Project

General

Profile

Actions
Copy link

Bug #1339

closed

lighttpd doesn't set empty QUERY_STRING in cgi environment

Added by alexo over 16 years ago. Updated about 8 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_cgi
Target version:
1.4.40
ASK QUESTIONS IN Forums:

Description

We found using some proprietary billing software (like http://www.billmax.com/) REQUIRES QUERY_STRING to be set in any cases regardless is it empty.

Suggesting patch fixes this lighttpd behaviour.

Files

lighttpd_empty_query_string.patch (540 Bytes) lighttpd_empty_query_string.patch Patch #1 alexo, 2007-09-06 05:57
Actions
Copy link
 #1

Updated by stbuehler over 15 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

CGI spec:

"This variable should always be set when there is query information"

Sorry, fix your app (if you paid for it they should care about it).

Actions
Copy link
 #2

Updated by stbuehler over 15 years ago

  • Status changed from Fixed to Invalid
Actions
Copy link
 #3

Updated by Spida over 13 years ago

  • Status changed from Invalid to Reopened

According to rfc3875 [1]:
"The server MUST set this variable; if the Script-URI does not include a query component, the QUERY_STRING MUST be defined as an empty string ("")."
so we are NOT rfc-compliant there.

[1] http://www.rfc-editor.org/rfc/rfc3875.txt

Actions
Copy link
 #4

Updated by BaconSpot almost 11 years ago

This issue is still pending. A similar problem occurs with the widespread open source mailing list software mailman, when accessing the web interface over cgi. Cf. https://bugs.launchpad.net/mailman/+bug/1160647

Actions
Copy link
 #5

Updated by gstrauss about 8 years ago

  • Description updated (diff)
  • Target version changed from 1.5.0 to 1.4.x

This affects 1.4.x, too. Attached 2-line patch is correct. Please apply.

Actions
Copy link
 #6

Updated by alexo about 8 years ago

gstrauss wrote:

This affects 1.4.x, too. Attached 2-line patch is correct. Please apply.

I would suggest to find some better web-server software replacement (with adequate maintenance). Unless you want to wait 10 years more lol

Actions
Copy link
 #7

Updated by gstrauss about 8 years ago

Sorry you've had to wait so long, alexo. I can assure you this will now get resolved much sooner than that. :)

darix suggested a simpler patch to unconditionally set QUERY_STRING, as specified by the RFCs.

diff --git a/src/mod_cgi.c b/src/mod_cgi.c
index d3e0297..c4a4d2e 100644
--- a/src/mod_cgi.c
+++ b/src/mod_cgi.c
@@ -947,9 +947,7 @@ static int cgi_create_env(server *srv, connection *con, plugin_data *p, buffer *
                        cgi_env_add(&env, CONST_STR_LEN("PATH_INFO"), CONST_BUF_LEN(con->request.pathinfo));
                }
                cgi_env_add(&env, CONST_STR_LEN("REDIRECT_STATUS"), CONST_STR_LEN("200"));
-               if (!buffer_string_is_empty(con->uri.query)) {
-                       cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));
-               }
+               cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));
                if (!buffer_string_is_empty(con->request.orig_uri)) {
                        cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));
                }
Actions
Copy link
 #8

Updated by alexo about 8 years ago

gstrauss wrote:

Sorry you've had to wait so long, alexo. I can assure you this will now get resolved much sooner than that. :)

darix suggested a simpler patch to unconditionally set QUERY_STRING, as specified by the RFCs.

[...]

Maybe it is simpler, but can't say it is safer: you are dropping empty string check. NPE or buffer overload is just waiting here.

Actions
Copy link
 #9

Updated by stbuehler about 8 years ago

The linked RFC is just "informational", and happens to collide with the "CGI/1.1" name used in http://web.archive.org/web/20100127161358/http://hoohoo.ncsa.illinois.edu/cgi/ - which, afaict, is the CGI "origin". I cannot say who came up with the name "CGI/1.1" first, but I'd say that those who defined the first version should be considered authoritative.

As the original CGI spec page is down now, one can probably argue that it is better to follow the RFC thing now, even if it is stupid and broken (why require an empty environment var? that should be the default value...).

The modified patch doesn't work because cgi_env_add will return early on NULL key / value (not sure what else would change if cgi_env_add would be changed).

Actions
Copy link
 #10

Updated by gstrauss about 8 years ago

As stbuehler noted, the quick patch I posted above won't work since cgi_env_add will return early if it receives a NULL value.

The original patch from alexo does work. Please apply.

Actions
Copy link
 #11

Updated by gstrauss about 8 years ago

  • Status changed from Reopened to Patch Pending

The original two-line patch from alexo is repeated below.

--- mod_cgi.c.orig    Wed Sep  5 03:48:30 2007
+++ mod_cgi.c    Wed Sep  5 03:29:04 2007
@@ -842,6 +842,8 @@
         cgi_env_add(&env, CONST_STR_LEN("REDIRECT_STATUS"), CONST_STR_LEN("200"));
         if (!buffer_is_empty(con->uri.query)) {
             cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));
+        } else {
+            cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_STR_LEN(""));
         }
         if (!buffer_is_empty(con->request.orig_uri)) {
             cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));

Actions
Copy link
 #12

Updated by gstrauss about 8 years ago

  • Target version changed from 1.4.x to 1.4.40
Actions
Copy link
 #13

Updated by gstrauss about 8 years ago

  • Status changed from Patch Pending to Fixed

committed in f1681ca2

Actions
Copy link

Also available in: Atom