Received: (qmail 35935 invoked by uid 501); 2 Jul 2001 02:06:41 -0000 Message-Id: <20010702020641.35934.qmail@apache.org> Date: 2 Jul 2001 02:06:41 -0000 From: Zak Ziggy Reply-To: zak_ziggy@hotmail.com To: submit@bugz.apache.org Subject: The cgi-bin scripts with URL requests path exeeding the ScriptPath error Forbidden. X-Send-Pr-Version: 3.110 >Number: 7966 >Category: mod_cgi >Synopsis: The cgi-bin scripts with URL requests path exeeding the ScriptPath error Forbidden. >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Sun Jul 01 19:10:00 PDT 2001 >Closed-Date: >Last-Modified: >Originator: zak_ziggy@hotmail.com >Release: 1.3.20 was good in 1.3.9 >Organization: apache >Environment: OS X Server / Darwin G3 (Blue and White box) With apache 1.3.20 use to work in 1.3.9 change is bad. >Description: So now I put apache source for version 1.3.20, on OS X Server. This compiles okay, and runs. The version I use for 1.2 has been custom modified to include SSL etc. this one is superior. My primary problem with it is a path like /cgi-bin/PDO_link/Customer/SessionContainerIDNumber.pageValue/Zone/Action no longer is considered valid because there is no actual file or path on the system past the ScriptPath /cgi-bin/PDO_link. (I have years of code build around this and it is not an option for apache to change it I believe it is an apache bug, they to can not leave well enough alone and the tech world continues to de-evolve). Of course this works in 1.3.9 not downloadable not supported, but does compile on OS X, unfortunately it does not run either. This use to be accepted because the cgi-bin program is valid. It is important and in the fashion of Hotmail and countless other session container driven sites (probably including WebObjects) that it work the way it always use to and should. I am sure this is a bug in apache source, I have compared the code of 1.3.9 to 1.3.20, and there is no reason I can find why this occurs but will have to reduce myself to the level of C to repair it or lose a decade of work. It is important because the path data helps browsers know that each page is unique via random session container numbers and page numbers, also it is important that it works this way so that a browser can cache the page allowing back arrow navigation without requiring reloading and therefore breaking the link forward. (There are other reasons I will avoid explaining to you here for now). Question: Does anybody now of a compiler directive that will allow apache cgi-bin script or URL requests with extra data in the path to properly be processed without sending Forbidden errors (or File Not found errors after that one is skipped). >How-To-Repeat: Run a script like hotmail that includes session container data and page values, like /cgi-bin/PDO_link/Customer/SessionContainerIDNumber.pageValue/Zone/Action Version 1.3.9 worked right an allowed paths beyond the bin script. I have spent 7 years building code for the original accepted format I would rather fix the apache source myself, but I am sure this is a bug you would like to now about. >Fix: Looking back at 1.3.9 I can find where this change has taken place, but basically in the Directory and file checks/walks all cgi-bin scripts are valid. Simple allow the script path to be set and validate the request, even though the path continues on past the cgi-bin point, or include a compiler directive to allow this, if you feel it is not a bug. Thank you for listening to my suggestion/bug report. My life's work is dependent on it I hope you can tell me what is going to happen, soon. P.S. Thank you for putting up with my rating, etc. >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]