 3. checkbox_group() now correctly includes a space before the "checked" attribute.
278 Thanks to Andrew Speer and Bob Kuo. (RT#36583)
279 4. Fix case-sensitivity in http() and https() according to docs. Make https()
280 return list of keys in list context. Thanks to riQyRoe and Rhesa Rozendaal. (RT#12909)
281 5. XHTML is now automatically disabled for HTML 4, as well as HTML 2 and HTML 3. Thanks to
282 Dan Harkless and Yanick Champoux. (RT#27907)
283 6. Pre-compiling 'end_form' with ':form' switch now works. Thanks to ryochin and Yanick Champoux. (RT#41530)
284 7. Empty name/values pairs are now properly saved and restored from filehandles. Thanks to rlucas and
285 Rhesa Rozendaal (RT#13158)
286 8. Some differences between startform() and start_form() have been fixed. Thanks to Slaven Rezic and
287 Shawn Corey. (RT#22046)
288 9. url_param() has been updated to be more consistent with the documentation and param().
289 Thanks to Britton Kerin and Yanick Campoux. (RT#43587)
290 10.hidden() now correctly supports multiple default values.
291 Thanks to david@dierauer.net and Russell Jenkins. (RT#20436)
292 11.Calling CGI->new() no longer clobbers the value of $_ in the current scope.
293 Thanks to Alexey Tourbin, Bob Kuo and Mark Stosberg. (RT#25131)
294 12.UTF-8 params should not get double-decoded now.
295 Thanks to Yves, Bodo, Burak G�rsoy, and Michael Schout. (RT#19913)
296 13.We now give objects passed to CGI::Carp::die a chance to be stringified.
297 Thanks to teek and Yanick Champoux (RT#41530)
298 14.Turning off autoEscape() now only affects the behavior of built-in HTML
299 generation fuctions. Explicit calls to escapeHTML() always escape HTML regardless
300 of the setting. Thanks to vindex, Bob Kuo and Mark Stosberg (RT#40748)
301 15.In CGI::Fast, preferences set via pragmas are now preserved.
302 Thanks to heinst and Mark Stosberg (RT#32119)
305 1. remote_addr() is now documented. Thanks to Yanick Champoux. (RT#38884)
306 2. In CGI::Pretty in the list of tags left unformatted was updated to match the code. Thanks to Mark Stosberg. (RT#42114)
307 3. In CGI::Pretty, performance concerns are now documented. Thanks to Jochen, Rhesa Rozendaal and Mark Stosberg (RT#13223)
308 4. A number of outdated Netscape references have been removed. Thanks to Mark Stosberg.
309 5. The documentation has been purged of examples of using indirect object notation. Thanks to Mark Stosberg.
310 6. Some POD formatting was fixed. Thanks to Dave Mitchell (RT#48935).
311 7. Docs and examples were updated to highlight start_form instead of startform.
312 Thanks to Slaven Rezic.
313 8. Note that CGI::Carp::carpout() doesn't work with in-memory filehandles.
314 Thanks to rhubbell and Mark Stosberg.
315 9. The documentation for the -newstyle_urls is now less confusing.
316 Thanks to Ryan Tate and Mark Stosberg (RT#49454)
319 1. Quit bundling an ancient copy of Test::More and and using a custom 'lib' path for the tests. Instead, Test::More
320 is now a dependency. Thanks to Ansgar and Mark Stosberg (RT#48811)
321 2. Automated tests for hidden() have been added, thanks to Russel Jenkins and Mark Stosberg (RT#20436)
322 3. t/util.t has been updated to use Test::More instead of a home-grown test function. Thanks to Bob Kuo.
324 Version 3.45, Aug 14, 2009
327 1. Prevent warnings about "uninitialized values" for REQUEST_URI, HTTP_USER_AGENT and other environment variables.
328 Patches by Callum Gibson, heiko and Mark Stosberg. (RT#24684, RT#29065)
329 2. Avoid death in some cases when running under Taint mode on Windows.
330 Patch by Peter Hancock (RT#43796)
331 3. Allow 0 to be used as a default value in popup_menu(). This was broken starting in 3.37.
332 Thanks to Haze, who was the first to report this and supply a patch, and pfschill, who pinpointed
333 when the bug was introduced. A regression test for this was also added. (RT#37908)
334 4. Allow "+" as a valid character in file names, which fixes temp file creation on OS X Leopard.
335 Thanks to Andy Armstrong, and alech for patches. (RT#30504)
336 5. Set binmode() on the Netware platform, thanks to Guenter Knauf (RT#27455)
337 6. Don't allow a CGI::Carp error handler to die recursively. Print a warning and exit instead.
338 Thanks to Marc Chantreux. (RT#45956)
339 7. The Dump() method now is fixed to escape HTML properly. Thanks to Mark Stosberg (RT#21341)
340 8. Support for <optgroup> with scrolling_list() now works the same way as it does for popup_menu().
341 Thanks to Stuart Johnston (RT#30097)
342 9. CGI::Pretty now works properly when $" is set to ''. Thanks to Jim Keenan (RT#12401)
343 10. Fix crash when used in combination with PerlEx::DBI. Thanks to Burak G�rsoy (RT#19902)
346 1. Several typos were fixed, Thanks to ambs. (RT#41105)
347 2. A typo related to the nosticky pragma was fixed, thanks to Britton Kerin. (RT#43220)
348 3. examples/nph-clock.cgi is now more portable, by calling localtime() rather than `/bin/date`,
349 thanks to Guenter Knauf. (RT#27456).
350 4. In CGI::Carp, the SEE ALSO section was cleaned up, thanks to Slaven Rezic. (RT#32769)
351 5. The docs for redirect() were updated to reflect that most headers are
352 ignored during redirection. Thanks to Mark Stosberg (RT#44911)
355 1. New t/unescapeHTML.t test script has been added. It includes a TODO test for a pre-existing
356 bug which could use a patch. Thanks to Pete Gamache and Mark Stosberg (RT#39122)
357 2. New test scripts have been added for user_agent(), popup_menu() and query_string(), scrolling_list() and Dump()
358 Thanks to Mark Stosberg and Stuart Johnston. (RT#37908, RT#43006, RT#21341, RT#30097)
359 3. CGI::Carp and CGI::Util have been updated to have non-developer version numbers.
360 Thanks to Slaven Rezic. (RT#48425)
361 4. CGI::Switch and CGI::Apache now properly set their VERSION in their own name space.
362 Thanks to Alexey Tourbin (RT#11941,RT#11942)
364 Version 3.44, Jul 30, 2009
366 1. Patch from Kurt Jaeger to allow HTTP PUT even if the content length is unknown.
367 2. Patch from Pavel merdin to fix a problem for one of the FireFox addons.
368 3. Fixed issue in mod_perl & fastCGI environment of cookies returned from
369 CGI->cookie() leaking from one session to another.
371 Version 3.43, Apr 06, 2009
373 1. Documentation patch from MARKSTOS@cpan.org to replace all occurrences of
374 "new CGI" with CGI->new()" to reflect best perl practices.
375 2. Patch from Stepan Kasal to fix utf-8 related problems in perl 5.10
377 Version 3.42, Sep 08, 2008
379 1. Added patch from Renee Baecker that makes it possible to subclass
381 2. Added patch from Nicholas Clark to allow ~ characters in temporary directories.
