Posted to dev@httpd.apache.org by "Jason A. Dour" <ja...@bcc.louisville.edu> on 1996/06/10 17:47:22 UTC

Mmmm, Donuts...no PATH_INFO or QUERY_STRING

I hate to be a nuisance...but...  (Actually, I love being one, but I
thought I should say that anyway.)

I have a CGI developer in our IT department calling me about the
following:  PATH_INFO and QUERY_STRING for CGI programs included as exec's
through mod_include.c.  This relates to this bit of code:

====snip!====
int include_cgi(char *s, request_rec *r)
{
    request_rec *rr = sub_req_lookup_uri (s, r);
    
    if (rr->status != 200) return -1;
    
    /* No hardwired path info or query allowed */
    
    if ((rr->path_info && rr->path_info[0]) || rr->args) return -1;
    if (rr->finfo.st_mode == 0) return -1;
. . .
}
====snip!====

I was wondering why path information and the query string were disabled. 
I assume for security purposes?  If so, could someone tell me how this can
be subverted, or other information that might help me patch it so that it
can safely pass PATH_INFO and QUERY_STRING?  I realize this might be a low
priority...but at UofL, we have several CGI programs that rely on this
information...and we want them to be callable from SSI. 

Any information would be appreciated.  Thanks.

Jason
+ Jason A. Dour                       jad@bcc.louisville.edu               +
| Programmer Analyst II               http://www.louisville.edu/~jadour01/ |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +
