Description of Problem: Unable to pass through PATH_INFO that look like URLs. This may be a new security feature? If so, is there a way to disable? Version-Release number of selected component (if applicable): httpd-2.0.36-6 How Reproducible: 100% Steps to Reproduce: 1. Install test script "pathinfo" in /var/www/cgi-bin/ and make executable #!/usr/bin/tclsh puts "Content-type: text/plain\n" if {[info exists env(PATH_INFO)]} {puts PATH_INFO=$env(PATH_INFO)} 2. Try: http://localhost/cgi-bin/pathinfo/http://localhost/ 3. Try: http://localhost/cgi-bin/pathinfo/http%3A%2F%2Flocalhost/ Actual Results: 2. pathinfo prints: /http:/localhost/ i.e. one "/" is missing 3. doesn't even get to pathinfo. Server returns Object Not Found. Expected Results: PATH_INFO should contain exact string passed to server. Additional Information:
Hi, use of PATH_INFO must be explicitly configured now in 2.0 (I recommend reading the migration guide at /usr/share/doc/httpd-2.0.36/migration.html).
Please excuse and ignore previous comment: I reproduced this problem after adding the comment, and am investigating further, I only meant to change the component.
Related to this bug, the contents of PATH_TRANSLATED and SCRIPT_NAME are also totally broken. Using /cgi-bin/cgienv containing: #!/usr/bin/tclsh puts "Content-type: text/plain\n" foreach var [lsort [array names env]] {puts "$var = $env($var)"} Testing with: http://localhost/cgi-bin/cgienv/http://test.com/ Results in: PATH_INFO = /http:/test.com/ PATH_TRANSLATED = /var/www/html/http:/test.com/ SCRIPT_NAME = /cgi-bin/cgienv/http:
Other than the fact that "//" has been normalised into "/", the PATH_TRANSLATED and PATH_INFO appear correct. The PATH_INFO is defined for passing a URI path segment, whereas you are trying to use a complete absoluteURI: if you want to the value to be passed through intact, maybe the only correct way to do it is to use a query string. The old behaviour would appear to be incorrect according to the CGI specification http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html, where the grammar for PATH_INFO does not allow a double-slash. A URI path containing %2F is explicitly rejected with a 404 by Apache for security reasons (%2F is allowed in a query string, however); this behaviour has been present since Apache 1.2. The SCRIPT_NAME problem appears to be a valid bug though.
The Apache bug tracking the SCRIPT_NAME issue is here: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10775
The old PATH_INFO behaviour is not incorrect according to http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html The PATH_INFO syntax spec is: PATH_INFO = "" | ( "/" path ) path = segment *( "/" segment ) segment = *pchar pchar = <any CHAR except "/"> Note that segment can be a null string because *pchar specifies zero or more characters: *rule A rule preceded by an asterisk ("*") may have zero or more occurrences. A rule preceded by an integer followed by an asterisk must occur at least the specified number of times.
Upstream are tracking the double-slashes vs PATH_INFO issue at: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20047