382 3. Added patch from Renee Baecker that fixes the inappropriate escaping of fields
383 in multipart headers.
385 Version 3.41, Aug 25, 2008
387 1. Fix url() returning incorrect path when query string contains escaped newline.
388 2. Added additional windows temporary directories and environment variables, courtesy patch from Renee Baecker
389 3. Added a handle() method to the lightweight upload
390 filehandles. This method returns a real IO::Handle object.
391 4. Added patch from Tony Vanlingen to fix deep recursion warnings in CGI::Pretty.
393 Version 3.40, Aug 06, 2008
395 1. Fixed CGI::Fast docs to eliminate references to a "special"
397 2. Makefile.PL now depends on FCGI so that CGI::Fast installs properly.
398 3. Fix script_name() call from Stephane Chazelas.
400 Version 3.39, Jun 29, 2008
402 1. Fixed regression in "exists" function when using tied interface to CGI via $q->Vars.
404 Version 3.38, Jun 25, 2008
406 1. Fix annoying warning in http://rt.cpan.org/Ticket/Display.html?id=34551
407 2. Added nobr() function http://rt.cpan.org/Ticket/Display.html?id=35377
408 3. popup_menu() allows multiple items to be selected by default, satisfying
409 http://rt.cpan.org/Ticket/Display.html?id=35376
410 4. Patch from Renee Backer to avoid doubled <http-equiv> headers.
411 5. Fixed documentation bug that describes what happens when a
412 parameter is empty (e.g. "?test1=").
413 6. Fixed minor warning described at http://rt.cpan.org/Public/Bug/Display.html?id=36435
414 7. Fixed overlap of attribute and parameter space described in http://rt.perl.org/rt3//Ticket/Display.html?id=24294
416 Version 3.37, Apr 22, 2008
418 1. Fix pragmas so that they persist over modperl invocations (e.g. RT 34761)
419 2. Fixed handling of chunked multipart uploads; thanks to Michael Bernhardt
420 who reported and fixed the problem.
424 1. Fix CGI::Cookie to support cookies that are separated by "," instead of ";".
426 Version 3.35, Mar 27, 2008
428 1. Resync with bleadperl, primarily fixing a bug in parsing semicolons in uploaded filenames.
430 Version 3.34, Mar 18, 2008
432 1. Handle Unicode %uXXXX escapes properly -- patch from DANKOGAI@cpan.org
433 2. Fix url() method to not choke on path names that contain regex characters.
435 Version 3.33, Jan 02, 2008
437 1. Remove uninit variable warning when calling url(-relative=>1)
438 2. Fix uninit variable warnings for two lc calls
439 3. Fixed failure of tempfile upload due to sprintf() taint failure in perl 5.10
441 Version 3.32, Dec 27, 2007
443 1. Patch from Miguel Santinho to prevent sending premature headers under mod_perl 2.0
445 Version 3.31, Nov 30, 2007
447 1. Patch from Xavier Robin so that CGI::Carp issues a 500 Status code rather than a 200 status code.
448 2. Patch from Alexander Klink to select correct temporary directory in OSX Leopard so that upload works.
449 3. Possibly fixed "wrapped pack" error on 5.10 and higher.
453 1. Patch from Mike Barry to handle POSTDATA in the same way as PUT.
454 2. Patch from Rafael Garcia-Suarez to correctly reencode unicode values as byte values.
456 Version 3.29, Apr 16, 2007
458 1. The position of file handles is now reset to zero when CGI->new is called.
460 2. uploadInfo() now works across multiple object instances. Also, the first
461 tests for uploadInfo() were added as part of the fix. (CPAN bug 11895, with
462 contributions from drfrench and Mark Stosberg).
464 Version 3.28, Mar 29, 2007
466 1. Applied patch from Allen Day that makes Cookie parsing RFC2109 compliant
467 (attribute/values can be separated by commas as well as semicolons).
468 2. Applied patch from Stephan Struckmann that allows script_name() to be set correctly.
469 3. Fixed problem with url(-full) in which port number appears twice.
471 Version 3.27, Feb 27, 2007
473 1. Applied patch from Steve Taylor that allows checkbox_groups to be
474 disabled with a new -disabled=> option.
478 1. Fixed alternate stylesheet behavior so that it is insensitive to order of declarations.
479 2. Patch from John Binns to allow users to provide a callback to CGI::Carp.
480 3. Added "~" as an unreserved character in escape().
481 4. Patch from Chris Fedde to prevent HTTP_HOST from inhibiting SERVER_PORT in url() generation.
482 5. Fixed outdated documentation (and behavior) of -language in start_html -script option.
483 6. Fixed bug in seconds calculation in CGI::Util::expire_calc.
485 Version 3.25, Sep 28, 2006
487 1. Fixed the link to the Netscape frames page.
488 2. Added ability to specify an alternate stylesheet.
489 3. Add support for XForms POST submssion both as application/xml or as multipart/related
493 1. In startform(), if request_uri() returns undef, then falls back
494 to self_url(). This should rarely happen except when run outside of
496 2. image button alignment options were mistakenly being capitalized, causing xhtml validation to fail.
498 Version 3.23, Aug 23, 2006
500 1. Typo in upload() persisted, now fixed for real. Thanks to
501 Emanuele Zeppieri for correct patch and regression test.
503 Version 3.22, Aug 23, 2006
505 1. Typo in upload() function broke uploads. Now fixed (CPAN bug 21126).
507 Version 3.21, Aug 21, 2006
509 1. Don't try to read data at all when POST > $POST_MAX.
510 2. Fixed bug that caused $cgi->param('name',undef,'value') to unset param('name') entirely.
511 3. Fixed bug in which upload() sometimes returns empty. (CPAN bug #12694).
512 4. Incorporated patch from BURAK@cpan.org to support HTTPcookies (CPAN bug 21019).
516 1. Patch from David Wheeler for CGI::Cookie->bake(). Uses mod_perl headers_out->add()
517 rather than headers_out->set().
518 2. Fixed problem identified by Andrei Voronkov in which start_form() output was screwed
519 up when initial argument begins with a dash and subsequent arguments do not.
520 3. Quashed uninitialized variable warnings coming from script_name(), url() and other
521 functions that require access to the PATH_INFO environment variable.
525 1. Added patch from Stephen Frost that allows one to suppress use of the temp file that is
526 created during uploads.
527 2. Fixed problem noted by Martin Foster in which regular expression meta-character terms
528 in the path information were not quoted, causing URL parsing
529 to fail on URLs that contained metacharacters (such as +).
530 3. More fixes to the url() method.
531 4. Removed "hack to fix broken PATH_INFO in MSII".
536 2. Patch from Steve Peters to default the document type to match the charset.
537 3. Fixed param() so that param(-name=>'foo',-values=>[]) sets the parameter to empty list.
539 Version 3.17, Feb 24, 2006
541 1. Added patch from Mike Hanafey which caused 0 arguments to CGI::Cookie->new() to
543 2. Patch to CGI::Carp from Peter Whaite to fix the unfixable problem of CGI::Carp
544 not behaving correctly in an eval() context.
545 3. CGI::Fast->new() calls CGI->_reset_globals to avoid contamination of one session
546 with another's variables.
547 4. Fixed upload failure on files that contain semicolons in their names.
