Received: (qmail 4135 invoked by uid 2012); 25 Jan 1999 12:26:33 -0000 Message-Id: <19990125122633.4134.qmail@hyperreal.org> Date: 25 Jan 1999 12:26:33 -0000 From: Trietsch@hyperreal.org, Frank Reply-To: Frank.Trietsch@lhsystems.com To: apbugs@hyperreal.org Subject: Supporting CGI-variables created by POST for SSI X-Send-Pr-Version: 3.2 >Number: 3759 >Category: mod_include >Synopsis: Supporting CGI-variables created by POST for SSI >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Class: change-request >Submitter-Id: apache >Arrival-Date: Mon Jan 25 04:30:02 PST 1999 >Last-Modified: Tue Apr 20 20:49:25 PDT 1999 >Originator: Frank.Trietsch@lhsystems.com >Organization: >Release: any >Environment: The fix below is for 1.3.4. Lower versions will work the same way. >Description: It would be useful, if one can not only use the default variables given by mod_include such as DATE_LOCAL, DATE_GMT, LAST_MODIFIED, DOCUMENT_URI, DOCUMENT_PATH_INFO, USER_NAME, DOCUMENT_NAME, QUERY_STRING_UNESCAPED, etc. but also variables generated by a GET or POST request. With that you might use mod_include to determine which HTML pages to include dynamically. For example: > http://this.is.a.test/hello_world.shtml?name=hello&language=german will include a file named "/german/hello.html". >How-To-Repeat: >Fix: Maybe it's not the best way... but it works for me: static void add_include_vars(request_rec *r, char *timefmt) { #ifndef WIN32 struct passwd *pw; #endif /* ndef WIN32 */ table *e = r->subprocess_env; char *t; time_t date = r->request_time; // added by Frank Trietsch, 24.01.1999 char *varname, *value; char *query; ap_table_setn(e, "DATE_LOCAL", ap_ht_time(r->pool, date, timefmt, 0)); ap_table_setn(e, "DATE_GMT", ap_ht_time(r->pool, date, timefmt, 1)); ap_table_setn(e, "LAST_MODIFIED", ap_ht_time(r->pool, r->finfo.st_mtime, timefmt, 0)); ap_table_setn(e, "DOCUMENT_URI", r->uri); ap_table_setn(e, "DOCUMENT_PATH_INFO", r->path_info); #ifndef WIN32 pw = getpwuid(r->finfo.st_uid); if (pw) { ap_table_setn(e, "USER_NAME", ap_pstrdup(r->pool, pw->pw_name)); } else { ap_table_setn(e, "USER_NAME", ap_psprintf(r->pool, "user#%lu", (unsigned long) r->finfo.st_uid)); } #endif /* ndef WIN32 */ if ((t = strrchr(r->filename, '/'))) { ap_table_setn(e, "DOCUMENT_NAME", ++t); } else { ap_table_setn(e, "DOCUMENT_NAME", r->uri); } if (r->args) { char *arg_copy = ap_pstrdup(r->pool, r->args); ap_unescape_url(arg_copy); ap_table_setn(e, "QUERY_STRING_UNESCAPED", ap_escape_shell_cmd(r->pool, arg_copy)); } // added by Frank Trietsch, 24.01.1999 to parse QUERY_STRING if (query = ap_pstrdup(r->pool, r->args)) { varname = strtok(query, "="); while (varname) { value = strtok(NULL, "&"); ap_table_setn(e, varname, value); varname = strtok(NULL, "="); } } } >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: dgaudet State-Changed-When: Tue Apr 20 20:49:25 PDT 1999 State-Changed-Why: Dude, you should be careful with this -- you've just opened yourself up to some exploits. I can request urls with trailing ?DATE_LOCAL=blah&DOCUMENT_NAME=foo and your code will overwrite the server's variables. I'm also really concerned about adding this to apache in general, since SSI provides very little way to verify the validity of the arguments. It could make it all too easy/tempting for folks to write insecure web pages. Using something like mod_php or mod_perl seems much more appropriate. Dean >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]