1# This Source Code Form is subject to the terms of the Mozilla Public 2# License, v. 2.0. If a copy of the MPL was not distributed with this 3# file, You can obtain one at http://mozilla.org/MPL/2.0/. 4# 5# This Source Code Form is "Incompatible With Secondary Licenses", as 6# defined by the Mozilla Public License, v. 2.0. 7 8package Bugzilla::CGI; 9 10use 5.10.1; 11use strict; 12use warnings; 13 14use parent qw(CGI); 15 16use Bugzilla::Constants; 17use Bugzilla::Error; 18use Bugzilla::Util; 19use Bugzilla::Hook; 20use Bugzilla::Search::Recent; 21 22use File::Basename; 23 24sub _init_bz_cgi_globals { 25 my $invocant = shift; 26 # We need to disable output buffering - see bug 179174 27 $| = 1; 28 29 # Ignore SIGTERM and SIGPIPE - this prevents DB corruption. If the user closes 30 # their browser window while a script is running, the web server sends these 31 # signals, and we don't want to die half way through a write. 32 $SIG{TERM} = 'IGNORE'; 33 $SIG{PIPE} = 'IGNORE'; 34 35 # We don't precompile any functions here, that's done specially in 36 # mod_perl code. 37 $invocant->_setup_symbols(qw(:no_xhtml :oldstyle_urls :private_tempfiles 38 :unique_headers)); 39} 40 41BEGIN { __PACKAGE__->_init_bz_cgi_globals() if i_am_cgi(); } 42 43sub new { 44 my ($invocant, @args) = @_; 45 my $class = ref($invocant) || $invocant; 46 47 # Under mod_perl, CGI's global variables get reset on each request, 48 # so we need to set them up again every time. 49 $class->_init_bz_cgi_globals() if $ENV{MOD_PERL}; 50 51 my $self = $class->SUPER::new(@args); 52 53 # Make sure our outgoing cookie list is empty on each invocation 54 $self->{Bugzilla_cookie_list} = []; 55 56 # Path-Info is of no use for Bugzilla and interacts badly with IIS. 57 # Moreover, it causes unexpected behaviors, such as totally breaking 58 # the rendering of pages. 59 my $script = basename($0); 60 if (my $path_info = $self->path_info) { 61 my @whitelist = ("rest.cgi"); 62 Bugzilla::Hook::process('path_info_whitelist', { whitelist => \@whitelist }); 63 if (!grep($_ eq $script, @whitelist)) { 64 # IIS includes the full path to the script in PATH_INFO, 65 # so we have to extract the real PATH_INFO from it, 66 # else we will be redirected outside Bugzilla. 67 my $script_name = $self->script_name; 68 $path_info =~ s/^\Q$script_name\E//; 69 if ($script_name && $path_info) { 70 print $self->redirect($self->url(-path => 0, -query => 1)); 71 } 72 } 73 } 74 75 # Send appropriate charset 76 $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : ''); 77 78 # Redirect to urlbase/sslbase if we are not viewing an attachment. 79 if ($self->url_is_attachment_base and $script ne 'attachment.cgi') { 80 $self->redirect_to_urlbase(); 81 } 82 83 # Check for errors 84 # All of the Bugzilla code wants to do this, so do it here instead of 85 # in each script 86 87 my $err = $self->cgi_error; 88 89 if ($err) { 90 # Note that this error block is only triggered by CGI.pm for malformed 91 # multipart requests, and so should never happen unless there is a 92 # browser bug. 93 94 print $self->header(-status => $err); 95 96 # ThrowCodeError wants to print the header, so it grabs Bugzilla->cgi 97 # which creates a new Bugzilla::CGI object, which fails again, which 98 # ends up here, and calls ThrowCodeError, and then recurses forever. 