549 Version 3.16, Feb 8, 2006
551 1. header() -charset option now works even when the MIME type is not "text".
552 2. Fixed documentation for cookie() function and fastCGI.
553 3. Upload filehandles now only closed automatically on Windows systems.
554 4. Apache::Cookie compatibility fix from David Wheeler
555 5. CGI::Carp->fatalsToBrowser() does not work correctly with
556 mod_perl 2. No workaround is known.
557 6. Fixed text status code associated with 302 redirects. Should be "Found"
559 7. Fixed charset in start_html() and header() to be in synch.
561 Version 3.15, Dec 7, 2005
563 1. Remove extraneous "?" from self_url() when URI contains a ? but no query string.
565 Version 3.14, Dec 6, 2005
567 1. Fixed broken scrolling_list() select attribute.
569 Version 3.13, Dec 4, 2005
571 1. Removed extraneous empty "?" from end of self_url().
573 Version 3.12, Dec 4, 2005
575 1. Fixed virtual_port so that it works properly with https protocol.
576 2. Fixed documentation for upload_hook().
577 3. Added POSTDATA documentation.
578 4. Made upload_hook() work in function-oriented mode.
579 5. Fixed POST_MAX behavior so that it doesn't cause client to hang.
580 6. Disabled automatic tab indexes and added new -tabindex pragma to
581 turn automatic indexes back on.
582 7. The url() and self_url() methods now work better in the context of Apache
583 mod_rewrite. Be advised that path_info() may give you confusing results
584 when mod_rewrite is active because Apache calculates the path info *after*
585 rewriting. This is mostly worked around in url() and self_url(), but you
586 may notice some anomalies.
587 8. Removed empty (and non-validating) <div> from code emitted by end_form().
588 9. Fixed CGI::Carp to work correctly with Mod_perl 1.29 in an Apache 2 environment.
589 10. Setting $CGI::TMPDIRECTORY should now be effective.
591 Version 3.11, Aug 3, 2005
593 1. Killed warning in CGI::Cookie about MOD_PERL_API_VERSION
594 2. Fixed append() so that it works in function mode.
595 3. Workaround for a bug that appears in Apache2 versions through 2.0.54
596 in which SCRIPT_NAME and PATH_INFO are incorrect if the additional path_info
597 contains a double slash. This workaround will handle the common case of
598 http://mysite.com/cgi-bin/log.cgi/http://www.some.other.site/args, but will
599 not handle the uncommon case of a ScriptAlias directive that adds additional
600 path information to the end of the translated URI.
602 Version 3.10, May 13, 2005
604 1. Added Apache2::RequestIO, which is necessary for mp2 interoperability.
606 Version 3.09, May 5, 2005
608 1. Fixed tabindex="0" when using CGI to create forms without a prior start_html
609 2. Removed warning about non-numeric MOD_PERL_API_VERSION.
611 Version 3.08, Apr 20, 2005
613 1. update support for mod_perl 2.0. versions prior to
614 mod_perl 1.999_22 (2.0.0-RC5) are no longer supported.
616 Version 3.07, Mar 14, 2005
618 1. Fixed typo in mod_perl detection.
620 Version 3.06, Mar 09, 2005
622 1. Fixed bare call to script() in start_html
623 2. Moved Fh::DESTROY out of autoloaded functions so as to avoid
624 clobbering $@ when CGI functions are executed in an eval{}
626 3. mod_perl 2.0 version detection patch in CGI::Cookie provided by
628 4. autoEscape() flag is now respected when generating extra
630 5. Tests for *tag start/end generation from Shlomi Fish.
631 6. Support for can() method provided by Ron Savage.
632 7. Fix for lang='' when outputting XHTML.
633 8. Added support for chunked transfer encoding, as suggested by
635 9. Fixed clobbering of row and column headers in tableized radio
636 and checkbox groups, as reported by Nicolas Thierry-Mieg.
637 10. <Label> tags are now associated with form elements, as suggested
638 by accessibility guidelines.
639 11. The <?xml> directive produced by start_html is now turned off by
640 default and the charset is specified in a <meta> directive. Apparently
641 IE6 (and maybe some versions of Opera) were getting confused by this.
642 12. Support for tab indexes.
643 13. Retired the HTML docs. The POD docs are now primary documentation.
644 14. CGI::Carp now correctly detects and handles Apache::Dispatch.
645 15. CGI::Util::utf8_chr now correctly sets the UTF8 flag on 5.006 or
646 higher perls (fix courtesy Slaven Rezic).
649 Version 3.05, Apr 12, 2004
651 1. Fixed uninitialized variable warning on start_form() when running
653 2. Fixed CGI::_set_attributes so that attributes with a - are handled
655 3. Fixed CGI::Carp::die() so as to avoid problems from _longmess()
657 4. If HTTP_X_FORWARDED_HOST is defined (i.e. running under a proxy),
658 the various functions that return HOST will use that instead.
659 5. Fix for undefined utf8() call in CGI::Util.
660 6. Changed the call to warningsToBrowser() in
661 CGI::Carp::fatalsToBrowser to call only after HTTP header is sent
662 (thanks to Didier Lebrun for noticing).
663 7. Patches from Dan Harkless to make CGI.pm validatable against HTML
665 8. Fixed an extraneous "foo=bar" appearing when extra style
666 parameters passed to start_html;
667 9. Fixed cross-site scripting bug in startform() pointed out by Dan
669 10. Fixed documentation to discuss list context behavior of
670 form-element generators explicitly.
671 11. Fixed incorrect results from end_form() when called in OO manner.
672 12. Fixed query string stripping in order to handle URLs containing
674 13. During server push, set NPH to 0 rather than 1. This is supposed
675 to fix problems with Apache.
676 14. Fixed incorrect processing of multipart form fields that contain
677 embedded quotes. There's still the issue of how to handle ones
678 that contain embedded semicolons, but no one has complained (yet).
679 15. Fixed documentation bug in -style argument to start_html()
680 16. Added -status argument to redirect().
682 Version 3.04, Jan 18, 2004
684 1. Fixed the problem with mod_perl crashing when "defaults" button
687 Version 3.03, Jan 13, 2004
689 1. Fix upload hook functionality
690 2. Workaround for CGI->unescape_html()
691 3. Bumped version numbers in CGI::Fast and CGI::Util for 5.8.3-tobe
695 1. Bring in Apache::Response just in case.
696 2. File upload on EBCDIC systems now works.
698 Version 3.01, Dec 10, 2003
700 1. No fix yet for upload failures when running on EBCDIC server.
701 2. Fixed uninitialized glob warnings that appeared when file
702 uploading under perl 5.8.2.
703 3. Added patch from Schlomi Fish to allow debugging of PATH_INFO from
705 4. Added patch from Steve Hay to correctly unlink tmp files under
707 5. Added upload_hook functionality from Jamie LeTaul
708 6. Workarounds for mod_perl 2 IO issues. Check that file upload and
709 state saving still working.
710 7. Added code for underreads.
711 8. Fixed misleading description of redirect() and relative URLs in
713 9. Workaround for weird interaction of CGI::Carp with Safe module
714 reported by William McKee.
715 10. Added patches from Ilmari Karonen to improve behavior of
717 11. Fixed documentation error in -style argument.
718 12. Added virtual_port() method for finding out what port server is
719 listening on in a virtual-host aware fashion.
