Bug#296590: apache2: cgi SCRIPT_PATH broken
package: apache2
severity: important
When a request to a cgi script contains double slashes in the trailing URI
component after the script name, the cgi environment variable is not set
correctly. Tried on a (woody) apache 1.3 installation too, it works fine
there.
This severely affects automated URL creation from within cgi scripts.
Create an executable script in an apache2 cgi-bin directory with this
content, e.g. as 'scriptname':
------
#!/bin/sh
echo 'Content-Type: text/plain'
echo
echo 'script_name: ' $SCRIPT_NAME
echo 'path_info: ' $PATH_INFO
------
Browse to the http://servername/cgi-bin/scriptname/abc/def/g URL, output
is as expected:
------
script_name: /cgi-bin/scriptname
path_info: /abc/def/g
------
Now browse to http://servername/cgi-bin/scriptname/abc/def//g and the
abc/def component is wrongly added to SCRIPT_PATH:
------
script_name: /cgi-bin/scriptname/abc/def
path_info: /abc/def/g
------
PATH_INFO is right in both cases.
Regards,
Filip
--
"I feel like Microsoft is mostly unaware that their products are used in
the real world."
-- Jason Coombs on Microsoft product security
Reply to: