httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: QUERY_STRING & #exec cmd bugs
Date Mon, 17 Jul 1995 12:20:49 GMT
   Date: Mon, 17 Jul 95 14:59 BST
   From: drtr@ast.cam.ac.uk (David Robinson)
   Precedence: bulk
   Reply-To: new-httpd@hyperreal.com

   1. Shambhala 0.6.1 ignores any QUERY_STRING after a NULL character when
      making the argv vector for a CGI script.
      e.g. script?text%00word

      sets argv to text
      instead it should set it to text\000word

      A patch is supplied.

Hmmm... backslash-octal escaping doesn't work for me in the
shell-escape context ("cat > /tmp/foo\000bar" gives me a file named
/tmp/foo000bar; the backslash simply gets elided).  Are there other
programs which will treat this sort of backslash escape correctly?
(If not it seems silly to try to use it --- anything which really
requires %00 to work correctly, it can always just use QUERY_STRING in
the CGI context, or QUERY_STRING_UNESCAPED for SSI <!--#exec-->s).

Of course, the whole argv business has always been the shakiest part
of the CGI spec --- the conditions for when argv is even supplied are
vague, and the actual code is at variance with the standard.  Still,
if someone else thinks this is a good fix, I have no *fundamental*
objections, and it'll go in...

   2. Shambhala applies different shell-escaping from Apache & NCSA 1.3 for
      <!-- #exec cmd--> commands.

      Both of these behaviours are wrong, in my opinion; if escaped
      strings are to be provided, they should be called PATH_INFO_ESCAPED
      and PATH_TRANSLATED_ESCAPED.

Hmmm...  the only thing now available to SSI execs in both escaped and
unescaped versions is QUERY_STRING --- and the unescaped version of
that is QUERY_STRING_UNESCAPED, not QUERY_STRING.  Changing PATH_INFO
to be unescaped would break anyone who was counting on escaping there
for safety, and would not be symmetric with treatment of QUERY_STRING
either.  On both counts, adding a new PATH_INFO_UNESCAPED variable
seems like a better solution, if you know anyone who actually wants
one.

      At the very least, the documentation is wrong; it does not mention
      that PATH_INFO and PATH_TRANSLATED are escaped strings.

That might be helpful..

rst