721 Version 3.00, Aug 18, 2003
723 1. Patch from Randal Schwartz to fix bug introduced by cross-site
724 scripting vulnerability "fix."
725 2. Patch from JFreeman to replace UTF-8 escape constant of 0xfe with
726 0xfc. Hope this is right!
730 1. Patch from Steve Hay to fix extra Content-type: appearing on
731 browser screen when FatalsToBrowser invoked.
732 2. Patch from Ewann Corvellec to fix cross-site scripting
734 3. Fixed tmpdir routine for file uploading to solve problem that
735 occurs under mod_perl when tmpdir is writable at startup time, but
740 1. Fixed crash in Dump() function.
744 1. Sigh. Uploaded wrong 2.96 to CPAN.
748 1. More bugfixes to the -style argument.
752 1. Fixed bugs in start_html(-style=>...) support introduced in 2.94.
756 1. Removed warning from reset() method.
759 and tags into the :html3 group. Hope this removes undefined CGI::Area
762 Changed CGI::Carp to play with mod_perl2 and to (hopefully) restore
763 reporting of compile-time errors.
765 Fixed potential deadlock between web server and CGI.pm when aborting
766 a read due to POST_MAX (reported by Antti Lankila).
768 Fixed issue with tag-generating function not incorporating content
769 when first variable undef.
771 Fixed cross-site scripting bug reported by obscure.
773 Fixed Dump() function to return correctly formed XHTML - bug
774 reported by Ralph Siemsen.
778 1. Fixed embarassing bug in mp1 support.
782 1. Fix to be P3P compliant submitted from MPREWITT.
783 2. Added CGI->r() API for mod_perl1/mod_perl2.
784 3. Fixed bug in redirect() that was corrupting cookies.
785 4. Minor fix to behavior of reset() button to make it consistent with
786 submit() button (first time this has been changed in 9 years).
787 5. Patch from Dan Kogai to handle UTF-8 correctly in 5.8 and higher.
788 6. Patch from Steve Hay to make CGI::Carp's error messages appear on
790 7. Added Yair Lenga's patch for non-urlencoded postings.
791 8. Added Stas Bekman's patches for mod_perl 2 compatibility.
792 9. Fixed uninitialized escape behavior submitted by William Campbell.
793 10. Fixed tied behavior so that you can pass arguments to tie()
794 11. Fixed incorrect generation of URLs when the path_info contains +
795 and other odd characters.
796 12. Fixed redirect(-cookies=>$cookie) problem.
797 13. Fixed tag generation bug that affects -javascript passed to
802 1. Attribute generation now correctly respects the value of
804 2. Fixed endofrm() syntax error introduced by Ben Edgington's patch.
808 1. Fixed bug in redirect header handling.
809 2. Added P3P option to header().
810 3. Patches from Alexey Mahotkin to make CGI::Carp work correctly with
811 object-oriented exceptions.
812 4. Removed inaccurate description of how to set multiple cookies from
813 CGI::Cookie pod file.
814 5. Patch from Kevin Mahony to prevent running out of filehandles when
815 uploading lots of files.
816 6. Documentation enhancement from Mark Fisher to note that the
817 import_names() method transforms the parameter names into valid
819 7. Patch from Dan Harkless to suppress lang attribute in <html> tag
820 if specified as a null string.
821 8. Patch from Ben Edgington to fix broken XHTML-transitional 1.0
822 validation on endform().
823 9. Custom html header fix from Steffen Beyer (first letter correctly
825 10. Added a -verbatim option to stylesheet generation from Michael
827 11. Faster delete() method from Neelam Gupta
828 12. Fixed broken Cygwin support.
829 13. Added empty charset support from Bradley Baetz
830 14. Patches from Doug Perham and Kevin Mahoney to fix file upload
831 failures when uploaded file is a multiple of 4096.
835 1. Fixed behavior of ACTION tag when POSTING to a URL that has a
837 2. Added Patch from Michael Rommel to handle multipart/mixed uploads
842 1. Fixed problem with uploads being refused under Perl 5.8 when under
844 2. Fixed uninitialized variable warnings under Perl 5.8.
845 3. Fixed CGI::Pretty regression test failures.
849 1. Security hole patched: when processing multipart/form-data
850 postings, most arguments were being untainted silently. Returned
851 arguments are now tainted correctly. This may cause some scripts
852 to fail that used to work (thanks to Nick Cleaton for pointing
853 this out and persisting until it was fixed).
854 2. Update for mod_perl 2.0.
855 3. Pragmas such as -no_xhtml are now respected in mod_perl
860 1. Fixes for broken CGI::Cookie expiration dates introduced in 2.84.
864 1. Fix for broken autoEscape function introduced in 2.84.
868 1. Fix for failed file uploads on Cygwin platforms.
869 2. HTML escaping code now replaced 0x8b and 0x9b with unicode
870 references < and *#8250;
874 1. Fixed autoEscape() documentation inconsistencies.
875 2. Patch from Ville Skytt� to fix a number of XHTML inconsistencies.
876 3. Added Max-Age to list of CGI::Cookie headers.
880 1. Patch from Rudolf Troller to add attribute setting and option
881 groups to form fields.
882 2. Patch from Simon Perreault for silent crashes when using CGI::Carp
884 3. Patch from Scott Gifford allows you to set the program name for
889 1. Removed extraneous slash from end of stylesheet tags generated by
890 start_html in non-XHTML mode.
891 2. Changed behavior of CGI::Carp with respect to eval{} contexts so
892 that output behaves properly in mod_perl environments.
893 3. Fixed default DTD so that it validates with W3C validator.
897 1. Fixed broken messages in CGI::Carp.
898 2. Changed checked="1" to checked="checked" for real XHTML
900 3. Resurrected REQUEST_URI code so that url() works correctly with
905 1. Changes to CGI::Carp to avoid "subroutine redefined" error
907 2. Default DTD is now XHTML 1.0 Transitional
908 3. Patches to support all HTML4 tags.
912 1. Added ability to change encoding in <?xml> assertion.
913 2. Fixed the old escapeHTML('CGI') ne "CGI" bug
914 3. In accordance with XHTML requirements, there are no longer any
915 minimized attributes, such as "checked".
916 4. Patched bug which caused file uploads of exactly 4096 bytes to be
917 truncated to 4094 (thanks to Kevin Mahony)
918 5. New tests and fixes to CGI::Pretty (thanks to Michael Schwern).
922 1. No new features, but released in order to fix an apparent CPAN
927 1. New esc.t regression test for EBCDIC translations courtesy Peter
929 2. Patches from James Jurach to make compatible with FCGI-ProcManager
930 3. Additional fields passed to header() (like -Content_disposition)
931 now honor initial capitalization.
932 4. Patch from Andrew McNaughton to handle utf-8 escapes (%uXXXX
937 1. Syntax error in the autoloaded Fh::new() subroutine.
938 2. Better error reporting in autoloaded functions.
942 1. Tiny tweak to filename regular expression function on line 3355.
946 1. Fixed bug in server push boundary strings (CGI.pm and CGI::Push).
947 2. Fixed bug that occurs when uploading files with funny characters
949 3. Fixed non-XHTML-compliant attributes produced by textfield()
950 4. Added EPOC support, courtesy Olaf Flebbe
951 5. Fixed minor XHTML bugs.
