Revision history for Perl extension CGI::Simple.

1.282 2025-08-28 MANWAR
      - Sanitize all user-supplied values before inserting into HTTP headers.
        Thanks Maxim Kosenko for raising the issue with recommended solution.
        Thanks breno for the patch.
        Thanks Stig Palmquist for assiginig it CVE-2025-40927.

1.281 2024-01-31 MANWAR
      - RT-151161 Add CGI::Cookie partitioned support, PR #14, thanks @ldevantier-doseme.

1.280 2022-01-11 MANWAR
      - Changed the version format from N.nn to N.nnn as requested.

1.27  2022-01-06 MANWAR
      - Removed unneeded Build.PL #11, thanks @haarg.
      - Moved prereqs to correct phase #12, thanks @haarg.

1.26  2022-01-02 MANWAR
      - Dropped IO::Scalar prereq as suggested in PR #10, thanks @haarg.

1.25  2020-02-10 MANWAR
      - Merged PR #9, thanks @ktat.

1.24  2020-02-07 MANWAR
      - Addressed issue RT #125383 raised by SREZIC.

1.23  2020-02-06 MANWAR
      - Fixed issue RT #131590, samesite parameter can be "None" as well.

1.22  2019-09-07 MANWAR
      - Fixed issue RT #130454, samesite parameter missing from sub cookie().

1.21  2018-10-06 MANWAR
      - Patched issue RT #67061 (handle warning uninitialsed value).

1.20  2018-10-05 MANWAR
      - Merge pull request #4 from jjatria/302-found, changing the
        name of 302 statuses from Moved to Found.

1.19  2018-10-04 MANWAR
      - Merged pull request #3 from jjatria/max-age, which sets max-age
        attribute correctly from constructor.

1.18  2018-10-03 MANWAR
      - Merged pull request #2 from jjatria/samesite, adding
        SameSite support to Cookie handling.

1.17  2018-10-02 MANWAR
      - Merged pull request #7 from asb-capfan/master, should fix
        CPAN Testers fail report on some windows box.

1.16  2018-07-25 MANWAR
      - Made t/manifest.t AUTHOR only (RT #125383).
      - Removed +x bits from test scripts.

1.15  2018-03-04 MANWAR
      - Resolved issue RT #124646 (use vars → our), thanks @SREZIC.

1.14  2018-03-03 MANWAR
      - Resolved issue RT #124645 (undeclared dependencies), thanks @SREZIC.

1.13  2018-03-01 MANWAR
      - Merged PR #1, thanks @level420.
      - Tidied Changes file.
      - Tidied up Makefile.PL script.

1.12
      - add 'use warnings' to code and tests.
      - use File::Temp to create temporary directory for testing. RT #92833
      - Test of RT #64160 (CVE-2010-4410 -- CRLF injection and response splitting via header()) added.
      - depend on Test::Exception

1.115 2014.10.19
      - Replace indirect calling of constructor both in code an documentation
        with direct calling.
        Write  CGI::Simle->new   instead of    new CGI::Simple
      - add tests to make sure the order of value is kept as they were passed in the QUERY_STRING
      - new co-maintainer (SZABGAB)

1.114
      - Drop support for Perls older than 5.6.1.

1.113 2010-12-27
      - (thanks to Yamada Masahiro) randomise multipart boundary string (security).
      - Numerous changes from Mark Stosberg:
        Port max-age support from CGI.pm, to improve compatibility and

        RFC-compliance
        Correct header comment in cookie.t
        It claims that is a simple copy/paste/modify from CGI.pm's test
        by the same name, but this has not been true for some time--

        CGI::Simple added
        httponly tests that CGI.pm lacks, for example.
        Sync cookie references with CGI.pm: add reference to the newer RFC 2695

        "Interface to browse cookies" looks like it was typo for
        "browser". HTTP is more precise.

        Fix awkward "CGI::Simple.pm" language. It looks like it probably
        originated from the CGI.pm form. "CGI::Simple" is used instead.
        Best Practice: eliminate indirect object notation from new(),
        parse() and fetch() calls

        Security: Fix handling of embedded malicious newlines in header
        values This is a direct port of the same security fix that

        Security: use a random MIME boundary by default in
        multipart_init(). This is a direct port of the same issue
        which was addressed in CGI.pm, preventing some kinds of
        potential header injection attacks.

