Message-Id: <20001122210717.70051.qmail@locus.apache.org>
Date: 22 Nov 2000 21:07:17 -0000
From: Jim Patterson
Reply-To: Jim.Patterson@Cognos.COM
To: submit@bugz.apache.org
X-Send-Pr-Version: 3.110
Subject: os-windows/6880: CGI applications always fail

>Number: 6880
>Category: os-windows
>Synopsis: CGI applications always fail
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Nov 22 13:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Jim.Patterson@Cognos.COM
>Release: 2.0a8
>Organization:
apache
>Environment:
Windows 2000 SP1
Visual C++ 5.0 SP3
>Description:
Any CGI executable that I run via a common cgi-bin URL will fail for
Apache running on the Windows platform. It appears that Apache is
putting quotes around the unqualified part of the filename. If a shell
were being run, that might work. However, actual programs are run under
Win32 with CreateProcess which expects a valid filename. Embedded quotes
are taken as part of the filename, not as "meta-characters" to be
stripped off.
>How-To-Repeat:
This needs to be attempted on the Win32 platform.
Create an executable CGI application and put it in the configured
cgi-bin directory e.g. C:/Apache/cgi-bin. I'm using one called
"printenv.cgi".

Invoke it with a URL like:

    http://localhost/cgi-bin/printenv.cgi

You will get an error in the browser, and the error log will contain a
message such as the following:

[Wed Nov 22 15:04:44 2000] [error] [client 0.0.0.0] (22123)The filename, directory name, or volume label syntax is incorrect. : couldn't create child process: 22123: e:/apache/cgi-bin/printenv.cgi
[Wed Nov 22 15:04:44 2000] [error] [client 0.0.0.0] couldn't spawn child process: c:/apache/cgi-bin/printenv.cgi
>Fix:
Line 471 of src/modules/standard/mod_cgi.c (specific to WIN32).
Change it to

    quoted_filename = apr_pstrcat(p, "\"", r->filename, "\"", NULL);

It seems to be okay to quote the entire filename, but not just the tail.
I don't know why the filename is being quoted, though.

This fix may affect scripts that need to be passed to an interpreter of
some sort.
>Release-Note:
>Audit-Trail:
>Unformatted:
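
Added example, not part of the original report and not Apache source code: a small C program contrasting the two quoting shapes the report describes, using the path from its error log. The helper names are hypothetical, and quote_tail_only is a constructed reproduction of the described behaviour, not the actual mod_cgi.c code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reproduction of the behaviour the report describes:
 * quotes around only the unqualified (last) part of the path.
 * This is NOT the mod_cgi.c source. Returns 0, or -1 if out is too small. */
static int quote_tail_only(const char *path, char *out, size_t n)
{
    const char *slash = strrchr(path, '/');
    const char *tail = slash ? slash + 1 : path;
    int w = snprintf(out, n, "%.*s\"%s\"", (int)(tail - path), path, tail);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* Shape of the fix proposed in the report: quote the entire filename. */
static int quote_whole(const char *path, char *out, size_t n)
{
    int w = snprintf(out, n, "\"%s\"", path);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* 1 if a '"' remains after removing one pair of quotes that wraps the
 * whole string. '"' is not a legal character in a Win32 file name, so
 * such a string cannot name an existing file. */
static int has_embedded_quote(const char *s)
{
    size_t len = strlen(s);
    if (len >= 2 && s[0] == '"' && s[len - 1] == '"') {
        s++;
        len -= 2;
    }
    return memchr(s, '"', len) != NULL;
}

int main(void)
{
    const char *path = "c:/apache/cgi-bin/printenv.cgi"; /* path from the report */
    char buf[128];

    if (quote_tail_only(path, buf, sizeof buf) == 0)
        printf("%-40s embedded quote: %d\n", buf, has_embedded_quote(buf));
    if (quote_whole(path, buf, sizeof buf) == 0)
        printf("%-40s embedded quote: %d\n", buf, has_embedded_quote(buf));
    return 0;
}
```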