952 6. Made escape() and unescape() symmetric with respect to EBCDIC,
953 courtesy Roca, Ignasi <ignasi.roca@fujitsu.siemens.es>
954 7. Removed uninitialized variable warning from CGI::Cookie, provided
955 by Atipat Rojnuckarin <rojnuca@yahoo.com>
956 8. Fixed bug in CGI::Pretty that causes it to print partial end tags
957 when the $INDENT global is changed.
958 9. Single quotes are changed to character entity ' for compatibility
964 1. Quashed one-character bug that caused CGI.pm to fail on file
970 1. Added -base to the list of arguments accepted by url().
971 2. Fixes to XHTML support.
972 3. POST parameters no longer show up in the Location box.
977 1. Fixed the defaults button so that it works again
978 2. Charset is now correctly saved and restored when saving to files
979 3. url() now works correctly when given scripts with %20 and other
980 escapes in the additional path info. This undoes a patch
981 introduced in version 2.47 that I no longer understand the
987 1. Newlines in the value attributes of hidden fields and other form
988 elements are now escaped when using ISO-Latin.
989 2. Inline script and style sections are now protected as CDATA
990 sections when XHTML mode is on (the default).
995 1. Fixed bug in scrolling_list() which omitted a space in front of
996 the "multiple" attribute.
997 2. Squashed the "useless use of string in void context" message from
1002 1. startform() now creates default ACTION for POSTs as well as GETs.
1003 This may break some browsers, but it no longer violates the HTML
1005 2. CGI.pm now emits XHTML by default. Disable with -no_xhtml.
1006 3. We no longer interpret &#ddd sequences in non-latin character
1011 1. No longer attempts to escape characters when dealing with non
1012 ISO-8861 character sets.
1013 2. checkbox() function now defaults to using -value as its label,
1014 rather than -name. The current behavior is what has been
1015 documented from the beginning.
1016 3. -style accepts array reference to incorporate multiple stylesheets
1019 1. Fixed two bugs that caused the -compile pragma to fail with a
1024 1. Added XHTML support (incomplete; tags need to be lowercased).
1025 2. Fixed CGI/Carp when running under mod_perl. Probably broke in
1027 3. Fixed problems when passing multiple cookies.
1028 4. Suppress warnings from _tableize() that were appearing when using
1029 -w switch with radio_group() and checkbox_group().
1030 5. Support for the header() -attachment argument, which can give
1031 pages a default file name when saving to disk.
1035 1. 2.65 changes in make_attributes() broke HTTP header functions
1036 (including redirect), so made it context sensitive.
1040 1. Fixed regression tests to skip tests that require implicit fork on
1041 machines without fork().
1042 2. Changed make_attributes() to automatically escape any HTML
1043 reserved characters.
1044 3. Minor documentation fix in javascript example.
1048 1. Changes introduced in 2.63 broke param() when retrieving parameter
1049 lists containing only a single argument. This is now fixed.
1050 2. self_url() now defaults to returning parameters delimited with
1051 semicolon. Use the pragma -oldstyle_urls to get the old "&"
1056 1. Fixed CGI::Push to pull out parameters correctly.
1057 2. Fixed redirect() so that it works with default character set
1058 3. Changed param() so as to returned empty string '' when referring
1059 to variables passed in query strings like 'name1=&name2'
1063 1. Fixed broken ReadParse() function, and added regression tests
1064 2. Fixed broken CGI::Pretty, and added regression tests
1068 1. Moved more functions from CGI.pm proper into CGI/Util.pm.
1069 CGI/Cookie should now be standalone.
1070 2. Disabled per-user temporary directories, which were causing grief.
1074 1. Fixed junk appearing in autogenerated HTML functions when using
1075 object-oriented mode.
1079 1. autoescape functionality breaks too much existing code, removed
1081 2. use escapeHTML() manually
1085 This is the release version of 2.57.
1089 1. Added -debug pragma and turned off auto reading of STDIN.
1090 2. Default DTD updated to HTML 4.01 transitional.
1091 3. Added charset() method and the -charset argument to header().
1092 4. Fixed behavior of escapeHTML() to respect charset() and to escape
1093 nasty Windows characters (thanks to Tom Christiansen).
1094 5. Handle REDIRECT_QUERY_STRING correctly.
1095 6. Removed use_named_parameters() because of dependency problems and
1097 7. Fixed problems with bad HREF links generated by url(-relative=>1)
1098 when the url is like /people/.
1099 8. Silenced a warning on upload (patch provided by Jonas Liljegren)
1100 9. Fixed race condition in CGI::Carp when errors occur during parsing
1101 (patch provided by Maurice Aubrey).
1102 10. Fixed failure of url(-path_info=>1) when path contains % signs.
1103 11. Fixed warning from CGI::Cookie when receiving foreign cookies that
1104 don't use name=value format.
1105 12. Fixed incompatibilities with file uploading on VMS systems.
1109 1. Fixed bugs in file upload introduced in version 2.55
1110 2. Fixed long-standing bug that prevented two files with identical
1111 names from being uploaded.
1115 1. Fixed cookie regression test so as not to produce an error.
1116 2. Fixed path_info() and self_url() to work correctly together when
1117 path_info() modified.
1118 3. Removed manify warnings from CGI::{Switch,Apache}.
1122 1. This will be the last release of the monolithic CGI.pm module.
1123 Later versions will be modularized and optimized.
1124 2. DOMAIN tag no longer added to cookies by default. This will break
1125 some versions of Internet Explorer, but will avoid breaking
1126 networks which use host tables without fully qualified domain
1127 names. For compatibility, please always add the -domain tag when
1129 3. Fixed escape() method so that +'s are treated correctly.
1130 4. Updated CGI::Pretty module.
1134 1. Forgot to upgrade regression tests before releasing 2.52. NOTHING
1135 ELSE HAS CHANGED IN LIBRARY
1139 1. Spurious newline in checkbox() routine removed. (courtesy John
1141 2. TEXTAREA linebreaks now respected in dump() routine. (courtesy
1143 3. Patches for DOS ports (courtesy Robert Davies)
1145 5. More fixes for cookie problems
1146 6. Fix CGI::Carp so that it doesn't affect eval{} blocks (courtesy
1151 1. Fixed problems with cookies not being remembered when sent to IE
1152 5.0 (and Netscape 5.0 too?)
1153 2. Numerous HTML compliance problems in cgi_docs.html; fixed thanks
1158 1. Added a new Vars() method to retrieve all parameters as a tied
1160 2. Untainted tainted tempfile name so that script doesn't fail on
1162 3. Made picking of upload tempfile name more intelligent so that
1163 doesn't fail in case of name collision.
1164 4. Fixed handling of expire times when passed an absolute timestamp.
1165 5. Changed dump() to Dump() to avoid name clashes.
1169 1. Fixes for FastCGI (globals not getting reset)
1170 2. Fixed url() to correctly handle query string and path under
1175 1. Reverted detection of MOD_PERL to avoid breaking PerlEX.
1179 1. Patch to fix file upload bug appearing in IE 3.01 for
1181 2. Replaced use of $ENV{SCRIPT_NAME} with $ENV{REQUEST_URI} when
1182 running under Apache, to fix self-referencing URIs.
1183 3. Fixed bug in escapeHTML() which caused certain constructs, such as
1184 CGI->image_button(), to fail.
1185 4. Fixed bug which caused strong('CGI') to fail. Be careful to use
1186 CGI::strong('CGI') and not CGI->strong('CGI'). The latter will
1187 produce confusing results.
1188 5. Added upload() function, as a preferred replacement for the
1189 "filehandle as string" feature.
1190 6. Added cgi_error() function.
1191 7. Rewrote file upload handling to return undef rather than dieing
1192 when an error is encountered. Be sure to call cgi_error() to find
1193 out what went wrong.
1197 1. Fix for failure of the "include" tests under mod_perl
1198 2. Added end_multipart_form to prevent failures during qw(-compile
1203 1. Multiple small documentation fixes
1204 2. CGI::Pretty didn't get into 2.44. Fixed now.
1208 1. Fixed file descriptor leak in upload function.
1209 2. Fixed bug in header() that prevented fields from containing double
1211 3. Added Brian Paulsen's CGI::Pretty package for pretty-printing
1213 4. Removed CGI::Apache and CGI::Switch from the distribution.
1214 5. Generated start_* shortcuts so that start_table(), end_table(),
1215 start_ol(), end_ol(), and so forth now work (see the docs on how
1216 to enable this feature).
1217 6. Changed accept() to Accept(), sub() to Sub(). There's still a
1218 conflict with reset(), but this will break too many existing
1223 1. Fixed problem with "use strict" and file uploads (thanks to Peter
1225 2. Fixed problem with not MSIE 3.01 for the power_mac not doing file
1227 3. Fixed problem with file upload on IIS 4.0 when authorization in
1229 4. -content_type and '-content-type' can now be provided to header()
1230 as synonyms for -type.
1231 5. CGI::Carp now escapes the ampersand BEFORE escaping the > and <
1233 6. Fixed "not an array reference" error when passing a hash reference
1235 7. Fixed non-removal of uploaded TMP files on NT platforms which
1236 occurs when server runs on non-C drive (thanks to Steve Kilbane
1237 for finding this one).
1241 1. Too many screams of anguish at changed behavior of url(). Is now
1242 back to its old behavior by default, with options to generate all
1244 2. Added regression tests. "make test" now works.
1245 3. Documentation fixes.
1246 4. Fixes for Macintosh uploads, but uploads STILL do not work pending
1251 1. url() method now includes the path info. Use script_name() to get
1252 it without path info().
1253 2. Changed handling of empty attributes in HTML tag generation. Be
1254 warned! Use table({-border=>undef}) rather than
1255 table({-border=>''}).
1256 3. Changes to allow uploaded filenames to be compared to other
1257 strings with "eq", "cmp" and "ne".
1258 4. Changes to allow CGI.pm to coexist more peacefully with
1260 5. Changes to prevent exported variables from clashing when importing
1261 ":all" set in combination with cookies.
1265 1. CGI::Carp patched to work better with mod_perl (thanks to Chris
1267 2. Uploads of files whose names begin with numbers or the Windows
1268 \\UNC\shared\file nomenclature should no longer fail.
1269 3. The <STYLE> tag (for cascading style sheets) now generates the
1270 required TYPE attribute.
1271 4. Server push primitives added, thanks to Ed Jordan.
1272 5. Table and other HTML3 functions are now part of the :standard set.
1273 6. Small documentation fixes.
1276 1. Do something about the DTD mess. The module should generate
1277 correct DTDs, or at least offer the programmer a way to specify
1279 2. Split CGI.pm into CGI processing and HTML-generating modules.
1280 3. More robust file upload (?still not working on the Macintosh?).
1281 4. Bring in all the HTML4 functionality, particular the accessibility
1286 1. file uploads failing because of VMS patch; fixed.
1287 2. -dtd parameter was not being properly processed.
1291 I finally got tired of all the 2.37 betas and released 2.38. The main
1292 difference between this version and the last 2.37 beta (2.37b30) are
1293 some fixes for VMS. This should allow file upload to work properly on
1294 all VMS Web servers.
1296 Version 2.37, various beta versions
1298 1. Added a CGI::Cookie::parse() method for lucky mod_perl users.
1299 2. No longer need separate -values and -labels arguments for
1300 multi-valued form elements.
1301 3. Added better interface to raw cookies (fix courtesy Ken Fox,
1303 4. Added param_fetch() function for direct access to parameter list.
1304 5. Fix to checkbox() to allow for multi-valued single checkboxes
1306 6. Added a compile() method for those who want to compile without
1308 7. Documented the import pragmas a little better.
1309 8. Added a -compile switch to the use clause for the long-suffering
1310 mod_perl and Perl compiler users.
1311 9. Fixed initialization routines so that FileHandle and type globs
1312 work correctly (and hash initialization doesn't fail!).
1313 10. Better deletion of temporary files on NT systems.
1314 11. Added documentation on escape(), unescape(), unescapeHTML() and
1315 unescapeHTML() subroutines.
1316 12. Added documentation on creating subclasses.
1317 13. Fixed problem when calling $self->SUPER::foo() from inheriting
1319 14. Fixed problem using filehandles from within subroutines.
1320 15. Fixed inability to use the string "CGI" as a parameter.
1321 16. Fixed exponentially growing $FILLUNIT bug
1322 17. Check for undef filehandle in read_from_client()
1323 18. Now requires the UNIVERSAL.pm module, present in Perl 5.003_7 or
1325 19. Fixed problem with uppercase-only parameters being ignored.
1326 20. Fixed vanishing cookie problem.
1327 21. Fixed warning in initialize_globals() under mod_perl.
1328 22. File uploads from Macintosh versions of MSIE should now work.
1329 23. Pragmas now preceded by dashes (-nph) rather than colons (:nph).
1330 Old style is supported for backward compatibility.
1331 24. Can now pass arguments to all functions using {} brackets,
1332 resolving historical inconsistencies.
1333 25. Removed autoloader warnings about absent MultipartBuffer::DESTROY.
1334 26. Fixed non-sticky checkbox() when -name used without -value.
1335 27. Hack to fix path_info() in IIS 2.0. Doesn't help with IIS 3.0.
1336 28. Parameter syntax for debugging from command line now more
1338 29. Added $DISABLE_UPLOAD to disable file uploads.
1339 30. Added $POST_MAX to error out if POSTings exceed some ceiling.
1340 31. Fixed url_param(), which wasn't working at all.
1341 32. Fixed variable suicide problem in s///e expressions, where the
1342 autoloader was needed during evaluation.
1343 33. Removed excess spaces between elements of checkbox and radio
1345 34. Can now create "valueless" submit buttons
1346 35. Can now set path_info as well as read it.
1347 36. ReadParse() now returns a useful function result.
1348 37. import_names() now allows you to optionally clear out the
1349 namespace before importing (for mod_perl users)
1350 38. Made it possible to have a popup menu or radio button with a value
1352 39. link() changed to Link() to avoid overriding native link function.
1353 40. Takes advantage of mod_perl's register_cleanup() function to clear
1355 41. <LAYER> and <ILAYER> added to :html3 functions.
1356 42. Fixed problems with private tempfiles and NT/IIS systems.
1357 43. No longer prints the DTD by default (I bet no one will complain).
1358 44. Allow underscores to replace internal hyphens in parameter names.
1359 45. CGI::Push supports heterogeneous MIME types and adjustable delays
1361 46. url_param() method added for retrieving URL parameters even when a
1362 fill-out form is POSTed.
