httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <ako...@organic.com>
Subject Re: Bug?
Date Mon, 29 Jul 1996 00:02:21 GMT
On Sun, 28 Jul 1996, Ben Laurie wrote:

> Because its easier. argv[1] is shorter than getenv("QUERY_STRING") and a pile
> of stuff to parse it. It also means that I can test the CGIs more easily. OK,
> so I'm being lazy, but isn't that what software is for?

So write more software. Don't break existing software.

> And since I do use them, it ain't true that noone uses them anymore ;-)

You're probably right. In fact, I know you're right. That's exactly why
the behavior *has* to stay the way it is. Because it's defined that way.
If you take a look at the original CGI spec, on either NCSA or CERN's
sites (probably David Robinson's internet draft, too), you'll see that
argv is defined as being shell-escaped arguments.

People are no doubt passing these arguments directly to the shell. The
cgi-bin and cgi-src programs that NCSA and Apache including with their
distributions for years did exactly that. Rememeber all those CERT
advisories? Those came about exactly because we didn't escape *enough*
characters. If we remove the escaping, then suddenly a lot of CGI scripts
become targets for attack. Oops.

I will veto any change that makes Apache incompatible with the CGI/1.1
spec.

-- Alexei Kosut <akosut@organic.com>            The Apache HTTP Server 
   http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/


Mime
View raw message