Fossil

Check-in [b8973500]
Login

Check-in [b8973500]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Improved robustness in CGI variable parsing.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | cgi-compliance
Files: files | file ages | folders
SHA3-256: b8973500074aafd8b21cc13e2937f09a900c8882548ea63a7dea3f3045834093
User & Date: drh 2022-02-13 19:14:38
Context
2022-02-13
19:16
Back out check-in [5bb921dd0893a548] which was wrong - the REQUEST_URI CGI parameter should include the query string. Improve the CGI variable documentation in comments. Improve robustness to malformed CGI variables. ... (check-in: e514eeea user: drh tags: trunk)
19:14
Improved robustness in CGI variable parsing. ... (Closed-Leaf check-in: b8973500 user: drh tags: cgi-compliance)
00:26
Back out [5bb921dd0893a548]. It turns out that REQUEST_URI should have the query string appended. Make other changes to cgi.c to bring it into "compliance". "Compliance" is in quotes because rfc3875 does not define REQUEST_URI. That variable is really just by conveniention. But Apache and Nginx both append the query string, so we should too. ... (check-in: fd1c9b09 user: drh tags: cgi-compliance)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/cgi.c. 

1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208


1209
1210
1211
1212
1213
1214
1215

** of REQUEST_URI.
**
** SCGI typically omits PATH_INFO.  CGI sometimes omits REQUEST_URI and
** PATH_INFO when it is empty.
**
** CGI Parameter quick reference:
**
**                                      REQUEST_URI
**                               _____________|________________
**                              /                              \
**    https://www.fossil-scm.org/forum/info/12736b30c072551a?t=c
**            \________________/\____/\____________________/ \_/
**                    |            |             |            |
**               HTTP_HOST         |        PATH_INFO     QUERY_STRING
**                            SCRIPT_NAME


*/
void cgi_init(void){
  char *z;
  const char *zType;
  char *zSemi;
  int len;
  const char *zRequestUri = cgi_parameter("REQUEST_URI",0);








|
|
|
|
|
|
|
|
>
>








1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217

** of REQUEST_URI.
**
** SCGI typically omits PATH_INFO.  CGI sometimes omits REQUEST_URI and
** PATH_INFO when it is empty.
**
** CGI Parameter quick reference:
**
**                                   REQUEST_URI
**                           _____________|________________
**                          /                              \
**    https://fossil-scm.org/forum/info/12736b30c072551a?t=c
**    \___/   \____________/\____/\____________________/ \_/
**      |           |          |             |            |
**      |       HTTP_HOST      |        PATH_INFO     QUERY_STRING
**      |                      |
**    REQUEST_SCHEMA         SCRIPT_NAME
**               
*/
void cgi_init(void){
  char *z;
  const char *zType;
  char *zSemi;
  int len;
  const char *zRequestUri = cgi_parameter("REQUEST_URI",0);

1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252

#endif
  g.isHTTP = 1;
  cgi_destination(CGI_BODY);

  /* We must have SCRIPT_NAME. If the web server did not supply it, try
  ** to compute it from REQUEST_URI and PATH_INFO. */
  if( zScriptName==0 ){
    size_t nRU, nPI;
    if( zRequestUri==0 || zPathInfo==0 ){
      malformed_request("missing SCRIPT_NAME");  /* Does not return */
    }
    z = strchr(zRequestUri,'?');
    if( z ){
      nRU = (int)(z - zRequestUri);
    }else{
      nRU = strlen(zRequestUri);
    }
    nPI = strlen(zPathInfo);
    if( nRU<nPI ){
      malformed_request("PATH_INFO is longer than REQUEST_URI");
    }
    zScriptName = fossil_strndup(zRequestUri,(int)(nRU-nPI));
    cgi_set_parameter("SCRIPT_NAME", zScriptName);
  }

#ifdef _WIN32
  /* The Microsoft IIS web server does not define REQUEST_URI, instead it uses
  ** PATH_INFO for virtually the same purpose.  Define REQUEST_URI the same as
  ** PATH_INFO and redefine PATH_INFO with SCRIPT_NAME removed from the 








<



|
|
<
<
<
<
<
<
|

|








1226
1227
1228
1229
1230
1231
1232

1233
1234
1235
1236
1237






1238
1239
1240
1241
1242
1243
1244
1245
1246
1247

#endif
  g.isHTTP = 1;
  cgi_destination(CGI_BODY);

  /* We must have SCRIPT_NAME. If the web server did not supply it, try
  ** to compute it from REQUEST_URI and PATH_INFO. */
  if( zScriptName==0 ){

    if( zRequestUri==0 || zPathInfo==0 ){
      malformed_request("missing SCRIPT_NAME");  /* Does not return */
    }
    z = strstr(zRequestUri,zPathInfo);
    if( z==0 ){






      malformed_request("PATH_INFO not found in REQUEST_URI");
    }
    zScriptName = fossil_strndup(zRequestUri,(int)(z-zRequestUri));
    cgi_set_parameter("SCRIPT_NAME", zScriptName);
  }

#ifdef _WIN32
  /* The Microsoft IIS web server does not define REQUEST_URI, instead it uses
  ** PATH_INFO for virtually the same purpose.  Define REQUEST_URI the same as
  ** PATH_INFO and redefine PATH_INFO with SCRIPT_NAME removed from the