99 # So don't use it. 100 # In fact, we can't use templates at all, because we need a CGI object 101 # to determine the template lang as well as the current url (from the 102 # template) 103 # Since this is an internal error which indicates a severe browser bug, 104 # just die. 105 die "CGI parsing error: $err"; 106 } 107 108 return $self; 109} 110 111# We want this sorted plus the ability to exclude certain params 112sub canonicalise_query { 113 my ($self, @exclude) = @_; 114 115 # Reconstruct the URL by concatenating the sorted param=value pairs 116 my @parameters; 117 foreach my $key (sort($self->param())) { 118 # Leave this key out if it's in the exclude list 119 next if grep { $_ eq $key } @exclude; 120 121 # Remove the Boolean Charts for standard query.cgi fields 122 # They are listed in the query URL already 123 next if $key =~ /^(field|type|value)(-\d+){3}$/; 124 125 my $esc_key = url_quote($key); 126 127 foreach my $value ($self->param($key)) { 128 # Omit params with an empty value 129 if (defined($value) && $value ne '') { 130 my $esc_value = url_quote($value); 131 132 push(@parameters, "$esc_key=$esc_value"); 133 } 134 } 135 } 136 137 return join("&", @parameters); 138} 139 140sub clean_search_url { 141 my $self = shift; 142 # Delete any empty URL parameter. 143 my @cgi_params = $self->param; 144 145 foreach my $param (@cgi_params) { 146 if (defined $self->param($param) && $self->param($param) eq '') { 147 $self->delete($param); 148 $self->delete("${param}_type"); 149 } 150 151 # Custom Search stuff is empty if it's "noop". We also keep around 152 # the old Boolean Chart syntax for backwards-compatibility. 153 if (($param =~ /\d-\d-\d/ || $param =~ /^[[:alpha:]]\d+$/) 154 && defined $self->param($param) && $self->param($param) eq 'noop') 155 { 156 $self->delete($param); 157 } 158 159 # Any "join" for custom search that's an AND can be removed, because 160 # that's the default. 161 if (($param =~ /^j\d+$/ || $param eq 'j_top') 162 && $self->param($param) eq 'AND') 163 { 164 $self->delete($param); 165 } 166 } 167 168 # Delete leftovers from the login form 169 $self->delete('Bugzilla_remember', 'GoAheadAndLogIn'); 170 171 # Delete the token if we're not performing an action which needs it 172 unless ((defined $self->param('remtype') 173 && ($self->param('remtype') eq 'asdefault' 174 || $self->param('remtype') eq 'asnamed')) 175 || (defined $self->param('remaction') 176 && $self->param('remaction') eq 'forget')) 177 { 178 $self->delete("token"); 179 } 180 181 foreach my $num (1,2,3) { 182 # If there's no value in the email field, delete the related fields. 183 if (!$self->param("email$num")) { 184 foreach my $field (qw(type assigned_to reporter qa_contact cc longdesc)) { 185 $self->delete("email$field$num"); 186 } 187 } 188 } 189 190 # chfieldto is set to "Now" by default in query.cgi. But if none 191 # of the other chfield parameters are set, it's meaningless. 192 if (!defined $self->param('chfieldfrom') && !$self->param('chfield') 193 && !defined $self->param('chfieldvalue') && $self->param('chfieldto') 194 && lc($self->param('chfieldto')) eq 'now') 195 { 196 $self->delete('chfieldto'); 197 } 198 199 # cmdtype "doit" is the default from query.cgi, but it's only meaningful 200 # if there's a remtype parameter. 201 if (defined $self->param('cmdtype') && $self->param('cmdtype') eq 'doit' 202 && !defined $self->param('remtype')) 203 { 204 $self->delete('cmdtype'); 205 } 206 207 # "Reuse same sort as last time" is actually the default, so we don't 208 # need it in the URL. 209 if ($self->param('order') 210 && $self->param('order') eq 'Reuse same sort as last time') 211 { 212 $self->delete('order'); 213 } 214 215 # list_id is added in buglist.cgi after calling clean_search_url, 216 # and doesn't need to be saved in saved searches. 217 $self->delete('list_id'); 218 219 # no_redirect is used internally by redirect_search_url(). 220 $self->delete('no_redirect'); 221 222 # And now finally, if query_format is our only parameter, that 223 # really means we have no parameters, so we should delete query_format. 224 if ($self->param('query_format') && scalar($self->param()) == 1) { 225 $self->delete('query_format'); 226 } 227} 228 229sub check_etag { 230 my ($self, $valid_etag) = @_; 231 232 # ETag support. 233 my $if_none_match = $self->http('If-None-Match'); 234 return if !$if_none_match; 235 236 my @if_none = split(/[\s,]+/, $if_none_match); 237 foreach my $possible_etag (@if_none) { 238 # remove quotes from begin and end of the string 239 $possible_etag =~ s/^\"//g; 240 $possible_etag =~ s/\"$//g; 241 if ($possible_etag eq $valid_etag or $possible_etag eq '*') { 242 return 1; 243 } 244 } 245 246 return 0; 247} 248 249# Have to add the cookies in. 250sub multipart_start { 251 my $self = shift; 252 253 my %args = @_; 254 255 # CGI.pm::multipart_start doesn't honour its own charset information, so 256 # we do it ourselves here 257 if (defined $self->charset() && defined $args{-type}) { 258 # Remove any existing charset specifier 259 $args{-type} =~ s/;.*$//; 260 # and add the specified one 261 $args{-type} .= '; charset=' . $self->charset(); 262 } 263 264 my $headers = $self->SUPER::multipart_start(%args); 265 # Eliminate the one extra CRLF at the end. 266 $headers =~ s/$CGI::CRLF$//; 267 # Add the cookies. We have to do it this way instead of 268 # passing them to multpart_start, because CGI.pm's multipart_start 269 # doesn't understand a '-cookie' argument pointing to an arrayref. 270 foreach my $cookie (@{$self->{Bugzilla_cookie_list}}) { 271 $headers .= "Set-Cookie: ${cookie}${CGI::CRLF}"; 272 } 273 $headers .= $CGI::CRLF; 274 $self->{_multipart_in_progress} = 1; 275 return $headers; 276} 277 278sub close_standby_message { 279 my ($self, $contenttype, $disp, $disp_prefix, $extension) = @_; 280 $self->set_dated_content_disp($disp, $disp_prefix, $extension); 281 282 if ($self->{_multipart_in_progress}) { 283 print $self->multipart_end(); 284 print $self->multipart_start(-type => $contenttype); 285 } 286 elsif (!$self->{_header_done}) { 287 print $self->header($contenttype); 288 } 289} 290 291our $ALLOW_UNSAFE_RESPONSE = 0; 292# responding to text/plain or text/html is safe 293# responding to any request with a referer header is safe 294# some things need to have unsafe responses (attachment.cgi) 295# everything else should get a 403. 296sub _prevent_unsafe_response { 297 my ($self, $headers) = @_; 298 my $safe_content_type_re = qr{ 299 ^ (*COMMIT) # COMMIT makes the regex faster 300 # by preventing back-tracking. see also perldoc pelre. 301 # application/x-javascript, xml, atom+xml, rdf+xml, xml-dtd, and json 302 (?: application/ (?: x(?: -javascript | ml (?: -dtd )? ) 303 | (?: atom | rdf) \+ xml 304 | json ) 305 # text/csv, text/calendar, text/plain, and text/html 306 | text/ (?: c (?: alendar | sv ) 307 | plain 308 | html ) 309 # used for HTTP push responses 310 | multipart/x-mixed-replace) 311 }sx; 312 my $safe_referer_re = do { 313 # Note that urlbase must end with a /. 314 # It almost certainly does, but let's be extra careful. 315 my $urlbase = correct_urlbase(); 316 $urlbase =~ s{/$}{}; 317 qr{ 318 # Begins with literal urlbase 319 ^ (*COMMIT) 320 \Q$urlbase\E 321 # followed by a slash or end of string 322 (?: / 323 | $ ) 324 }sx 325 }; 326 327 return if $ALLOW_UNSAFE_RESPONSE; 328 329 if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) { 330 # Safe content types are ones that arn't images. 331 # For now let's assume plain text and html are not valid images. 332 my $content_type = $headers->{'-type'} // $headers->{'-content_type'} // 'text/html'; 333 my $is_safe_content_type = $content_type =~ $safe_content_type_re; 334 335 # Safe referers are ones that begin with the urlbase. 