Fossil

Check-in [5bb921dd]

Overview
Comment: The REQUEST_URI CGI parameter should not include the QUERY_STRING.
SHA3-256: 5bb921dd0893a5486ff8c5de74cb986a3b168a44e170d4c53ddc11bbf0d75f35
User & Date: drh 2022-02-11 21:25:21
References
2022-02-13
19:16
Back out check-in [5bb921dd0893a548] which was wrong - the REQUEST_URI CGI parameter should include the query string. Improve the CGI variable documentation in comments. Improve robustness to malformed CGI variables. ... (check-in: e514eeea user: drh tags: trunk)
01:35
Cherry-pick from branch 'cgi-compliance' (and thus back out [5bb921dd0893a548]). Adapt the computation of g.zUrlSuffix in set_base_url() accordingly. ... (check-in: 5c649c7e user: george tags: base-href-fix)
00:26
Back out [5bb921dd0893a548]. It turns out that REQUEST_URI should have the query string appended. Make other changes to cgi.c to bring it into "compliance". "Compliance" is in quotes because rfc3875 does not define REQUEST_URI. That variable is really just by convention. But Apache and Nginx both append the query string, so we should too. ... (check-in: fd1c9b09 user: drh tags: cgi-compliance)
Context
2022-02-12
00:38
Robot defense uses a mousedown event rather than mouse motion as one of the signals that the request is from a human. This should make robot defense work better for users on mobile. ... (check-in: 8d4e1143 user: drh tags: trunk)
2022-02-11
21:25
The REQUEST_URI CGI parameter should not include the QUERY_STRING. ... (check-in: 5bb921dd user: drh tags: trunk)
16:00
Improvements to the /admin_sql page. ... (check-in: 6325f81d user: drh tags: trunk)
Changes

Changes to src/cgi.c.

1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874

1875
1876
1877
1878
1879
1880
1881
  }
  cgi_setenv("GATEWAY_INTERFACE","CGI/1.0");
  cgi_setenv("REQUEST_METHOD",zToken);
  zToken = extract_token(z, &z);
  if( zToken==0 ){
    malformed_request("malformed URL in HTTP header");
  }
  cgi_setenv("REQUEST_URI", zToken);
  cgi_setenv("SCRIPT_NAME", "");
  for(i=0; zToken[i] && zToken[i]!='?'; i++){}
  if( zToken[i] ) zToken[i++] = 0;

  cgi_setenv("PATH_INFO", zToken);
  cgi_setenv("QUERY_STRING", &zToken[i]);
  if( zIpAddr==0 ){
    zIpAddr = cgi_remote_ip(fileno(g.httpIn));
  }
  if( zIpAddr ){
    cgi_setenv("REMOTE_ADDR", zIpAddr);







<



>







1864
1865
1866
1867
1868
1869
1870

1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
  }
  cgi_setenv("GATEWAY_INTERFACE","CGI/1.0");
  cgi_setenv("REQUEST_METHOD",zToken);
  zToken = extract_token(z, &z);
  if( zToken==0 ){
    malformed_request("malformed URL in HTTP header");
  }

  cgi_setenv("SCRIPT_NAME", "");
  for(i=0; zToken[i] && zToken[i]!='?'; i++){}
  if( zToken[i] ) zToken[i++] = 0;
  cgi_setenv("REQUEST_URI", zToken);
  cgi_setenv("PATH_INFO", zToken);
  cgi_setenv("QUERY_STRING", &zToken[i]);
  if( zIpAddr==0 ){
    zIpAddr = cgi_remote_ip(fileno(g.httpIn));
  }
  if( zIpAddr ){
    cgi_setenv("REMOTE_ADDR", zIpAddr);
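
Review bot: moving `cgi_setenv("REQUEST_URI", zToken);` below `if( zToken[i] ) zToken[i++] = 0;` hands it a string already cut at the first '?', so in this path REQUEST_URI and PATH_INFO are set from the same `zToken` and are always identical, and the query string survives only in QUERY_STRING. Anything that rebuilds the requested URL from REQUEST_URI would then silently lose the query. The follow-up check-ins listed under References (e514eeea, fd1c9b09) back this change out, noting that rfc3875 does not define REQUEST_URI and that Apache and Nginx both append the query string. I would keep the call ahead of the '?' scan and add a comment there stating that the value intentionally includes the query string, so the ordering is not changed again. Separately, the truncation is done in place on `zToken`, so the ordering only has an effect if cgi_setenv() copies its value rather than keeping the pointer; that is not visible in this hunk and is worth confirming.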