[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#296590: apache2: cgi SCRIPT_PATH broken

package: apache2
severity: important

When a request to a cgi script contains double slashes in the trailing URI
component after the script name, the cgi environment variable is not set
correctly. Tried on a (woody) apache 1.3 installation too, it works fine
This severely affects automated URL creation from within cgi scripts.

Create an executable script in an apache2 cgi-bin directory with this
content, e.g. as 'scriptname':


echo 'Content-Type: text/plain'
echo 'script_name: ' $SCRIPT_NAME
echo 'path_info: ' $PATH_INFO

Browse to the http://servername/cgi-bin/scriptname/abc/def/g URL, output
is as expected:

script_name:  /cgi-bin/scriptname
path_info:  /abc/def/g

Now browse to http://servername/cgi-bin/scriptname/abc/def//g and the
abc/def component is wrongly added to SCRIPT_PATH:

script_name:  /cgi-bin/scriptname/abc/def
path_info:  /abc/def/g

PATH_INFO is right in both cases.



"I feel like Microsoft is mostly unaware that their products are used in
 the real world."
	-- Jason Coombs on Microsoft product security

Reply to: