You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Volker Lüdeling <ma...@vluedeling.de> on 2002/11/14 22:51:39 UTC

[users@httpd] Strange character escaping in query string parameter

Hi there,

I have a problem with CGI parameters in Apache 2.0.43.

Our company is running a CGI-based shop server, which we recently upgraded
from version 1.3.x to 2.0.43. After the upgrade, some scripts no longer
work.

The shop scripts are placed in ScriptAliased directories. When one of the
scripts is called, Apache passes the query string in two ways. First, the
query is stored in the environment variable QUERY_STRING. Second, it is
passed as a command line parameter to the script. Here's where the strange
thing happens.

Look at the following simple Perl script:

<-- begin script -->

#!/usr/bin/perl
print "Content-Type: text/plain\n\n";
print "Query-String: $ENV{QUERY_STRING}\n";
print "Query-Param : $ARGV[0]\n";

<-- end script -->

Calling that script by
"/cgi-bin/script?HTML=basket/vs_framebasket.htm&ID=huToQNKozM5CoF0i.0.103730
3713" returns:

<-- begin output -->

Query-String:
HTML=basket/vs_framebasket.htm&ID=huToQNKozM5CoF0i.0.1037303713
Query-Param :
HTML=basket/vs_framebasket.htm\&ID=huToQNKozM5CoF0i.0.1037303713

<-- end output -->

In Query-Param, the Ampersand character was replaced by "\&", while
Query-String remains unchanged. I verified that behaviour on two independent
systems, so I'm sure that Apache is responsible.

Does anyone know if this is intended behaviour, or if there is a way to
disable this "feature"?

Changing the shop scripts is not an option, since they are binaries and we
don't have access to the source code.


Thanks,

Volker


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Strange character escaping in query string parameter

Posted by Joshua Slive <jo...@slive.ca>.

On Thu, 14 Nov 2002, Volker Lüdeling wrote:
> <-- begin output -->
>
> Query-String:
> HTML=basket/vs_framebasket.htm&ID=huToQNKozM5CoF0i.0.1037303713
> Query-Param :
> HTML=basket/vs_framebasket.htm\&ID=huToQNKozM5CoF0i.0.1037303713
>
> <-- end output -->
>
> In Query-Param, the Ampersand character was replaced by "\&", while
> Query-String remains unchanged. I verified that behaviour on two independent
> systems, so I'm sure that Apache is responsible.
>
> Does anyone know if this is intended behaviour, or if there is a way to
> disable this "feature"?
>
> Changing the shop scripts is not an option, since they are binaries and we
> don't have access to the source code.

I seem to remember some change made to the apache source code
in relation to this.  Something about this vulnerability I think:
http://httpd.apache.org/info/security_bulletin_20020809a.txt
but I can't track down the exact change.

In general, using the argv is not a good idea, but that doesn't help you
with your problem.

Sorry I don't remember any more details.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org