Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/03/06 18:34:26 UTC

DO NOT REPLY [Bug 50880] New: mod_proxy_scgi does not comply with RFC 3875 (CGI 1.1)

https://issues.apache.org/bugzilla/show_bug.cgi?id=50880

           Summary: mod_proxy_scgi does not comply with RFC 3875 (CGI 1.1)
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Other Modules
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mark@catseye.org


Created an attachment (id=26733)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26733)
Perl script for a test SCGI server that returns the environment passed to it by
mod_proxy_scgi

mod_proxy_scgi in trunk currently sets PATH_INFO, SCRIPT_NAME, and
PATH_TRANSLATED incorrectly per RFC 3875 (CGI 1.1).

This bug report is for completeness and consistency with respect to
the fix for bug 50851.

To reproduce the problem, run the attached 28-line Perl script, which
will create an SCGI server listening on port 4000.  This SCGI server
just returns environment variables passed to it by mod_proxy_scgi.
Then configure mod_proxy_scgi with

ProxyPass /scgi-test/ scgi://127.0.0.1:4000/www/perl-ssl/

This presumes that a directory /www/perl-ssl exists in the filesystem,
under which are Perl scripts executed by the SCGI server.  However,
the SCGI server in the attachment does not actually execute external
scripts and hence the directory /www/perl-ssl does not need to exist.

When the end user requests

https://f14dev1.catseye.org/scgi-test/some-script.pl/extra/stuff?foo=1&bar=2

mod_proxy_scgi passes the following environment variables to the SCGI server:

CONTENT_LENGTH="0"
DOCUMENT_ROOT="/www/html-ssl"
HTTPS="on"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_CHARSET="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
HTTP_ACCEPT_ENCODING="gzip,deflate"
HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.7,ja;q=0.3"
HTTP_CONNECTION="keep-alive"
HTTP_HOST="f14dev1.catseye.org"
HTTP_KEEP_ALIVE="115"
HTTP_USER_AGENT="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
PATH_INFO="/www/perl-ssl/some-script.pl/extra/stuff"
PATH_TRANSLATED="/www/html-ssl/www/perl-ssl/some-script.pl/extra/stuff"
QUERY_STRING="foo=1&bar=2"
REMOTE_ADDR="172.16.168.1"
REMOTE_PORT="49651"
REMOTE_USER="markmont"
REQUEST_METHOD="GET"
REQUEST_SCHEME="https"
REQUEST_URI="/scgi-test/some-script.pl/extra/stuff?foo=1&bar=2"
SCGI="1"
SCRIPT_FILENAME="proxy:scgi://127.0.0.1:4000/www/perl-ssl/some-script.pl/extra/stuff"
SCRIPT_NAME="/scgi-test"
SERVER_ADDR="172.16.168.128"
SERVER_ADMIN="webmaster@catseye.org"
SERVER_NAME="f14dev1.catseye.org"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.3.12-dev (Fedora) Server at <a href=\"mailto:webmaster@catseye.org\">f14dev1.catseye.org</a> Port 443</address>\n"
SERVER_SOFTWARE="Apache/2.3.12-dev (Fedora)"
SSL_TLS_SNI="f14dev1.catseye.org"

This violates the requirement for script-URI in section 3.3 of RFC 3875,
resulting in a script-URI of

https://f14dev1.catseye.org:443/scgi-test/www/perl-ssl/some-script.pl/extra/stuff?foo=1&bar=2

instead of the correct script-URI, which is

https://f14dev1.catseye.org:443/scgi-test/some-script.pl/extra/stuff?foo=1&bar=2

See bug 50851 for additional discussion.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
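
An added example, not part of the original report or the attached Perl script: the Python below rebuilds the script-URI from the meta-variables in the order RFC 3875 section 3.3 gives (scheme, server name, port, SCRIPT_NAME, PATH_INFO, query string) and compares its path with REQUEST_URI, using values copied from the listing above. The function names and the CONSISTENT_ENV split are assumptions made for this example.

```python
from urllib.parse import quote, unquote, urlsplit

# Subset of the environment listed in the report above (values copied from it).
REPORTED_ENV = {
    "REQUEST_SCHEME": "https",
    "SERVER_NAME": "f14dev1.catseye.org",
    "SERVER_PORT": "443",
    "SCRIPT_NAME": "/scgi-test",
    "PATH_INFO": "/www/perl-ssl/some-script.pl/extra/stuff",
    "QUERY_STRING": "foo=1&bar=2",
    "REQUEST_URI": "/scgi-test/some-script.pl/extra/stuff?foo=1&bar=2",
}

# Constructed for comparison: one split that satisfies section 3.3. It is an
# assumption for this example, not output captured from a patched httpd.
CONSISTENT_ENV = dict(
    REPORTED_ENV,
    SCRIPT_NAME="/scgi-test/some-script.pl",
    PATH_INFO="/extra/stuff",
)


def script_uri(env):
    """Rebuild the script-URI from meta-variables as RFC 3875 section 3.3 lays out."""
    scheme = env.get("REQUEST_SCHEME") or ("https" if env.get("HTTPS") == "on" else "http")
    # SCRIPT_NAME and PATH_INFO arrive decoded; the script-URI uses the encoded forms.
    path = quote(env.get("SCRIPT_NAME", "")) + quote(env.get("PATH_INFO", ""))
    uri = f"{scheme}://{env['SERVER_NAME']}:{env['SERVER_PORT']}{path}"
    query = env.get("QUERY_STRING", "")
    return f"{uri}?{query}" if query else uri


def path_mismatch(env):
    """Return (rebuilt_path, requested_path) when they differ, else None."""
    rebuilt = unquote(urlsplit(script_uri(env)).path)
    requested = unquote(urlsplit(env["REQUEST_URI"]).path)
    return None if rebuilt == requested else (rebuilt, requested)


if __name__ == "__main__":
    for name, env in (("reported", REPORTED_ENV), ("consistent", CONSISTENT_ENV)):
        print(name, script_uri(env), path_mismatch(env))
```

An SCGI backend can run the same comparison on each request and log a mismatch before using SCRIPT_NAME or PATH_INFO to build self-referencing URLs.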


DO NOT REPLY [Bug 50880] mod_proxy_scgi does not comply with RFC 3875 (CGI 1.1)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50880

--- Comment #1 from Mark Montague <ma...@catseye.org> 2011-03-06 12:39:20 EST ---
Created an attachment (id=26734)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26734)
Prevent mod_proxy_scgi from setting PATH_INFO unless requested

The attached patch fixes the problem with mod_proxy_scgi in the same way
that r1078089 fixes the same problem for mod_proxy_fcgi.  Thanks to
Jim Jagielski for creating the mod_proxy_fcgi patch.

A new mod_proxy_scgi env-var, proxy-scgi-pathinfo, allows for PATH_INFO
to be exposed. Otherwise, it's not.

See bug 50581 for additional details and discussion.

I have looked for other modules with similar problems and have not found
any.



DO NOT REPLY [Bug 50880] mod_proxy_scgi does not comply with RFC 3875 (CGI 1.1)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50880

Jim Jagielski <ji...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Jim Jagielski <ji...@apache.org> 2011-05-19 16:04:05 UTC ---
r1124979



DO NOT REPLY [Bug 50880] mod_proxy_scgi does not comply with RFC 3875 (CGI 1.1)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50880

Mark Montague <ma...@catseye.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable
                 CC|                            |mark@catseye.org
