httpd-dev mailing list archives

From (Robert S. Thau)
Subject Re: #exec cgi PATH_INFO bugs (repost)
Date Tue, 08 Aug 1995 12:19:07 GMT
   Date: Tue, 8 Aug 95 11:03 BST
   From: (David Robinson)
   Precedence: bulk

   I'm reposting this patch, because I missed a bug.

   In apache 0.8.7 and 0.8.8 (and earlier versions), for a parsed html file
   containing a <!--#exec cmd -->

   PATH_INFO was set, even if NULL.
   PATH_INFO was erroneously shell-escaped. (Fixed with new patch)

Sigh... once again, this is not "erroneous", and "fixing" it would be
both improper and dangerous.  Anyone with a shell script invoked
through <!--#exec cmd-->, who is counting on the escaping to keep it
safe, would not view naked shell metasyntax as a favor.

If you want to "fix" this, the way to do it is to add a new variable,
PATH_INFO_UNESCAPED (which would parallel the way that QUERY_STRING
is dealt with by <!--#exec cmd=""-->).  With regard to this patch, I
have to give it a -1.

   Fix: copy the code for setting PATH_INFO and PATH_TRANSLATED from
   mod_cgi.c to mod_include.c, replacing the code in include_cmd_child.
   This guarantees that the two methods of invoking CGI scripts are
   (bug for bug) compatible.

<!--#exec cmd=""--> commands are *not* CGI scripts, so there is no
compatibility issue; for instance QUERY_STRING is also handled
differently by the two mechanisms, as mentioned above.
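
An added sketch, not Apache's code and not from either poster, of the arrangement the reply proposes: PATH_INFO stays backslash-escaped for the shell, and the raw value is exposed under the separate name PATH_INFO_UNESCAPED. The function names, the metacharacter set and the sample value are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed metacharacter set for this sketch; each gets a backslash prefix. */
static const char SHELL_META[] = "&;`'\"|*?~<>^()[]{}$\\ #!";

/* Write a shell-escaped copy of src into dst (capacity cap). Control
 * characters, newline included, are dropped rather than escaped.
 * Returns the escaped length, or -1 if dst is too small. */
int shell_escape(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c < 0x20 || c == 0x7f)
            continue;
        if (strchr(SHELL_META, c)) {
            if (n + 1 >= cap) return -1;
            dst[n++] = '\\';
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (char)c;
    }
    if (cap == 0) return -1;
    dst[n] = '\0';
    return (int)n;
}

/* Build the two environment entries for an <!--#exec cmd--> child.
 * No path info (NULL or empty) yields no entries at all.
 * Returns the number of entries written (0 or 2), or -1 on overflow. */
int path_info_env(const char *path_info, char *escaped, char *raw, size_t cap)
{
    static const char k_esc[] = "PATH_INFO=";
    static const char k_raw[] = "PATH_INFO_UNESCAPED=";
    if (path_info == NULL || *path_info == '\0') return 0;
    if (cap < sizeof k_esc) return -1;
    memcpy(escaped, k_esc, sizeof k_esc - 1);
    if (shell_escape(path_info, escaped + sizeof k_esc - 1, cap - (sizeof k_esc - 1)) < 0)
        return -1;
    int w = snprintf(raw, cap, "%s%s", k_raw, path_info);
    return (w < 0 || (size_t)w >= cap) ? -1 : 2;
}

int main(void)
{
    char esc[256], raw[256];
    if (path_info_env("/a b;c", esc, raw, sizeof esc) == 2) /* constructed sample */
        printf("%s\n%s\n", esc, raw);
    return 0;
}
```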