        Port from CGI.pm: Fix multi-line header parsing.
        This fix is covered by the tests in t/header.t added in
        the previous patch. If you run those tests without this
        patch, you'll see how the headers would be malformed
        without this fix.

        Port CRLF injection prevention from CGI.pm

        Optimize Vars(): Don't build %hash if we aren't going to use it.

        Micro-optimization to Vars(): Don't call "tie" unless we need to.

      - Numerous changes from K. Berov:
        Added "+" to the mime character class.
        Added tests for C<$mime = $q->upload_info( $filename, 'mime' );>
        Fixed wrong match for mimetypes. Example: matched only
        'application/vnd' instead of 'application/vnd.ms-excel'.
        Added "\." to the mime character class

1.112 2009-05-31
      - (thanks bingos) added missing IO::Scalar dependency.

1.111 2009-05-28
      - Implemented Michael Nachbaur fixes for multipart form data handling.

1.110 2009-05-24
      - Added missing test to manifest / distro.
      - Added a test to ensure the manifest is consistent.
      - Migrated to git.

1.109 2009-04-16
      - Added support for HttpOnly to CGI::Simple::Cookie. Thanks to Scott Thomson for the patch.

1.108 2009-03-13
      - Remove bogus references to Selfloader in documenation. No functional changes.

1.107 2009-03-07
      - CGI::Simple::Cookie, fixed bug when cookie had both leading and
        trailing white space (RT#34314, Ron Savage and Mark Stosberg)
      - Accept a comma as well as semi-colon as a cookie separator. This
        is consistent with CGI.pm as well as RFC 2965, which states: "A
        server SHOULD also accept comma (,) as the separator between cookie-
        values for future compatibility." (Mark Stosberg)
      - Support cookies which have an equals sign in the value. Ported
        from CGI.pm (Mark Stosberg)
      - Support cookies in which one of multiple values is empty. Ported
        from CGI.pm (Mark Stosberg)
      - Fixed bug when calling unescapeHTML on HTML that wasn't
        properly escaped in the first place. Thanks to M-Uchino and Mark Stosberg.
      - Removed bogus dependency on version.pm.
      - Add heuristic to upload to handle the case where no boundary is
        specified in CONTENT_TYPE. See #14838.

1.106 2008-09-14
      - Added missing Apache2 modules. Refs #39146 and #38931. Thanks to RSAVAGE.
      - Applied BEROV's patch for UTF-8 form data handling. Refs #12481. Thanks to BEROV.

1.105 2008-05-16
      - Fixed skip count in t/040.request.t. Fixes #35945. Thanks to snaury.

1.104 2008-05-13
      - Switched from sysread to read. Fixes #35844: sysread used in
        CGI::Simple blocks on re-directed STDIO reads. Thanks to Damjan Pelemis.

1.103 2007-07-31
      - Version number chaos continues. One tends to forget that there
        is a strange universe in which 1.1 > 1.1.2.

1.1.2 2007-07-31
      - Fixed module names in POD for CGI::Simple::Cookie,
        CGI::Simple::Util [#27597]. Thanks to BRICAS for reporting it.

1.1.1 2007-07-31
      - Removed nasty global trap of __DIE__ in CGI::Standard. Thanks to Jeremy Morton for reporting it.

1.1   2007-07-13
      - Added support for Set-Cookie as per CGI.pm patch 15065. Thanks to Patrick M. Jordan for the suggestion.

1.0   2007-05-24
      - Another big version jump. I think we're about ready for 1.0.
      - Fixed skip count under Win32 in t/40.request.t [27257]. Thanks to ISHIGAKI for the patch.

0.83  2007-05-22
      - Big version jump to move version past badly formatted version in Cookie, Util.

0.082 2007-05-22
      - Added REST support. Thanks to Mike Barry for the patch.

0.081 2007-05-20
      - Fix for sysread under mod_perl. Thanks to Joshua N Pritikin for the patch.

0.080 2007-03-30
      - Fixed problem parsing query args containing '='. Thanks to Ewan Edwards for the patch.

0.078 2007-01-09
      - Maintenance release by Andy Armstrong <andy@hexten.net>
      - Rewrote tests to use Test::More
      - Implemented mod_perl 2 support

0.077 Tue 23 Nov 2004
      - Bugfix patches.
      - José Micó supplied patch that relates to character set allowed in headers.
        TAB and high ascii chars are definitivelly allowed in headers, and not
        accepting them prevents the upload of files with filenames like "España.txt".
      - José Micó also notes that some versions of IE send extra boundaries in
        POSTed data before real ones. New patch should be fix this IE issue.
      - Lars Thegler supplied some patches.
      - head2/head3 pod changed to head1/head2 for the benefit of some older
        tools that exepect this.
      - Resolved issue with manpages not being installed on FREEBSD via Makefile hack
      - Steve Purkis supplied a patch for a serious POST_MAX bug. A small modification
        to control flow was used instead but this was a serious bug. If you are reading
        this you are probably upgrading which is good.

0.076
       - Went missing in action.

0.075 Tue June 1 2004
      - Meant to upload 0.73 and 0.074 but just never got around to it
      - Fixed upload hang bug in certain circumstances
      - Added upload_fieldnames() method by request
      - Added support for $fh = upload('field_name') but this has the issue
        of what to do if 'field_name' is duplicated. You can only ever get one
        fh from this method unlike the favoured approach using param() to get
        the filename(s) which will let you get to all the files.
      - José Micó deserves plaudits as does PodMaster.

0.072 Tue Sept 9 2003
      - Patched issue with large POSTs where data may not be on STDIN for single
        read call. Bug exists in CGI.pm as well. Thanks to Jason Luther
      - Added tests for slow post behaviour

0.071 Sat Aug 2 2003
      - Oops, changed $VERSION to 0.007 not 0.07 so have to change to 0.071 to upload again. ;-)
      - no significant changes since 0.07 (aka 0.007) ;-)

0.07  Sat Aug 2 2003
      - i admit to abject slackness, but anyway finally allocated a few hours
        to apply a number of bug fixes which are (in no particular order)
      - mod_perl compliant, patched by Mathew Albright
      - still need to comment out use Selfloader and __DATA__ token
      - still thinking about other solutions to this
      - Blessed globs now possible in the constructor thanks to chromatic
      - Unicode error  0xfe |  ($c >> 30) -> 0xfc | ($c >>30 ) fixed thanks to
        Thomas L. Shinnick
      - s/$value ||= 0/$value = defined $value ? $value : ''/ in raw_fetch() method
        in Cookie.pm to allow value 0.
      - Added missing $VERSION to Util.pm
      - Added P3P support as suggested by Marc Bauer (parallels CGI.pm)
      - updated header() and redirect() methods in Simple.pm

0.06  Fri Nov 8 2002
      - finally found someone with a solaris box to work out reason for
        unexpected test failures. Thanks to John D. Robinson and Jeroen Latour
        Details available at: http://www.perlmonks.org/index.pl?node_id=211401
      - Removed another new bug relating to test scripts rather than core code
        thanks to the combined effors of Perlmonks tommyw, grinder, Jaap, vek,
        erasei, jlongino and strider_corinth

0.05  Wed Nov 6 2002
      - nasty upload bug reported (with solution) by Brandon Black fixed. Perl would
        hang if upload terminated by browser before completion
      - also odity with IO::file fixed (Brandon Black once again)

0.04  Sat Apr 12 2002
      - test bug on Solaris reported by robc@stamps.stortek.com and fixed

0.03  Fri Apr 12 2002
      - modifed test so skipping fork() test is noted as such
      - allow '0' as a valid param name
      - renamed concur.t to concur.test so that it does not rub by default
      - added speed tests comparing CGI.pm to CGI::Simple in  the file
        cgi-simple_vs_cgi-pm.html in the root dir

0.02  Fri Dec 21 2001
      - added cgi_error() if upload called but CONTENT_TYPE not multipart/form-data
      - changed inernal storage names of globals by droping $
      - added mod_perl notes re Selfloader and __DATA__ token
      - as per suggestions from Curtis Poe

0.01  Thu Nov  1 12:21:48 2001
      - original version; created by h2xs 1.21 with options -X CGI::Simple