1363 47. Got rid of warnings when radio_group() is called.
1364 48. Cookies now moved to their very own module.
1365 49. Fixed documentation bug in CGI::Fast.
1366 50. Added a :no_debug pragma to the import list.
1370 1. Expanded JavaScript functionality
1371 2. Preliminary support for cascading stylesheets
1372 3. Security fixes for file uploads:
1373 + Module will bail out if its temporary file already exists
1374 + Temporary files can now be made completely private to avoid
1375 peeking by other users or CGI scripts.
1376 4. use CGI qw/:nph/ wasn't working correctly. Now it is.
1377 5. Cookie and HTTP date formats didn't meet spec. Thanks to Mark
1378 Fisher (fisherm@indy.tce.com) for catching and fixing this.
1384 1. Robustified multipart file upload against incorrect syntax in
1386 2. Fixed more problems with mod_perl.
1387 3. Added -noScript parameter to start_html().
1388 4. Documentation fixes.
1396 1. Fixed a warning about an undefined environment variable.
1397 2. Doug's patch for redirect() under mod_perl
1398 3. Partial fix for busted inheritence from CGI::Apache
1399 4. Documentation fixes.
1403 1. Improved support for Apache's mod_perl.
1404 2. Changes to better support inheritance.
1405 3. Support for OS/2.
1409 1. New uploadInfo() method to obtain header information from uploaded
1411 2. cookie() without any arguments returns all the cookies passed to a
1413 3. Removed annoying warnings about $ENV{NPH} when running with the -w
1415 4. Removed operator overloading throughout to make compatible with
1416 new versions of perl.
1417 5. -expires now implies the -date header, to avoid clock skew.
1418 6. WebSite passes cookies in $ENV{COOKIE} rather than
1419 $ENV{HTTP_COOKIE}. We now handle this, even though it's O'Reilly's
1421 7. Tested successfully against new sfio I/O layer.
1422 8. Documentation fixes.
1426 1. Automatic detection of operating system at load time.
1427 2. Changed select() function to Select() in order to avoid conflict
1429 3. Added Tr() as an alternative to TR(); some people think it looks
1431 4. Fixed problem with autoloading of MultipartBuffer::DESTROY code.
1432 5. Added the following methods:
1435 6. Automatic NPH mode when running under Microsoft IIS server.
1439 1. Fixed cookie bugs
1440 2. Fixed problems that cropped up when useNamedParameters was set to
1442 3. Prevent CGI::Carp::fatalsToBrowser() from crapping out when
1443 encountering a die() within an eval().
1444 4. Fixed problems with filehandle initializers.
1448 1. Added support for NPH scripts; also fixes problems with Microsoft
1450 2. Fixed a problem with checkbox() values not being correctly saved
1452 3. Fixed a bug in which CGI objects created with empty string
1453 initializers took on default values from earlier CGI objects.
1454 4. Documentation fixes.
1458 1. Small but important bug fix: the automatic capitalization of tag
1459 attributes was accidentally capitalizing the VALUES as well as the
1460 ATTRIBUTE names (oops).
1464 1. Changed behavior of scrolling_list(), checkbox() and
1465 checkbox_group() methods so that defaults are honored correctly.
1466 The "fix" causes endform() to generate additional <INPUT
1467 TYPE="HIDDEN"> tags -- don't be surpised.
1468 2. Fixed bug involving the detection of the SSL protocol.
1469 3. Fixed documentation error in position of the -meta argument in
1471 4. HTML shortcuts now generate tags in ALL UPPERCASE.
1472 5. start_html() now generates correct SGML header:
1473 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
1475 6. CGI::Carp no longer fails "use strict refs" pragma.
1479 1. Fixed bug that caused bad redirection on destination URLs with
1481 2. Fixed bug involving use_named_parameters() followed by
1482 start_multipart_form()
1483 3. Fixed bug that caused incorrect determination of binmode for
1485 4. Spelling fixes on documentation.
1489 1. Fixed bug that caused generation of lousy HTML for some form
1491 2. Fixed uploading bug in Windows NT
1492 3. Some code cleanup (not enough)
1496 1. Fixed an obscure bug that caused scripts to fail mysteriously.
1497 2. Fixed auto-caching bug.
1498 3. Fixed bug that prevented HTML shortcuts from passing taint checks.
1499 4. Fixed some -w warning problems.
1503 1. New CGI::Fast module for use with FastCGI protocol. See pod
1504 documentation for details.
1505 2. Fixed problems with inheritance and autoloading.
1506 3. Added TR() (<tr>) and PARAM() (<param>) methods to list of
1507 exported HTML tag-generating functions.
1508 4. Moved all CGI-related I/O to a bottleneck method so that this can
1509 be overridden more easily in mod_perl (thanks to Doug MacEachern).
1510 5. put() method as substitute for print() for use in mod_perl.
1511 6. Fixed crash in tmpFileName() method.
1512 7. Added tmpFileName(), startform() and endform() to export list.
1513 8. Fixed problems with attributes in HTML shortcuts.
1514 9. Functions that don't actually need access to the CGI object now no
1515 longer generate a default one. May speed things up slightly.
1516 10. Aesthetic improvements in generated HTML.
1521 1. Added the -meta argument to start_html().
1522 2. Fixed hidden fields (again).
1523 3. Radio_group() and checkbox_group() now return an appropriate
1524 scalar value when called in a scalar context, rather than
1525 returning a numeric value!
1526 4. Cleaned up the formatting of form elements to avoid unesthetic
1527 extra spaces within the attributes.
1528 5. HTML elements now correctly include the closing tag when
1529 parameters are present but null: em('')
1530 6. Added password_field() to the export list.
1534 1. Dumped the SelfLoader because of problems with running with taint
1535 checks and rolled my own. Performance is now significantly
1537 2. Added HTML shortcuts.
1538 3. import() now adheres to the Perl module conventions, allowing
1539 CGI.pm to import any or all method names into the user's name
1541 4. Added the ability to initialize CGI objects from strings and
1543 5. Made it possible to initialize CGI objects with filehandle
1544 references rather than filehandle strings.
1545 6. Added the delete_all() and append() methods.
1546 7. CGI objects correctly initialize from filehandles on NT/95 systems
1548 8. Fixed the problem with binary file uploads on NT/95 systems.
1549 9. Fixed bug in redirect().
1550 10. Added '-Window-target' parameter to redirect().
1551 11. Fixed import_names() so that parameter names containing funny
1553 12. Broke the unfortunate connection between cookie and CGI parameter
1555 13. Fixed problems with hidden fields whose values are 0.
1556 14. Cleaned up the documentation somewhat.
1560 1. Added cookie() support routines.
1561 2. Added -expires parameter to header().
1562 3. Added cgi-lib.pl compatibility mode.
1563 4. Made the module more configurable for different operating systems.
1564 5. Fixed a dumb bug in JavaScript button() method.
1568 1. Fixed a bug that corrects a hang that occurs on some platforms
1569 when processing file uploads. Unfortunately this disables the
1570 check for bad Netscape uploads.
1571 2. Fixed bizarre problem involving the inability to process uploaded
1572 files that begin with a non alphabetic character in the file name.
1573 3. Fixed a bug in the hidden fields involving the -override directive
1574 being ignored when scalar defaults were passed.