336 my $referer = $self->referer; 337 my $is_safe_referer = $referer && $referer =~ $safe_referer_re; 338 339 if (!$is_safe_referer && !$is_safe_content_type) { 340 print $self->SUPER::header(-type => 'text/html', -status => '403 Forbidden'); 341 if ($content_type ne 'text/html') { 342 print "Untrusted Referer Header\n"; 343 if ($ENV{MOD_PERL}) { 344 my $r = $self->r; 345 $r->rflush; 346 $r->status(200); 347 } 348 } 349 exit; 350 } 351 } 352} 353 354# Override header so we can add the cookies in 355sub header { 356 my $self = shift; 357 358 my %headers; 359 my $user = Bugzilla->user; 360 361 # If there's only one parameter, then it's a Content-Type. 362 if (scalar(@_) == 1) { 363 %headers = ('-type' => shift(@_)); 364 } 365 else { 366 %headers = @_; 367 } 368 $self->_prevent_unsafe_response(\%headers); 369 370 if ($self->{'_content_disp'}) { 371 $headers{'-content_disposition'} = $self->{'_content_disp'}; 372 } 373 374 if (!$user->id && $user->authorizer->can_login 375 && !$self->cookie('Bugzilla_login_request_cookie')) 376 { 377 my %args; 378 $args{'-secure'} = 1 if Bugzilla->params->{ssl_redirect}; 379 380 $self->send_cookie(-name => 'Bugzilla_login_request_cookie', 381 -value => generate_random_password(), 382 -httponly => 1, 383 %args); 384 } 385 386 # Add the cookies in if we have any 387 if (scalar(@{$self->{Bugzilla_cookie_list}})) { 388 $headers{'-cookie'} = $self->{Bugzilla_cookie_list}; 389 } 390 391 # Add Strict-Transport-Security (STS) header if this response 392 # is over SSL and the strict_transport_security param is turned on. 393 if ($self->https && !$self->url_is_attachment_base 394 && Bugzilla->params->{'strict_transport_security'} ne 'off') 395 { 396 my $sts_opts = 'max-age=' . MAX_STS_AGE; 397 if (Bugzilla->params->{'strict_transport_security'} 398 eq 'include_subdomains') 399 { 400 $sts_opts .= '; includeSubDomains'; 401 } 402 403 $headers{'-strict_transport_security'} = $sts_opts; 404 } 405 406 # Add X-Frame-Options header to prevent framing and subsequent 407 # possible clickjacking problems. 408 unless ($self->url_is_attachment_base) { 409 $headers{'-x_frame_options'} = 'SAMEORIGIN'; 410 } 411 412 # Add X-XSS-Protection header to prevent simple XSS attacks 413 # and enforce the blocking (rather than the rewriting) mode. 414 $headers{'-x_xss_protection'} = '1; mode=block'; 415 416 # Add X-Content-Type-Options header to prevent browsers sniffing 417 # the MIME type away from the declared Content-Type. 418 $headers{'-x_content_type_options'} = 'nosniff'; 419 420 Bugzilla::Hook::process('cgi_headers', 421 { cgi => $self, headers => \%headers } 422 ); 423 $self->{_header_done} = 1; 424 425 return $self->SUPER::header(%headers) || ""; 426} 427 428sub param { 429 my $self = shift; 430 local $CGI::LIST_CONTEXT_WARN = 0; 431 432 # When we are just requesting the value of a parameter... 433 if (scalar(@_) == 1) { 434 my @result = $self->SUPER::param(@_); 435 436 # Also look at the URL parameters, after we look at the POST 437 # parameters. This is to allow things like login-form submissions 438 # with URL parameters in the form's "target" attribute. 439 if (!scalar(@result) 440 && $self->request_method && $self->request_method eq 'POST') 441 { 442 @result = $self->url_param(@_); 443 } 444 445 # Fix UTF-8-ness of input parameters. 446 if (Bugzilla->params->{'utf8'}) { 447 @result = map { _fix_utf8($_) } @result; 448 } 449 450 return wantarray ? @result : $result[0]; 451 } 452 # And for various other functions in CGI.pm, we need to correctly 453 # return the URL parameters in addition to the POST parameters when 454 # asked for the list of parameters. 