> Note that it doesn't say "...followed by extra information... The
> extra information is sent as PATH_INFO, unless it happens to consist
> entirely of '/' characters, in which case we do some other thing with
> it".
I guess this is one level too far down; we need to see what the SSI
docs say about passing PATH_INFO from the current document (regular
html files don't have PATH_INFO), to the included cgi. I can't
reach the docs at the moment, but I'd be surprised if they explicitly
say that cgi includes assume the PATH_INFO of the parent document.
That's not to say they can't though.
> Is there a security hole here?
No. I shouldn't say that; I should say "I don't think so".
> If not, why is it "dangerous"? (I can
> see how it could be a little confusing, but only to people who brought
> it on themselves...).
That's the danger... It's going to confuse a hell of a lot of people,
because it's a half-baked system, with too many pitfalls. It only
makes sense to have the PATH_INFO if the document has SSI, and the
SSI makes use of CGI - that narrows it down a bit.
Do we test for the other cases, and "404 Not Found" them?
Nobody can be using this yet, 'cos NCSA 1.3/1.4 won't allow it. Is
it so desirable to have this, that we can live with the relative URL
problems that come with it? I think not. 404 everything until HTTP/1.1
makes it foolproof.
robh
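Added example, not part of robh's message or of the server source under discussion: a small Python model of the three things the thread turns on. It shows the CGI-style path walk that splits a request URI into the file actually served plus PATH_INFO, one reading of the 404 rule robh proposes (reject extra path info on anything that is neither a CGI script nor a server-parsed document), and the relative-URL problem he refers to, where a plain HTML page requested with trailing path info has all its relative links resolved against the wrong directory. The document tree, the example.test host and the .cgi/.shtml suffix checks are constructed assumptions for the example.

```python
# Added example, not from the original message or the server code it discusses.
# Models (1) the CGI-style path walk that splits a request URI into the file
# actually served plus PATH_INFO, (2) a 404 rule for extra path info on
# documents that are neither CGI nor server-parsed, and (3) why trailing path
# info on a plain HTML page breaks that page's relative URLs.
# The document tree, host name and suffix checks are constructed assumptions.
from urllib.parse import urljoin, urlsplit

# Constructed document tree: path -> True for a directory, False for a file.
TREE = {
    "/": True,
    "/docs": True,
    "/docs/page.html": False,    # plain HTML, never parsed for SSI
    "/docs/page.shtml": False,   # server-parsed HTML (SSI), assumed suffix
    "/docs/style.css": False,
    "/cgi-bin": True,
    "/cgi-bin/env.cgi": False,   # CGI script, assumed suffix
}

CGI_SUFFIX = ".cgi"    # assumed convention for this example
SSI_SUFFIX = ".shtml"  # assumed convention for this example


def split_path_info(request_path):
    """Walk the request path one component at a time, the way a server maps
    a URI onto the filesystem. The first component that names a file is the
    translated path; whatever follows it becomes PATH_INFO.

    Returns (path, path_info); (None, None) when no file or directory matches.
    """
    parts = [p for p in request_path.split("/") if p]
    current = ""
    for i, part in enumerate(parts):
        candidate = current + "/" + part
        if candidate not in TREE:
            return None, None
        if not TREE[candidate]:
            # Reached a file: the remainder of the URI is PATH_INFO.
            rest = "/".join(parts[i + 1:])
            return candidate, ("/" + rest if rest else "")
        current = candidate
    # Every component was a directory: no PATH_INFO at all.
    return (current or "/"), ""


def accept_request(request_path):
    """One reading of the rule argued for in the message: extra path info is
    only meaningful for a CGI script or a server-parsed document, so any
    other target that arrives with PATH_INFO gets 404 rather than being
    served under a URL its relative links cannot survive.

    Returns (status, path, path_info).
    """
    path, info = split_path_info(request_path)
    if path is None:
        return 404, None, None
    if info and not (path.endswith(CGI_SUFFIX) or path.endswith(SSI_SUFFIX)):
        return 404, path, info
    return 200, path, info


def resolve_relative(request_path, href):
    """Show the relative-URL problem: the client resolves a relative href
    against the URL it requested, not against the file the server chose,
    so trailing path info silently moves every relative link.
    Returns the path part of the resolved URL.
    """
    # The host is a constructed placeholder; only the path matters here.
    return urlsplit(urljoin("http://example.test" + request_path, href)).path


if __name__ == "__main__":
    for req in ("/cgi-bin/env.cgi/report/2", "/docs/page.shtml/extra",
                "/docs/page.html/extra", "/docs/missing.html"):
        print(req, "->", accept_request(req))
    # The same page, linking to "style.css", fetched two different ways:
    print(resolve_relative("/docs/page.html", "style.css"))
    print(resolve_relative("/docs/page.html/extra/info", "style.css"))
```

Run as a script, the first loop classifies the four constructed requests, and the last two lines show the same document pointing its "style.css" link at /docs/style.css when requested normally and at /docs/page.html/extra/style.css when requested with trailing path info, which is the breakage the 404 rule is meant to head off.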