1575 4. Added documentation on how to disable the SelfLoader features.
1579 1. Added support for the SelfLoader module.
1580 2. Added oodles of JavaScript support routines.
1581 3. Fixed bad bug in query_string() method that caused some parameters
1582 to be silently dropped.
1583 4. Robustified file upload code to handle premature termination by
1585 5. Exported temporary file names on file upload.
1586 6. Removed spurious "uninitialized variable" warnings that appeared
1587 when running under 5.002.
1588 7. Added the Carp.pm library to the standard distribution.
1589 8. Fixed a number of errors in this documentation, and probably added
1591 9. Checkbox_group() and radio_group() now return the buttons as
1592 arrays, so that you can incorporate the individual buttons into
1594 10. Added the '-nolabels' option to checkbox_group() and
1595 radio_group(). Probably should be added to all the other
1596 HTML-generating routines.
1597 11. Added the url() method to recover the URL without the entire query
1599 12. Added request_method() to list of environment variables available.
1600 13. Would you believe it? Fixed hidden fields again!
1604 1. Fixed hidden fields yet again.
1605 2. Fixed subtle problems in the file upload method that caused
1606 intermittent failures (thanks to Keven Hendrick for this one).
1607 3. Made file upload more robust in the face of bizarre behavior by
1608 the Macintosh and Windows Netscape clients.
1609 4. Moved the POD documentation to the bottom of the module at the
1610 request of Stephen Dahmen.
1611 5. Added the -xbase parameter to the start_html() method, also at the
1612 request of Stephen Dahmen.
1613 6. Added JavaScript form buttons at Stephen's request. I'm not sure
1614 how to use this Netscape extension correctly, however, so for now
1615 the form() method is in the module as an undocumented feature. Use
1620 1. Added the -override parameter to all field-generating methods.
1621 2. Documented the user_name() and remote_user() methods.
1622 3. Fixed bugs that prevented empty strings from being recognized as
1623 valid textfield contents.
1624 4. Documented the use of framesets and added a frameset example.
1628 This was an internal experimental version that was never released.
1632 1. Fixed a bug that interfered with the value "0" being entered into
1637 1. Added -rows and -columns to the radio and checkbox groups. No
1638 doubt this will cause much grief because it seems to promise a
1639 level of meta-organization that it doesn't actually provide.
1640 2. Fixed a bug in the redirect() method -- it was not truly HTTP/1.0
1645 The changes seemed to touch every line of code, so I decided to bump
1646 up the major version number.
1647 1. Support for named parameter style method calls. This turns out
1648 to be a big win for extending CGI.pm when Netscape adds new HTML
1650 2. Changed behavior of hidden fields back to the correct "sticky"
1651 behavior. This is going to break some programs, but it is for
1652 the best in the long run.
1653 3. Netscape 2.0b2 broke the file upload feature. CGI.pm now handles
1654 both 2.0b1 and 2.0b2-style uploading. It will probably break again
1656 4. There were still problems with library being unable to distinguish
1657 between a form being loaded for the first time, and a subsequent
1658 loading with all fields blank. We now forcibly create a default
1659 name for the Submit button (if not provided) so that there's
1660 always at least one parameter.
1661 5. More workarounds to prevent annoying spurious warning messages
1662 when run under the -w switch. -w is seriously broken in perl
1667 1. Support for the Netscape 2.0 "File upload" field.
1668 2. The handling of defaults for selected items in scrolling lists and
1669 multiple checkboxes is now consistent.
1673 1. Created true "pod" documentation for the module.
1674 2. Cleaned up the code to avoid many of the spurious "use of
1675 uninitialized variable" warnings when running with the -w switch.
1676 3. Added the autoEscape() method. v
1677 4. Added string interpolation of the CGI object.
1678 5. Added the ability to pass additional parameters to the <BODY> tag.
1679 6. Added the ability to specify the status code in the HTTP header.
1681 Bug fixes in version 1.55
1683 1. Every time self_url() was called, the parameter list would grow.
1684 This was a bad "feature".
1685 2. Documented the fact that you can pass "-" to radio_group() in
1686 order to prevent any button from being highlighted by default.
1688 Bug fixes in version 1.54
1690 1. The user_agent() method is now documented;
1691 2. A potential security hole in import() is now plugged.
1692 3. Changed name of import() to import_names() for compatibility with
1695 Bug fixes in version 1.53
1697 1. Fixed several typos in the code that were causing the following
1698 subroutines to fail in some circumstances
1701 2. No features added
1703 New features added in version 1.52
1705 1. Added backslashing, quotation marks, and other shell-style escape
1706 sequences to the parameters passed in during debugging off-line.
1707 2. Changed the way that the hidden() method works so that the default
1708 value always overrides the current one.
1709 3. Improved the handling of sticky values in forms. It's now less
1710 likely that sticky values will get stuck.
1711 4. If you call server_name(), script_name() and several other methods
1712 when running offline, the methods now create "dummy" values to
1715 Bugs fixed in version 1.51
1717 1. param() when called without arguments was returning an array of
1718 length 1 even when there were no parameters to be had. Bad bug!
1720 2. The HTML code generated would break if input fields contained the
1721 forbidden characters ">< or &. You can now use these characters
1724 New features added in version 1.50
1726 1. import() method allows all the parameters to be imported into a
1727 namespace in one fell swoop.
1728 2. Parameters are now returned in the same order in which they were
1731 Bugs fixed in version 1.45
1733 1. delete() method didn't work correctly. This is now fixed.
1734 2. reset() method didn't allow you to set the name of the button.
1737 Bugs fixed in version 1.44
1739 1. self_url() didn't include the path information. This is now fixed.
1741 New features added in version 1.43
1743 1. Added the delete() method.
1745 New features added in version 1.42
1747 1. The image_button() method to create clickable images.
1748 2. A few bug fixes involving forms embedded in <PRE> blocks.
1750 New features added in version 1.4
1752 1. New header shortcut methods
1753 + redirect() to create HTTP redirection messages.
1754 + start_html() to create the HTML title, complete with the
1755 recommended <LINK> tag that no one ever remembers to include.
1756 + end_html() for completeness' sake.
1757 2. A new save() method that allows you to write out the state of an
1758 script to a file or pipe.
1759 3. An improved version of the new() method that allows you to restore
1760 the state of a script from a file or pipe. With (2) this gives you
1761 dump and restore capabilities! (Wow, you can put a "121,931
1762 customers served" banner at the bottom of your pages!)
1763 4. A self_url() method that allows you to create state-maintaining
1764 hypertext links. In addition to allowing you to maintain the state
1765 of your scripts between invocations, this lets you work around a
1766 problem that some browsers have when jumping to internal links in
1767 a document that contains a form -- the form information gets lost.
1768 5. The user-visible labels in checkboxes, radio buttons, popup menus
1769 and scrolling lists have now been decoupled from the values sent
1770 to your CGI script. Your script can know a checkbox by the name of
1771 "cb1" while the user knows it by a more descriptive name. I've
1772 also added some parameters that were missing from the text fields,
1774 6. A whole bunch of methods have been added to get at environment
1775 variables involved in user verification and other obscure
1780 1. The problems with the hidden fields have (I hope at last) been
1782 2. You can create multiple query objects and they will all be
1783 initialized correctly. This simplifies the creation of multiple
1785 3. The URL unescaping code works correctly now.