455 elsif (!scalar(@_) && $self->request_method 456 && $self->request_method eq 'POST') 457 { 458 my @post_params = $self->SUPER::param; 459 my @url_params = $self->url_param; 460 my %params = map { $_ => 1 } (@post_params, @url_params); 461 return keys %params; 462 } 463 464 return $self->SUPER::param(@_); 465} 466 467sub url_param { 468 my $self = shift; 469 # Some servers fail to set the QUERY_STRING parameter, which 470 # causes undef issues 471 $ENV{'QUERY_STRING'} //= ''; 472 return $self->SUPER::url_param(@_); 473} 474 475sub _fix_utf8 { 476 my $input = shift; 477 # The is_utf8 is here in case CGI gets smart about utf8 someday. 478 utf8::decode($input) if defined $input && !ref $input && !utf8::is_utf8($input); 479 return $input; 480} 481 482sub should_set { 483 my ($self, $param) = @_; 484 my $set = (defined $self->param($param) 485 or defined $self->param("defined_$param")) 486 ? 1 : 0; 487 return $set; 488} 489 490# The various parts of Bugzilla which create cookies don't want to have to 491# pass them around to all of the callers. Instead, store them locally here, 492# and then output as required from |header|. 493sub send_cookie { 494 my $self = shift; 495 496 # Move the param list into a hash for easier handling. 497 my %paramhash; 498 my @paramlist; 499 my ($key, $value); 500 while ($key = shift) { 501 $value = shift; 502 $paramhash{$key} = $value; 503 } 504 505 # Complain if -value is not given or empty (bug 268146). 506 if (!exists($paramhash{'-value'}) || !$paramhash{'-value'}) { 507 ThrowCodeError('cookies_need_value'); 508 } 509 510 # Add the default path and the domain in. 511 $paramhash{'-path'} = Bugzilla->params->{'cookiepath'}; 512 $paramhash{'-domain'} = Bugzilla->params->{'cookiedomain'} 513 if Bugzilla->params->{'cookiedomain'}; 514 515 # Move the param list back into an array for the call to cookie(). 516 foreach (keys(%paramhash)) { 517 unshift(@paramlist, $_ => $paramhash{$_}); 518 } 519 520 push(@{$self->{'Bugzilla_cookie_list'}}, $self->cookie(@paramlist)); 521} 522 523# Cookies are removed by setting an expiry date in the past. 524# This method is a send_cookie wrapper doing exactly this. 525sub remove_cookie { 526 my $self = shift; 527 my ($cookiename) = (@_); 528 529 # Expire the cookie, giving a non-empty dummy value (bug 268146). 530 $self->send_cookie('-name' => $cookiename, 531 '-expires' => 'Tue, 15-Sep-1998 21:49:00 GMT', 532 '-value' => 'X'); 533} 534 535# This helps implement Bugzilla::Search::Recent, and also shortens search 536# URLs that get POSTed to buglist.cgi. 537sub redirect_search_url { 538 my $self = shift; 539 540 # If there is no parameter, there is nothing to do. 541 return unless $self->param; 542 543 # If we're retreiving an old list, we never need to redirect or 544 # do anything related to Bugzilla::Search::Recent. 545 return if $self->param('regetlastlist'); 546 547 my $user = Bugzilla->user; 548 549 if ($user->id) { 550 # There are two conditions that could happen here--we could get a URL 551 # with no list id, and we could get a URL with a list_id that isn't 552 # ours. 553 my $list_id = $self->param('list_id'); 554 if ($list_id) { 555 # If we have a valid list_id, no need to redirect or clean. 556 return if Bugzilla::Search::Recent->check_quietly( 557 { id => $list_id }); 558 } 559 } 560 elsif ($self->request_method ne 'POST') { 561 # Logged-out users who do a GET don't get a list_id, don't get 562 # their URLs cleaned, and don't get redirected. 563 return; 564 } 565 566 my $no_redirect = $self->param('no_redirect'); 567 $self->clean_search_url(); 568 569 # Make sure we still have params still after cleaning otherwise we 570 # do not want to store a list_id for an empty search. 