Project

General

Profile

Actions

Bug #1339

closed

lighttpd doesn't set empty QUERY_STRING in cgi environment

Added by alexo about 17 years ago. Updated over 8 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_cgi
Target version:
ASK QUESTIONS IN Forums:

Description

We found using some proprietary billing software (like http://www.billmax.com/) REQUIRES QUERY_STRING to be set in any cases regardless is it empty.

Suggesting patch fixes this lighttpd behaviour.


Files

lighttpd_empty_query_string.patch (540 Bytes) lighttpd_empty_query_string.patch Patch #1 alexo, 2007-09-06 05:57
Actions #1

Updated by stbuehler about 16 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

CGI spec:

"This variable should always be set when there is query information"

Sorry, fix your app (if you paid for it they should care about it).

Actions #2

Updated by stbuehler about 16 years ago

  • Status changed from Fixed to Invalid
Actions #3

Updated by Spida about 14 years ago

  • Status changed from Invalid to Reopened

According to rfc3875 [1]:
"The server MUST set this variable; if the Script-URI does not include a query component, the QUERY_STRING MUST be defined as an empty string ("")."
so we are NOT rfc-compliant there.

[1] http://www.rfc-editor.org/rfc/rfc3875.txt

Actions #4

Updated by BaconSpot over 11 years ago

This issue is still pending. A similar problem occurs with the widespread open source mailing list software mailman, when accessing the web interface over cgi. Cf. https://bugs.launchpad.net/mailman/+bug/1160647

Actions #5

Updated by gstrauss over 8 years ago

  • Description updated (diff)
  • Target version changed from 1.5.0 to 1.4.x

This affects 1.4.x, too. Attached 2-line patch is correct. Please apply.

Actions #6

Updated by alexo over 8 years ago

gstrauss wrote:

This affects 1.4.x, too. Attached 2-line patch is correct. Please apply.

I would suggest to find some better web-server software replacement (with adequate maintenance). Unless you want to wait 10 years more lol

Actions #7

Updated by gstrauss over 8 years ago

Sorry you've had to wait so long, alexo. I can assure you this will now get resolved much sooner than that. :)

darix suggested a simpler patch to unconditionally set QUERY_STRING, as specified by the RFCs.

diff --git a/src/mod_cgi.c b/src/mod_cgi.c
index d3e0297..c4a4d2e 100644
--- a/src/mod_cgi.c
+++ b/src/mod_cgi.c
@@ -947,9 +947,7 @@ static int cgi_create_env(server *srv, connection *con, plugin_data *p, buffer *
                        cgi_env_add(&env, CONST_STR_LEN("PATH_INFO"), CONST_BUF_LEN(con->request.pathinfo));
                }
                cgi_env_add(&env, CONST_STR_LEN("REDIRECT_STATUS"), CONST_STR_LEN("200"));
-               if (!buffer_string_is_empty(con->uri.query)) {
-                       cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));
-               }
+               cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));
                if (!buffer_string_is_empty(con->request.orig_uri)) {
                        cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));
                }
Actions #8

Updated by alexo over 8 years ago

gstrauss wrote:

Sorry you've had to wait so long, alexo. I can assure you this will now get resolved much sooner than that. :)

darix suggested a simpler patch to unconditionally set QUERY_STRING, as specified by the RFCs.

[...]

Maybe it is simpler, but can't say it is safer: you are dropping empty string check. NPE or buffer overload is just waiting here.

Actions #9

Updated by stbuehler over 8 years ago

The linked RFC is just "informational", and happens to collide with the "CGI/1.1" name used in http://web.archive.org/web/20100127161358/http://hoohoo.ncsa.illinois.edu/cgi/ - which, afaict, is the CGI "origin". I cannot say who came up with the name "CGI/1.1" first, but I'd say that those who defined the first version should be considered authoritative.

As the original CGI spec page is down now, one can probably argue that it is better to follow the RFC thing now, even if it is stupid and broken (why require an empty environment var? that should be the default value...).

The modified patch doesn't work because cgi_env_add will return early on NULL key / value (not sure what else would change if cgi_env_add would be changed).

Actions #10

Updated by gstrauss over 8 years ago

As stbuehler noted, the quick patch I posted above won't work since cgi_env_add will return early if it receives a NULL value.

The original patch from alexo does work. Please apply.

Actions #11

Updated by gstrauss over 8 years ago

  • Status changed from Reopened to Patch Pending

The original two-line patch from alexo is repeated below.

--- mod_cgi.c.orig    Wed Sep  5 03:48:30 2007
+++ mod_cgi.c    Wed Sep  5 03:29:04 2007
@@ -842,6 +842,8 @@
         cgi_env_add(&env, CONST_STR_LEN("REDIRECT_STATUS"), CONST_STR_LEN("200"));
         if (!buffer_is_empty(con->uri.query)) {
             cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));
+        } else {
+            cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_STR_LEN(""));
         }
         if (!buffer_is_empty(con->request.orig_uri)) {
             cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));

Actions #12

Updated by gstrauss over 8 years ago

  • Target version changed from 1.4.x to 1.4.40
Actions #13

Updated by gstrauss over 8 years ago

  • Status changed from Patch Pending to Fixed

committed in f1681ca2

Actions

Also available in: Atom