-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CGI Variable "PATH_INFO" incorrectly removing runs of slash characters causing errors in CGI scripts #69
Comments
Thanks for the report, I can also reproduce on my server: gemini://mozz.us/cgi-bin/debug.py/Hi%2F%2F%2FThere%2F%2F%2FMozz I'm open to changing behavior if there is a clear and correct solution, but I think this one is complicated... The slashes are being merged because jetforce is normalizing the path. i.e. collapsing double slashes and It looks like the jury is still out on whether this is the correct behavior or not.
This is exactly the same procedure that jetforce uses:
Others have suggested adding non-standard And finally, this is a copout, but the easiest solution for your use-case is probably switching to a URL-safe version of base64 that uses |
That makes sense. Thanks for pointing out the URL-safe Base64 functions. I will move to those, since that's probably a more robust solution. However, I still think you can support this, because presumably you have to have special logic to handle CGI and determine the
That normalized path isn't going to exactly match anything in the file system, because But once you have determined the CGI file to execute, there is nothing that is requiring you to use the normalized path to also construct the
I have a workaround in my code that is very similar to this:
I'm going to adopt the URL-safe Base64 functions, but still something to consider: Once you know you are dealing with a CGI path and have determined the script file to run, there isn't a reason to do path normalization on the rest of the path that becomes the (Also, thanks for JetForce. ❤️ I've been using it for a year and its been rock solid) |
The trouble is that normalizing the path can also affect the script name. Take this example
decoded, turns into
then normalized
which ends up pointing to an entirely different CGI script. You would get
but now the non-normalized URL doesn't start with the script name, so you can't plug it back into step 2 to get |
ahh. good point. Moved to URL-safe Base64 functions anyway. Thanks |
I found this issue while passing Base64 encoded data to a CGI script via the PATH_INFO variable.
The value of the PATH_INFO seems to be collapsing multiple
/
characters next to each other in a single/
character. You can see the problem in the screen shot below:This is just a simple CGI script which echos out the
GEMINI_URL
andPATH_INFO
environment variables that are passed to the CGI.You can see the URL contains 3
/
characters between the words of the message"Hi///There///Mozz"
However the value ofPATH_INFO
has collapsed those slashes into the messageHi/There/Mozz
which is incorrect.This is causing my CGI script to fail, since I'm passing Base64 data via PATH_INFO.
/
is a valid Base64 character, and you can have 2 slashes next to each other. Since runs of slashes are collapsed into a single slash, it's altering the Base64 data 🙀I believe this is an issue with Jetforce, and not my Gemini client, since the
GEMINI_URL
variable shows the 3 slashes are being sent to JetForce and even are being passed to the CGI script properly. The bug appears to be in howPATH_INFO
is constructed from the URL.The text was updated successfully, but these errors were encountered: