Received: by taz.hyperreal.com (8.7.5/V2.0) id JAA10951;
 Fri, 6 Sep 1996 09:28:18 -0700 (PDT)
Received: from bcc.louisville.edu by taz.hyperreal.com (8.7.5/V2.0) with SMTP
 id JAA10946; Fri, 6 Sep 1996 09:28:15 -0700 (PDT)
Received: from curie.bcc.louisville.edu (jad@www.bcc.louisville.edu
 [136.165.140.24]) by bcc.louisville.edu (8.6.12/8.6.9) with SMTP id MAA26804
 for <new-httpd@hyperreal.com>; Fri, 6 Sep 1996 12:27:15 -0400
Date: Fri, 6 Sep 1996 12:27:11 -0400 (EDT)
From: "Jason A. Dour" <jad@bcc.louisville.edu>
To: new-httpd@hyperreal.com
Subject: Re: Change to cgi-bin/printenv 
In-Reply-To: <9609051613.aa15943@paris.ics.uci.edu>
Message-ID: 
 <Pine.LNX.3.93.960906122416.26791A-100000@curie.bcc.louisville.edu>
Comments: Getting paid to be a geek is cool...
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 5 Sep 1996, Roy T. Fielding wrote:
> What are the security implications of revealing the user and group
> ids of the server by way of a semi-standard URL?
> I think adding that would also require adding some sort of authentication,
> in which case it would be better done as a separate script.

If you want a separate script, I've attatched another for consideration.
This one is called Gumshoe...  It's another MotherSoft script for
debugging CGI input from a browser.  Feel free to include it if you wish.

As far as authentication goes, I'm not sure how I feel about that.  Anyone
else want to jump on this one?

Jason
+ Jason A. Dour                       jad@bcc.louisville.edu               +
| Programmer Analyst II               http://www.louisville.edu/~jadour01/ |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +


- -----SNIP!-----
#!/usr/local/bin/perl
#
# GUMSHOE -- version 2.0.0 -- Jason A. Dour -- A MotherSoft Product
#
# Jason A. Dour (jad@bcc.louisville.edu)
# MotherSoft (http://www.louisville.edu/~jadour01/mothersoft/)
#
# Free for distribution, copying, editing, and hacking under the GNU public
# license.  See file 'COPYING' for specific information.  This software
# comes with no guarantees implicit or implied, and the author(s) of this
# software cannot be held responsible for loss, damage, acts of god(s),
# large amounts of small rodentia, deafness, plague, baldness, or
# nose-bleeds occurring as a direct -- or indirect -- result of the use
# of this MotherSoft product.  This software is to be used for MOTHERing,
# weirdness, taking care of animals, peace, love, and spreading genuine 
# feelings of well being.  All other uses are denounced by the author(s).
#
# Love, Peace, Gerbils, & Hair Grease,
# Jason A. Dour
#
#---------------------------------------------------------------------------
#
#   Print MIME type header
#
print "Content-Type: text/html\n\n";
#
print <<PEND;
<HTML>

<HEAD>
<TITLE>GUMSHOE v.1.0</TITLE>
</HEAD>

<BODY BGCOLOR="#FFFFFF"
      TEXT="#000000">

<H1 ALIGN=CENTER>Gumshoe version 1.0.0</H1>

<P ALIGN=CENTER>
<STRONG><BIG>Here's what I've found...</BIG></STRONG>
</P>
PEND
#
#   UID/EUID, GID/EGID values...
#
print <<PEND;
<P ALIGN=LEFT>
<UL>
<LH><STRONG>User/Group Info</STRONG></LH>
PEND
print "<LI><EM>Effective NAME/UID </EM>: ",(getpwuid($<))[0],"/$<</LI>\n";
print "<LI><EM>Actual NAME/UID </EM>: ",(getpwuid($>))[0],"/$></LI>\n";
print "<LI><EM>Effective GROUPS/GIDS </EM>: ";
foreach $group (split(/ /,$()) {
	print "",(getgrgid($group))[0],"/$group ";
}
print "</LI>\n";
print "<LI><EM>Actual GROUPS/GIDS </EM>: ";
foreach $group (split(/ /,$))) {
	print "",(getgrgid($group))[0],"/$group ";
}
print "</LI>\n";
print "</UL>\n";
#
#   Values of environment variables
#
print <<PEND;
<UL>
<LH><STRONG>Environment Variables</STRONG></LH>
PEND
foreach $env_var ( sort keys %ENV ) {
   print("<LI><EM>$env_var</EM> = $ENV{$env_var}</LI>\n");
   };
print "</UL>\n";
#
#     Any data in the Query String?
#
if ( $ENV{'QUERY_STRING'} ) {
   print <<PEND;
<UL>
<LH><STRONG>Query String Elements</STRONG></LH>
PEND
   $buffer = $ENV{'QUERY_STRING'};
   @pairs = split(/&/, $buffer);
   foreach $pair (@pairs) {
      ($name, $value) = split(/=/, $pair);
      $value =~ tr/+/ /;
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
      print("<LI><EM>$name</EM> = $value</LI>\n");
      };
   print "</UL>\n";
   };
#
#     Any data on the standard input stream?
#
if ( $ENV{CONTENT_LENGTH} ne "" ) {
   read(STDIN,$content, $ENV{CONTENT_LENGTH});
   print <<PEND;
<UL>
<LH></STRONG>Standard Input Elements -- Not Translated</STRONG></LH>
<LI>
<BLOCKQUOTE>
$content
</BLOCKQUOTE>
</LI>
</UL>
<UL>
<LH><STRONG>Standard Input Elements -- Translated</STRONG></LH>
PEND
   $buffer = $content;
   @pairs = split(/&/, $buffer);
   foreach $pair (@pairs) {
      ($name, $value) = split(/=/, $pair);
      $value =~ tr/+/ /;
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
      print("<LI><EM>$name</EM> = $value</LI>\n");
      };
   print "</UL>\n";
   };
#
#     Command line arguments?
#
if ( $#ARGV >= 0 ) {
   print <<PEND;
<UL>
<LH><STRONG>Command Line Arguments</STRONG></LH>
PEND
   foreach $i (0 .. $#ARGV) {
      printf("<LI><EM>ARGV[$i]</EM> = %s</LI>\n", $ARGV[$i]);
      };
   };
#
#   We're done.  Sometimes...it's just too easy.
#
print <<PEND;
</BODY>

</HTML>
PEND
exit(0);


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMjBQ4po1JaC71RLxAQFRGQP9EU3chJTbvBPiTwkbFb+jGw0ssB+lLpv0
k6QjMxvC+zDUWKSgzLBFanOzoNEBak+R+/dTvzCyYTz0jvxjB+WB3gTzAbaRfhxp
TuBmppmxPzIqNZLFxfA46bLvhoLeIxoCnBvTagWDUtgUBGVhQIOANFQm2CQ4zGH/
9hQrgIUddmc=
=PGFq
-----END PGP SIGNATURE-----