apache - Is there a special case in Apache2 when calling a CGI and the URI includes a single query string parameter without a value? -


today got error , surprised since looked fine...

i have cgi written in c++ accepts uris query string. query string selects page, etc. cgi installed in standard location ubuntu installation:

/usr/lib/cgi-bin/snapmanager.cgi

today finishing adding login screen , once logged in, wanted add logout link. link adds ?logout @ end of uri:

http://www.example.com/cgi-bin/snapmanager.cgi?logout

that failed.

checking error log, got error saying "logout" appeared on command line. rather surprising, if ask me! tried with:

http://www.example.com/cgi-bin/snapmanager.cgi?logout=now

and worked expected. no logout on command line.

i tried:

http://www.example.com/cgi-bin/snapmanager.cgi?logout&host=foo

and worked too. again, no logout on command line.

however, if switch parameters position fails again:

http://www.example.com/cgi-bin/snapmanager.cgi?host=foo&logout

so looks apache2 calls cgi logout query string parameter on command line when 1 query string name defined last.

just in case, tried add dashes @ start of name, , sure enough, appears command line switch in logs!

error:snapmanager.cgi: option --logout not supported.

really scary. huge security risk if know of switch can "tweak things way"...

is documented somewhere?

i found answer in rfc3875 in paragraph 4.4

4.4. script command line

some systems support method supplying array of strings cgi script. used in case of 'indexed' http query, identified 'get' or 'head' request uri query string not contain unencoded "=" characters. such request, server should treat query-string search-string , parse words, using rules

 search-string = search-word *( "+" search-word )  search-word   = 1*schar  schar         = unreserved | escaped | xreserved  xreserved     = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "," |                  "$"

after parsing, each search-word url-decoded, optionally encoded in system-defined manner , added command line argument list.

if server cannot create part of argument list, server must not generate command line information. example, number of arguments may greater operating system or server limits, or 1 of words may not representable argument.

the script should check see if query_string value contains unencoded "=" character, , should not use command line arguments if does.

emphasis mine


Comments

Post a Comment

Popular posts from this blog

php - How to add and update images or image url in Volusion using Volusion API -

actually have store importing products store product data insert , update image or image url not insert , update. this xml code name datapro.txt. <products_joined> <productcode>3710_012t</productcode> <vendor_partno>eah5450silent/di/1gd3(lp)</vendor_partno> <productname>test product ta</productname> <hideproduct>n</hideproduct> <stockstatus>20</stockstatus> <lastmodified>1/5/2016 10:25:00 am</lastmodified> <lastmodby>2</lastmodby> <productweight>0.9</productweight> <productprice>100</productprice> <productmanufacturer>asus tek</productmanufacturer> <vendor_price>32.69</vendor_price> <numproductssharingstock>0</numproductssharingstock> <categoryids>107</categoryids> <producturl>http://tebkq.mvlce.servertrust.com/productdetails.asp?productcode=3710_012t</producturl...
Read more

Laravel mail error `Swift_TransportException in StreamBuffer.php line 269: Connection could not be established with host smtp.gmail.com [ #0]` -

i developing website contact-us page guest users can send me email using gmail . anytime try send mail using contact-us form, error swift_transportexception in streambuffer.php line 269: connection not established host smtp.gmail.com [ #0] this mail.php return [ 'driver' => env('mail_driver', 'smtp'), 'host' => env('mail_host', 'smtp.gmail.com'), 'port' => 587, 'from' => ['address' => '', 'name' => ''], 'encryption' => env('mail_encryption', 'tls'), 'username' => env('mail_username'), 'password' => env(mail_password), 'sendmail' => '/usr/sbin/sendmail -bs', 'pretend' => env('mail_pretend', false), ]; this .env mail_driver=smtp mail_host=smtp.gmail.com mail_port=587 mail_username=afecjaped@gmail.com mail_password=********...
Read more

c# SetCompatibleTextRenderingDefault must be called before the first -

i tried search exception couldn't find solution on case i'am using code below invoke .net application : assembly assem = assembly.load(data); methodinfo method = assem.entrypoint; var o = activator.createinstance(method.declaringtype); method.invoke(o, null); the application invoked has form , in entrypoint of application : [stathread] static void main() { application.enablevisualstyles(); application.setcompatibletextrenderingdefault(false); //exception application.run(new form1()); } setcompatibletextrenderingdefault must called before first iwin32window object created in application. edit : assembly = assembly.load(data); methodinfo method = a.gettype().getmethod("start"); var o = activator.createinstance(method.declaringtype); method.invoke(o, null); you should create new method skips initialization...
Read more