
BUG: incorrect handling of PATH_INFO for border cases

Example,

REQUEST_URI=/info/
old:
    SCRIPT_NAME=/info/
    PATH_INFO=/
new:
    SCRIPT_NAME=/info
    PATH_INFO=/

REQUEST_URI=/info/foo///bar
old:
    SCRIPT_NAME=/info/f
    PATH_INFO=/foo/bar
new:
    SCRIPT_NAME=/info
    PATH_INFO=/

New behaviour is consistent with Apache.

ENH: added REQUEST_URI, DOCUMENT_ROOT, PATH_TRANSLATED cgi variables
1 parent ac485f7 commit eb0ec3a0af7d13d78fc19df1fc887b4368fe8954 Mark Olesen committed Jun 21, 2011
Showing with 33 additions and 23 deletions.
  1. +1 −1 consubs.pl
  2. +16 −11 httpi.in
  3. +16 −11 stock/httpi.in
@@ -1,5 +1,5 @@
$version_key = "HTTPi/1.7/$DEF_CONF_TYPE";
-$ACTUAL_VERSION = "1.7 (C)1998-2010 Cameron Kaiser/Contributors";
+$ACTUAL_VERSION = "1.7 (C)1998-2011 Cameron Kaiser/Contributors";
print STDOUT "HTTPi/$ACTUAL_VERSION\n";
print STDOUT "Pre-flight check in progress ...\n\n";
@@ -22,7 +22,7 @@ $ENV{'PERL_SIGNALS'} = "unsafe";
$VERSION = "1.7 (DEF_CONF_TYPE/DEF_ARCH)";
# HTTPi Hypertext Tiny Truncated Process Implementation
-# Copyright 1999-2010 Cameron Kaiser and Contributors # All rights reserved
+# Copyright 1999-2011 Cameron Kaiser and Contributors # All rights reserved
# Please read LICENSE # Do not strip this copyright message.
###############################################################
@@ -63,7 +63,7 @@ $VERSION = "1.7 (DEF_CONF_TYPE/DEF_ARCH)";
"au" => "audio/basic",
"aif" => "audio/x-aiff",
"aiff" => "audio/x-aiff",
- "ogg" => "audio/x-ogg",
+ "ogg" => "audio/x-ogg",
"oga" => "audio/x-ogg",
"mid" => "audio/midi",
"wma" => "audio/x-ms-wma",
@@ -361,17 +361,17 @@ $date = scalar localtime;
m/(...) (...) (..) (..:..:..) (....)/);
$dt += 0;
$dt = substr("0$dt", length("0$dt") - 2, 2);
-$date = "$dt/$mon/$yr:$tm DEF_TIME_ZONE";
+$date = "$dt/$mon/$yr:$tm DEF_TIME_ZONE";
-select(STDOUT); $|=1; $address = 0;
+select(STDOUT); $|=1; $address = 0;
~check MCANALARM
alarm 5;
~
~
while (<STDIN>) {
if(/^([A-Z]+)\s+([^\s]+)\s+([^\s\r\l\n]*)/) {
$method = $1;
- $address = $2;
+ $address = $2;
$httpver = $3;
$httpref = '';
$httpua = '';
@@ -603,18 +603,19 @@ EOF
$raddress = (-r "${raddress}index.shtml") ?
"${raddress}index.shtml" : "${raddress}index.html"
if (-d $raddress);
+ $ENV{'REQUEST_URI'} = $address . (($variables) ? "?$variables" : "");
~check PATHINFO
if (! -e $raddress && ! -d $raddress
&& $raddress =~ m#^(.+)/$#
&& -x $1) {
$raddress = $1;
+ $address =~ s{/+$}{}; # trailing slashes are all in PATH_INFO
$ENV{'PATH_INFO'} = '/';
}
if (! -e $raddress) {
my $oldraddress = $raddress;
my @path_array = split('/', $raddress);
my @path_info = ();
- my $k;
while(scalar(@path_array) &&
((! -e $raddress) || (-d $raddress))) {
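Review bot: The added `REQUEST_URI` assignment tests `($variables)` for truth, so a query string that is exactly `0` is silently dropped; testing the length keeps it, e.g. `$ENV{'REQUEST_URI'} = $address . (length($variables) ? "?$variables" : "");`. CGI programs conventionally expect REQUEST_URI to be the request target as the client sent it, so if `$address` has already been decoded or rewritten above this hunk (not visible here), the value should be captured earlier from the raw request line. The same line is added in the matching hunk of stock/httpi.in. The enclosing block starts before this hunk and the `while` loop continues past it.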
@@ -624,18 +625,18 @@ EOF
if (scalar(@path_array) && (-x $raddress)) {
$ENV{'PATH_INFO'} = '/' . join('/', @path_info);
# change $address accordingly
- $address = substr($address, 0,
- length($address) - length($ENV{'PATH_INFO'}));
+ $address = substr($raddress, length($path));
} else {
$raddress = $oldraddress; # prepare to fail
$ENV{'PATH_INFO'} = '';
}
}
~
+ delete $ENV{'PATH_INFO'};
~
IRED: ($hostname, $port, $ip) = &sock_to_host();
if(!sysopen(S, $raddress, 0)) { &hterror404; } else {
- if ((-x $raddress)
+ if ((-x $raddress)
~check CGIEXT
&& ($raddress =~ /[\-\._](exe|[ckpba]*sh|p[er]*l|cgi|cmd|com)$/i)
~
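Review bot: The new `delete $ENV{'PATH_INFO'};` appears to sit only in the alternative branch of `~check PATHINFO`, so a PATHINFO-enabled build that serves an existing file never clears the variable, and any PATH_INFO inherited from the launching environment reaches the CGI and the new PATH_TRANSLATED. Moving `delete $ENV{'PATH_INFO'};` above the `~check PATHINFO` line would give both builds a clean start. Separately, `$address = substr($raddress, length($path));` assumes `$raddress` always begins with `$path`. If another rule above this hunk maps requests outside that root (not visible here), SCRIPT_NAME would be wrong, so a guard such as `if (index($raddress, $path) == 0)` is worth adding. Both points apply equally to the identical hunk in stock/httpi.in.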
@@ -654,6 +655,10 @@ EOF
getsockname(STDIN));
$ENV{'SERVER_URL'} = "http://DEF_SERVER_HOST:$ENV{'SERVER_PORT'}/";
~
+ $ENV{'DOCUMENT_ROOT'} = $path;
+ if (exists $ENV{'PATH_INFO'}) {
+ $ENV{'PATH_TRANSLATED'} = $ENV{'DOCUMENT_ROOT'} . $ENV{'PATH_INFO'};
+ }
$ENV{'SCRIPT_FILENAME'} = $raddress;
$ENV{'SCRIPT_NAME'} = $address;
$ENV{'REMOTE_HOST'} = $hostname;
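Review bot: PATH_TRANSLATED is built by plain concatenation of the document root with the client-derived PATH_INFO, and nothing in this hunk shows that `..` segments have been rejected, so a CGI that opens the value could be pointed outside DOCUMENT_ROOT unless that filtering happens earlier. A comment would make the contract explicit, e.g. `# PATH_INFO is client-supplied; PATH_TRANSLATED is not guaranteed to stay under DOCUMENT_ROOT`. The `exists` test also passes for the empty string assigned in the "prepare to fail" branch, and there is no `else`, so an inherited PATH_TRANSLATED is never cleared. I would use `if (length($ENV{'PATH_INFO'} // '')) { ... } else { delete $ENV{'PATH_TRANSLATED'}; }`. The same applies to the matching hunk in stock/httpi.in.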
@@ -677,7 +682,7 @@ EOF
~
$ENV{'PATH'} = '';
($raddress =~ /^(.+)$/) && ($raddress = $1);
- if ($method eq 'POST') {
+ if ($method eq 'POST') {
open(W, "|$raddress") || die
"can't POST to $raddress";
read(STDIN, $buf, $httpcl);
@@ -700,7 +705,7 @@ EOF
}
}
$mtime = &rfctime($mtime);
-SERVEIT:
+SERVEIT:
if ($mtime eq $modsince) {
&htsponse(304, "Not Modified");
&hthead("Last-Modified: $mtime", 1);
@@ -22,7 +22,7 @@ $ENV{'PERL_SIGNALS'} = "unsafe";
$VERSION = "1.7 (DEF_CONF_TYPE/DEF_ARCH)";
# HTTPi Hypertext Tiny Truncated Process Implementation
-# Copyright 1999-2010 Cameron Kaiser and Contributors # All rights reserved
+# Copyright 1999-2011 Cameron Kaiser and Contributors # All rights reserved
# Please read LICENSE # Do not strip this copyright message.
###############################################################
@@ -63,7 +63,7 @@ $VERSION = "1.7 (DEF_CONF_TYPE/DEF_ARCH)";
"au" => "audio/basic",
"aif" => "audio/x-aiff",
"aiff" => "audio/x-aiff",
- "ogg" => "audio/x-ogg",
+ "ogg" => "audio/x-ogg",
"oga" => "audio/x-ogg",
"mid" => "audio/midi",
"wma" => "audio/x-ms-wma",
@@ -361,17 +361,17 @@ $date = scalar localtime;
m/(...) (...) (..) (..:..:..) (....)/);
$dt += 0;
$dt = substr("0$dt", length("0$dt") - 2, 2);
-$date = "$dt/$mon/$yr:$tm DEF_TIME_ZONE";
+$date = "$dt/$mon/$yr:$tm DEF_TIME_ZONE";
-select(STDOUT); $|=1; $address = 0;
+select(STDOUT); $|=1; $address = 0;
~check MCANALARM
alarm 5;
~
~
while (<STDIN>) {
if(/^([A-Z]+)\s+([^\s]+)\s+([^\s\r\l\n]*)/) {
$method = $1;
- $address = $2;
+ $address = $2;
$httpver = $3;
$httpref = '';
$httpua = '';
@@ -603,18 +603,19 @@ EOF
$raddress = (-r "${raddress}index.shtml") ?
"${raddress}index.shtml" : "${raddress}index.html"
if (-d $raddress);
+ $ENV{'REQUEST_URI'} = $address . (($variables) ? "?$variables" : "");
~check PATHINFO
if (! -e $raddress && ! -d $raddress
&& $raddress =~ m#^(.+)/$#
&& -x $1) {
$raddress = $1;
+ $address =~ s{/+$}{}; # trailing slashes are all in PATH_INFO
$ENV{'PATH_INFO'} = '/';
}
if (! -e $raddress) {
my $oldraddress = $raddress;
my @path_array = split('/', $raddress);
my @path_info = ();
- my $k;
while(scalar(@path_array) &&
((! -e $raddress) || (-d $raddress))) {
@@ -624,18 +625,18 @@ EOF
if (scalar(@path_array) && (-x $raddress)) {
$ENV{'PATH_INFO'} = '/' . join('/', @path_info);
# change $address accordingly
- $address = substr($address, 0,
- length($address) - length($ENV{'PATH_INFO'}));
+ $address = substr($raddress, length($path));
} else {
$raddress = $oldraddress; # prepare to fail
$ENV{'PATH_INFO'} = '';
}
}
~
+ delete $ENV{'PATH_INFO'};
~
IRED: ($hostname, $port, $ip) = &sock_to_host();
if(!sysopen(S, $raddress, 0)) { &hterror404; } else {
- if ((-x $raddress)
+ if ((-x $raddress)
~check CGIEXT
&& ($raddress =~ /[\-\._](exe|[ckpba]*sh|p[er]*l|cgi|cmd|com)$/i)
~
@@ -654,6 +655,10 @@ EOF
getsockname(STDIN));
$ENV{'SERVER_URL'} = "http://DEF_SERVER_HOST:$ENV{'SERVER_PORT'}/";
~
+ $ENV{'DOCUMENT_ROOT'} = $path;
+ if (exists $ENV{'PATH_INFO'}) {
+ $ENV{'PATH_TRANSLATED'} = $ENV{'DOCUMENT_ROOT'} . $ENV{'PATH_INFO'};
+ }
$ENV{'SCRIPT_FILENAME'} = $raddress;
$ENV{'SCRIPT_NAME'} = $address;
$ENV{'REMOTE_HOST'} = $hostname;
@@ -677,7 +682,7 @@ EOF
~
$ENV{'PATH'} = '';
($raddress =~ /^(.+)$/) && ($raddress = $1);
- if ($method eq 'POST') {
+ if ($method eq 'POST') {
open(W, "|$raddress") || die
"can't POST to $raddress";
read(STDIN, $buf, $httpcl);
@@ -700,7 +705,7 @@ EOF
}
}
$mtime = &rfctime($mtime);
-SERVEIT:
+SERVEIT:
if ($mtime eq $modsince) {
&htsponse(304, "Not Modified");
&hthead("Last-Modified: $mtime", 1);
