Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2008/07/24 14:01:49 UTC

mod_cgid doesn't pass null arguments on command line

Background: When a query string doesn't have key/value pairs, the
query string is tokenized on the '+' character and the values are sent
as argv to the CGI script.


It looks like a change to discard null tokens snuck in along with a
suexec patch, r87905 (look for strcmp)

http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/generators/mod_cgid.c?r1=87851&r2=87905

pre-r87905:
foo.cgi?foo++bar results in 3 positional parameters "foo", "", "bar".

post-r87905:
foo.cgi?foo++bar results in 2 positional parameters "foo", "bar".

While it might be disruptive to flip it back, could it be offered as
an option?  AIUI 1.3.x behaves like the pre-r87905.

-- 
Eric Covener
covener@gmail.com

Re: mod_cgid doesn't pass null arguments on command line

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Jul 24, 2008, at 2:18 PM, Eric Covener wrote:
> On Thu, Jul 24, 2008 at 4:06 PM, Ruediger Pluem <rp...@apache.org>  
> wrote:
>> On 07/24/2008 09:32 PM, Eric Covener wrote:
>>> On Thu, Jul 24, 2008 at 3:01 PM, Ruediger Pluem  
>>> <rp...@apache.org> wrote:
>>>>
>>>> +1, but who is behaving correctly currently mod_cgi or mod_cgid?
>>>>
>>>
>>> The BNF from Ken's CGI RFC site seems to support the 1.3/mod_cgi
>>> interpretation (++ results in null strings in argv)
>>>
>>> http://ken.coar.org/cgi/draft-coar-cgi-v11-03.html#5.0
>>>
>>>  search-string = search-word *( "+" search-word )
>>>  search-word   = 1*schar
>>
>> Doesn't this mean search-word must contain at least one schar?
>> So ++ would be invalid.
>
> I misread what the * was attached to  -- I agree with you (favoring  
> mod_cgid)

It makes more sense to think in terms of recreating the URI from
whatever is passed.  The mod_cgid behavior is losing data if you
look at it that way.  I don't know if it matters, but I would prefer
the old mod_cgi behavior be retained.

....Roy
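
The two tokenizing behaviours compared in this thread, and the URI-reconstruction test suggested in the message above, as an added example (not code from mod_cgi, mod_cgid, or any poster). The names `split_words` and `round_trips` and the fixed buffer sizes are assumptions of this sketch, which skips the URL-decoding a real server performs on each word.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16
#define MAX_LEN  64

/* Split a query string on '+'. keep_empty=1 keeps null tokens (the
 * pre-r87905 result in the thread); keep_empty=0 discards them (post-r87905).
 * A query containing '=' is key/value form and yields no arguments. */
static int split_words(const char *q, int keep_empty, char args[][MAX_LEN])
{
    int n = 0;

    if (*q == '\0' || strchr(q, '=') != NULL)
        return 0;
    for (;;) {
        const char *end = strchr(q, '+');
        size_t len = end ? (size_t)(end - q) : strlen(q);
        /* Tokens beyond the fixed limits of this sketch are skipped. */
        if ((len > 0 || keep_empty) && n < MAX_ARGS && len < MAX_LEN) {
            memcpy(args[n], q, len);
            args[n++][len] = '\0';
        }
        if (end == NULL)
            return n;
        q = end + 1;
    }
}

/* Returns 1 if joining the tokens with '+' reproduces the original query. */
static int round_trips(const char *q, int keep_empty)
{
    char args[MAX_ARGS][MAX_LEN], buf[MAX_ARGS * MAX_LEN] = "";
    int i, n = split_words(q, keep_empty, args);

    for (i = 0; i < n; i++) {
        if (i > 0)
            strcat(buf, "+");
        strcat(buf, args[i]);
    }
    return n > 0 && strcmp(buf, q) == 0;
}

int main(void)
{
    char args[MAX_ARGS][MAX_LEN];
    const char *q = "foo++bar";   /* sample query from the thread */
    printf("keep: argc=%d round-trip=%d\n", split_words(q, 1, args), round_trips(q, 1));
    printf("drop: argc=%d round-trip=%d\n", split_words(q, 0, args), round_trips(q, 0));
    return 0;
}
```

A script that relies on argument position sees a different argv[2] under each mode, which is why the thread treats the cgi/cgid discrepancy as the main user impact.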


Re: mod_cgid doesn't pass null arguments on command line

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jul 24, 2008 at 4:06 PM, Ruediger Pluem <rp...@apache.org> wrote:
>
>
> On 07/24/2008 09:32 PM, Eric Covener wrote:
>>
>> On Thu, Jul 24, 2008 at 3:01 PM, Ruediger Pluem <rp...@apache.org> wrote:
>>>
>>> +1, but who is behaving correctly currently mod_cgi or mod_cgid?
>>>
>>
>> The BNF from Ken's CGI RFC site seems to support the 1.3/mod_cgi
>> interpretation (++ results in null strings in argv)
>>
>> http://ken.coar.org/cgi/draft-coar-cgi-v11-03.html#5.0
>>
>>  search-string = search-word *( "+" search-word )
>>  search-word   = 1*schar
>
> Doesn't this mean search-word must contain at least one schar?
> So ++ would be invalid.

I misread what the * was attached to  -- I agree with you (favoring mod_cgid)


-- 
Eric Covener
covener@gmail.com

Re: mod_cgid doesn't pass null arguments on command line

Posted by Ruediger Pluem <rp...@apache.org>.

On 07/24/2008 09:32 PM, Eric Covener wrote:
> On Thu, Jul 24, 2008 at 3:01 PM, Ruediger Pluem <rp...@apache.org> wrote:
>> +1, but who is behaving correctly currently mod_cgi or mod_cgid?
>>
> 
> The BNF from Ken's CGI RFC site seems to support the 1.3/mod_cgi
> interpretation (++ results in null strings in argv)
> 
> http://ken.coar.org/cgi/draft-coar-cgi-v11-03.html#5.0
> 
>  search-string = search-word *( "+" search-word )
>  search-word   = 1*schar

Doesn't this mean search-word must contain at least one schar?
So ++ would be invalid.

Regards

Rüdiger



Re: mod_cgid doesn't pass null arguments on command line

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jul 24, 2008 at 3:01 PM, Ruediger Pluem <rp...@apache.org> wrote:
> +1, but who is behaving correctly currently mod_cgi or mod_cgid?
>

The BNF from Ken's CGI RFC site seems to support the 1.3/mod_cgi
interpretation (++ results in null strings in argv)

http://ken.coar.org/cgi/draft-coar-cgi-v11-03.html#5.0

 search-string = search-word *( "+" search-word )
 search-word   = 1*schar
  ...


-- 
Eric Covener
covener@gmail.com

Re: mod_cgid doesn't pass null arguments on command line

Posted by Ruediger Pluem <rp...@apache.org>.

On 07/24/2008 07:09 PM, Paul Querna wrote:
> Plüm, Rüdiger, VF-Group wrote:
>>  
>>
>>> -----Original Message-----
>>> From: Jeff Trawick
>>> Sent: Thursday, 24 July 2008 15:36
>>> To: dev@httpd.apache.org
>>> Subject: Re: mod_cgid doesn't pass null arguments on command line
>>>

>>>
>>> mod_cgi works fine though (tiny caveat: I tried this with cgi vs. 
>>> cgid on a 2061 tree I had handy).  The discrepancy between arg 
>>> handling in cgi/cgid is the major concern as far as user impact.
>>
>> I don't get why there is a difference between mod_cgi and mod_cgid
>> how they handle NULL arguments. Is there any specific reason why mod_cgid
>> skips them?
>> Whatever is the correct thing (skipping or not): Let's make mod_cgi / mod_cgid
>> behave in the same way.
> 
> +1, they should have identical behaviors, and I would prefer to fix that 
> in 2.2x, not just add another env var.

+1, but who is behaving correctly currently mod_cgi or mod_cgid?

Regards

Rüdiger

Re: mod_cgid doesn't pass null arguments on command line

Posted by Paul Querna <ch...@force-elite.com>.
Plüm, Rüdiger, VF-Group wrote:
>  
> 
>> -----Original Message-----
>> From: Jeff Trawick
>> Sent: Thursday, 24 July 2008 15:36
>> To: dev@httpd.apache.org
>> Subject: Re: mod_cgid doesn't pass null arguments on command line
>>
>> On Thu, Jul 24, 2008 at 8:01 AM, Eric Covener <co...@gmail.com> wrote:
>>
>> 	Background: When a query string doesn't have key/value pairs, the
>> 	query string is tokenized on the '+' character and the values are sent
>> 	as argv to the CGI script.
>>
>> 	It looks like a change to discard null tokens snuck in along with a
>> 	suexec patch, r87905 (look for strcmp)
>>
>> mod_cgi works fine though (tiny caveat: I tried this with cgi vs. cgid on a
>> 2061 tree I had handy).  The discrepancy between arg handling in cgi/cgid is
>> the major concern as far as user impact.
> 
> I don't get why there is a difference between mod_cgi and mod_cgid
> how they handle NULL arguments. Is there any specific reason why mod_cgid
> skips them?
> Whatever is the correct thing (skipping or not): Let's make mod_cgi / mod_cgid
> behave in the same way.

+1, they should have identical behaviors, and I would prefer to fix that 
in 2.2x, not just add another env var.

-Paul


Re: mod_cgid doesn't pass null arguments on command line

Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
 

> -----Original Message-----
> From: Jeff Trawick
> Sent: Thursday, 24 July 2008 15:36
> To: dev@httpd.apache.org
> Subject: Re: mod_cgid doesn't pass null arguments on command line
> 
> On Thu, Jul 24, 2008 at 8:01 AM, Eric Covener <co...@gmail.com> wrote:
>
> 	Background: When a query string doesn't have key/value pairs, the
> 	query string is tokenized on the '+' character and the values are sent
> 	as argv to the CGI script.
>
> 	It looks like a change to discard null tokens snuck in along with a
> 	suexec patch, r87905 (look for strcmp)
>
> mod_cgi works fine though (tiny caveat: I tried this with cgi vs. cgid on a
> 2061 tree I had handy).  The discrepancy between arg handling in cgi/cgid is
> the major concern as far as user impact.

I don't get why there is a difference between mod_cgi and mod_cgid
how they handle NULL arguments. Is there any specific reason why mod_cgid
skips them?
Whatever is the correct thing (skipping or not): Let's make mod_cgi / mod_cgid
behave in the same way.

Regards

Rüdiger


Re: mod_cgid doesn't pass null arguments on command line

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jul 24, 2008 at 9:36 AM, Jeff Trawick <tr...@gmail.com> wrote:
> Fix in trunk for sure.
> For the life of 2.2.x, I suspect that the same fix will leave more users
> helped than hurt, with both numbers small.  (If paralyzed by fear of
> regression, respect build flag such as -DCGID_BROKEN_NULLARG_PARSING.)

Anyone concerned enough about 2.2.x to have some runtime setting
stashed away in the struct passed from httpd to cgid?

-- 
Eric Covener
covener@gmail.com

Re: mod_cgid doesn't pass null arguments on command line

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Jul 24, 2008 at 8:01 AM, Eric Covener <co...@gmail.com> wrote:

> Background: When a query string doesn't have key/value pairs, the
> query string is tokenized on the '+' character and the values are sent
> as argv to the CGI script.
>
>
> It looks like a change to discard null tokens snuck in along with a
> suexec patch, r87905 (look for strcmp)


mod_cgi works fine though (tiny caveat: I tried this with cgi vs. cgid on a
2061 tree I had handy).  The discrepancy between arg handling in cgi/cgid is
the major concern as far as user impact.

Fix in trunk for sure.
For the life of 2.2.x, I suspect that the same fix will leave more users
helped than hurt, with both numbers small.  (If paralyzed by fear of
regression, respect build flag such as -DCGID_BROKEN_NULLARG_PARSING.)

All imHo of course...

Re: mod_cgid doesn't pass null arguments on command line

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Jul 24, 2008 at 8:01 AM, Eric Covener <co...@gmail.com> wrote:

> Background: When a query string doesn't have key/value pairs, the
> query string is tokenized on the '+' character and the values are sent
> as argv to the CGI script.


I just stumbled onto this old PR:

https://issues.apache.org/bugzilla/show_bug.cgi?id=31679