571 if ($user->id && $self->param) { 572 # Insert a placeholder Bugzilla::Search::Recent, so that we know what 573 # the id of the resulting search will be. This is then pulled out 574 # of the Referer header when viewing show_bug.cgi to know what 575 # bug list we came from. 576 my $recent_search = Bugzilla::Search::Recent->create_placeholder; 577 $self->param('list_id', $recent_search->id); 578 } 579 580 # Browsers which support history.replaceState do not need to be 581 # redirected. We can fix the URL on the fly. 582 return if $no_redirect; 583 584 # GET requests that lacked a list_id are always redirected. POST requests 585 # are only redirected if they're under the CGI_URI_LIMIT though. 586 my $self_url = $self->self_url(); 587 if ($self->request_method() ne 'POST' or length($self_url) < CGI_URI_LIMIT) { 588 print $self->redirect(-url => $self_url); 589 exit; 590 } 591} 592 593sub redirect_to_https { 594 my $self = shift; 595 my $sslbase = Bugzilla->params->{'sslbase'}; 596 # If this is a POST, we don't want ?POSTDATA in the query string. 597 # We expect the client to re-POST, which may be a violation of 598 # the HTTP spec, but the only time we're expecting it often is 599 # in the WebService, and WebService clients usually handle this 600 # correctly. 601 $self->delete('POSTDATA'); 602 my $url = $sslbase . $self->url('-path_info' => 1, '-query' => 1, 603 '-relative' => 1); 604 605 # XML-RPC clients (SOAP::Lite at least) require a 301 to redirect properly 606 # and do not work with 302. Our redirect really is permanent anyhow, so 607 # it doesn't hurt to make it a 301. 608 print $self->redirect(-location => $url, -status => 301); 609 610 # When using XML-RPC with mod_perl, we need the headers sent immediately. 611 $self->r->rflush if $ENV{MOD_PERL}; 612 exit; 613} 614 615# Redirect to the urlbase version of the current URL. 616sub redirect_to_urlbase { 617 my $self = shift; 618 my $path = $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1); 619 print $self->redirect('-location' => correct_urlbase() . $path); 620 exit; 621} 622 623sub url_is_attachment_base { 624 my ($self, $id) = @_; 625 return 0 if !use_attachbase() or !i_am_cgi(); 626 my $attach_base = Bugzilla->params->{'attachment_base'}; 627 # If we're passed an id, we only want one specific attachment base 628 # for a particular bug. If we're not passed an ID, we just want to 629 # know if our current URL matches the attachment_base *pattern*. 630 my $regex; 631 if ($id) { 632 $attach_base =~ s/\%bugid\%/$id/; 633 $regex = quotemeta($attach_base); 634 } 635 else { 636 # In this circumstance we run quotemeta first because we need to 637 # insert an active regex meta-character afterward. 638 $regex = quotemeta($attach_base); 639 $regex =~ s/\\\%bugid\\\%/\\d+/; 640 } 641 $regex = "^$regex"; 642 return ($self->url =~ $regex) ? 1 : 0; 643} 644 645sub set_dated_content_disp { 646 my ($self, $type, $prefix, $ext) = @_; 647 648 my @time = localtime(time()); 649 my $date = sprintf "%04d-%02d-%02d", 1900+$time[5], $time[4]+1, $time[3]; 650 my $filename = "$prefix-$date.$ext"; 651 652 $filename =~ s/\s/_/g; # Remove whitespace to avoid HTTP header tampering 653 $filename =~ s/\\/_/g; # Remove backslashes as well 654 $filename =~ s/"/\\"/g; # escape quotes 655 656 my $disposition = "$type; filename=\"$filename\""; 657 658 $self->{'_content_disp'} = $disposition; 659} 660 661########################## 662# Vars TIEHASH Interface # 663########################## 664 665# Fix the TIEHASH interface (scalar $cgi->Vars) to return and accept 666# arrayrefs. 667sub STORE { 668 my $self = shift; 669 my ($param, $value) = @_; 670 if (defined $value and ref $value eq 'ARRAY') { 671 return $self->param(-name => $param, -value => $value); 672 } 673 return $self->SUPER::STORE(@_); 674} 675 676sub FETCH { 677 my ($self, $param) = @_; 678 return $self if $param eq 'CGI'; # CGI.pm did this, so we do too. 679 my @result = $self->param($param); 680 return undef if !scalar(@result); 681 return $result[0] if scalar(@result) == 1; 682 return \@result; 683} 684 685# For the Vars TIEHASH interface: the normal CGI.pm DELETE doesn't return 686# the value deleted, but Perl's "delete" expects that value. 687sub DELETE { 688 my ($self, $param) = @_; 689 my $value = $self->FETCH($param); 690 $self->delete($param); 691 return $value; 692} 693 6941; 695 696__END__ 697 698=head1 NAME 699 700Bugzilla::CGI - CGI handling for Bugzilla 701 702=head1 SYNOPSIS 703 704 use Bugzilla::CGI; 705 706 my $cgi = new Bugzilla::CGI(); 707 708=head1 DESCRIPTION 709 710This package inherits from the standard CGI module, to provide additional 711Bugzilla-specific functionality. In general, see L<the CGI.pm docs|CGI> for 712documention. 713 714=head1 CHANGES FROM L<CGI.PM|CGI> 715 716Bugzilla::CGI has some differences from L<CGI.pm|CGI>. 717 718=over 4 719 720=item C<cgi_error> is automatically checked 721 722After creating the CGI object, C<Bugzilla::CGI> automatically checks 723I<cgi_error>, and throws a CodeError if a problem is detected. 724 725=back 726 727=head1 ADDITIONAL FUNCTIONS 728 729I<Bugzilla::CGI> also includes additional functions. 730 731=over 4 732 733=item C<canonicalise_query(@exclude)> 734 735This returns a sorted string of the parameters whose values are non-empty, 736suitable for use in a url. 737 738Values in C<@exclude> are not included in the result. 739 740=item C<send_cookie> 741 742This routine is identical to the cookie generation part of CGI.pm's C<cookie> 743routine, except that it knows about Bugzilla's cookie_path and cookie_domain 744parameters and takes them into account if necessary. 745This should be used by all Bugzilla code (instead of C<cookie> or the C<-cookie> 746argument to C<header>), so that under mod_perl the headers can be sent 747correctly, using C<print> or the mod_perl APIs as appropriate. 748 749To remove (expire) a cookie, use C<remove_cookie>. 750 751=item C<remove_cookie> 752 753This is a wrapper around send_cookie, setting an expiry date in the past, 754effectively removing the cookie. 755 756As its only argument, it takes the name of the cookie to expire. 757 758=item C<redirect_to_https> 759 760This routine redirects the client to the https version of the page that 761they're looking at, using the C<sslbase> parameter for the redirection. 762 763Generally you should use L<Bugzilla::Util/do_ssl_redirect_if_required> 764instead of calling this directly. 765 766=item C<redirect_to_urlbase> 767 768Redirects from the current URL to one prefixed by the urlbase parameter. 769 770=item C<multipart_start> 771 772Starts a new part of the multipart document using the specified MIME type. 773If not specified, text/html is assumed. 774 775=item C<close_standby_message> 776 777Ends a part of the multipart document, and starts another part. 778 779=item C<set_dated_content_disp> 780 781Sets an appropriate date-dependent value for the Content Disposition header 782for a downloadable resource. 783 784=back 785 786=head1 SEE ALSO 787 788L<CGI|CGI>, L<CGI::Cookie|CGI::Cookie> 789 790=head1 B<Methods in need of POD> 791 792=over 793 794=item check_etag 795 796=item clean_search_url 797 798=item url_is_attachment_base 799 800=item should_set 801 802=item redirect_search_url 803 804=item param 805 806=item url_param 807 808=item header 809 810=back 811