Bug 68125
| Summary: | PATH_INFO corruption | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | ellson |
| Component: | httpd | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED UPSTREAM | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2003-06-19 08:06:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, use of PATH_INFO must be explicitly configured now in 2.0 (I recommend reading the migration guide at /usr/share/doc/httpd-2.0.36/migration.html). Please excuse and ignore previous comment: I reproduced this problem after adding the comment, and am investigating further, I only meant to change the component. Related to this bug, the contents of PATH_TRANSLATED and SCRIPT_NAME are also
totally broken.
Using /cgi-bin/cgienv containing:
#!/usr/bin/tclsh
puts "Content-type: text/plain\n"
foreach var [lsort [array names env]] {puts "$var = $env($var)"}
Testing with:
http://localhost/cgi-bin/cgienv/http://test.com/
Results in:
PATH_INFO = /http:/test.com/
PATH_TRANSLATED = /var/www/html/http:/test.com/
SCRIPT_NAME = /cgi-bin/cgienv/http:
Other than the fact that "//" has been normalised into "/", the PATH_TRANSLATED and PATH_INFO appear correct. The PATH_INFO is defined for passing a URI path segment, whereas you are trying to use a complete absoluteURI: if you want to the value to be passed through intact, maybe the only correct way to do it is to use a query string. The old behaviour would appear to be incorrect according to the CGI specification http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html, where the grammar for PATH_INFO does not allow a double-slash. A URI path containing %2F is explicitly rejected with a 404 by Apache for security reasons (%2F is allowed in a query string, however); this behaviour has been present since Apache 1.2. The SCRIPT_NAME problem appears to be a valid bug though. The Apache bug tracking the SCRIPT_NAME issue is here: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10775 The old PATH_INFO behaviour is not incorrect according to http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html The PATH_INFO syntax spec is: PATH_INFO = "" | ( "/" path ) path = segment *( "/" segment ) segment = *pchar pchar = <any CHAR except "/"> Note that segment can be a null string because *pchar specifies zero or more characters: *rule A rule preceded by an asterisk ("*") may have zero or more occurrences. A rule preceded by an integer followed by an asterisk must occur at least the specified number of times. Upstream are tracking the double-slashes vs PATH_INFO issue at: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20047 |
Description of Problem: Unable to pass through PATH_INFO that look like URLs. This may be a new security feature? If so, is there a way to disable? Version-Release number of selected component (if applicable): httpd-2.0.36-6 How Reproducible: 100% Steps to Reproduce: 1. Install test script "pathinfo" in /var/www/cgi-bin/ and make executable #!/usr/bin/tclsh puts "Content-type: text/plain\n" if {[info exists env(PATH_INFO)]} {puts PATH_INFO=$env(PATH_INFO)} 2. Try: http://localhost/cgi-bin/pathinfo/http://localhost/ 3. Try: http://localhost/cgi-bin/pathinfo/http%3A%2F%2Flocalhost/ Actual Results: 2. pathinfo prints: /http:/localhost/ i.e. one "/" is missing 3. doesn't even get to pathinfo. Server returns Object Not Found. Expected Results: PATH_INFO should contain exact string passed to server. Additional Information: