New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[mod_ssi] Add SSI vars "SCRIPT_URI" and "REQUEST_SCHEME" #24
Conversation
@stbuehler I noticed that some users also need or ask for SCRIPT_URL, so I just updated the patch to include that one too. I also need to check whether or not we need some sanitization to prevent exploits, check whether special chars would need to be escaped, and find out whether or not it would be appropriate to add such sanitization and/or escape sequences in mod_ssi. But I think all required sanitization is already performed by core at the time mod_ssi is called and I also believe that special chars are already handled by the |
@fbrosson please replace [Corrected] |
@gstrauss : Done, thanks! |
@fbrosson, thanks for the correction. I updated my comment. Regarding the bonus "SCHEME" variable, I think I prefer the name "REQUEST_SCHEME" which matches the name used by some Apache modules. BTW, if con->uri.authority is not set, you might use con->server_name, if that is set, and assume that admin has set the server_name to a working DNS name. That won't always work. Alternatively, since the client got routed to the vhost without providing Host header, it should be correct to provide an IP address in place of con->uri.authority. Take a look in http-header-glue.c:http_response_redirect_to_directory() to see how it handles empty con->uri.authority. Or, just leave it blank if the client does not provide Host. I agree with you that this is the simplest solution, and not a likely scenario since all modern, popular browsers send Host header, even for HTTP/1.0 requests, else those clients would not work with a large portion of the internet. |
Aside: I see that SERVER_NAME in mod_ssi is the server IP, which looks suboptimal to me (it should be the vhost name where available) and the IP might be a wildcard address instead of the IP of the current socket connection (getsockname()). Ick. FYI: in historical versions of Apache, mod_rewrite set SCRIPT_URI and SCRIPT_URL. If mod_rewrite was not enabled, then those variables were not present. That seems to still be the case if you look at https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html (search for SCRIPT_URx). I am having trouble finding documentation on SCRIPT_URI and SCRIPT_URL in the current Apache 2.4 documentation. I did find it in http://httpd.apache.org/docs/2.2/en/mod/mod_rewrite.html |
Thanks @gstrauss for your messages. I had not noticed that some Apache modules alread defined @stbuehler @gstrauss : |
(I think you meant con->uri.authority (for use in SCRIPT_URI) instead of REQUEST_SCHEME in the last paragraph above.) Instead of greatly increasing the size of this patch for what should be a rare case, I would suggest leaving the patch as-is for now. If it turns out to be strongly desired to handle that case, then, as you also suggested, I think it would be better to create a new routine in http-header-glue.c which sets con->uri.authority if it has not been set, and to use that routine in both http_response_redirect_to_directory() and in mod_ssi.c |
Oops, you are perfectly right about my confusion between SCRIPT_URI and REQUEST_SCHEME in the last paragraph of my previous message. I'll fix it right now to avoid confusing new readers. Thanks! |
x-ref: I filed https://redmine.lighttpd.net/issues/2721 to track this issue on lighttpd redmine issue tracker. |
@gstrauss Good idea, thanks! |
Ref: Feature #2721: https://redmine.lighttpd.net/issues/2721 This is a proposal to add to lighttpd the famous SSI variables SCRIPT_URI and SCRIPT_URL (known to Apache users), as well as a bonus ENV variable called REQUEST_SCHEME. SCRIPT_URI and SCRIPT_URL will be available as SSI variables from within documents handled by mod_ssi. They can be used like any other SSI var with the "#echo var" command: <!--#echo var="SCRIPT_URI"--> <!--#echo var="SCRIPT_URL"--> Webmasters willing to display links to the W3C Validator will be able to use: <a href="http://validator.w3.org/check?uri=<!--#echo var="SCRIPT_URI"-->">…</a> instead of the generic http://validator.w3.org/check?uri=referer link which does not work on some (most?) browsers which do not send referers when the link itself resides in a document sent through https. REQUEST_SCHEME will be available both as an environment variable. It is defined as "http" or "https", depending on the scheme of the connection. It is safe to use this name as it does not conflict with any existing variable on Apache or Nginx. This is slightly different from the HTTPS var which is often added by webadmins on their server's configuration. EDIT: Some Apache modules also define REQUEST_SCHEME with the same possible values as this proposal.
Thanks a lot! Applied in a579e7f with some whitespace changes. |
You're welcome! That's great! |
This is a proposal to add to lighttpd the famous SSI variables
SCRIPT_URI
andSCRIPT_URL
(known to Apache users), as well as a bonus ENV variable calledREQUEST_SCHEME
.SCRIPT_URI
andSCRIPT_URL
will be available as SSI variables from within documents handled by mod_ssi.They can be used like any other SSI var with the
#echo var
SSI command:Webmasters willing to display links to the W3C Validator will be able to use:
instead of the generic http://validator.w3.org/check?uri=referer link which does not work on some (most?) browsers which do not send referers when the link itself resides in a document sent through https.
REQUEST_SCHEME will be available as an environment variable. It is defined as "http" or "https", depending on the scheme of the connection. It is safe to use this name as it does not conflict with any existing variable in Apache or Nginx. This is slightly different from the HTTPS var which is often added by webadmins on their server's configuration. EDIT: Some Apache modules also define REQUEST_SCHEME with the same possible values as this proposal.