While Accept:, Content-Type: and Content-Length: are literally in
the CGI variable space, only a munged version of Authorized: is
there. How about changing that to "does not include Authorized:
if server is doing the authentication on that script, otherwise
is does." For a script with simple authorization requirements,
the server can do the work. When the script gateways into something
where server authentication is inappropriate or impossible
(like an Oracle database), the writer can use an "nph-" script and
do the authentication herself.
>Finally, note that I don't mention whether PATH_INFO should be unescaped or
>not. My first impression is that it should remain escaped, in order to avoid
>ambiguities like the decoding of foo="1%3d2". Problem is, all of the current
>implementations are ``broken'', and therefore such a change technically
>isn't backward compatible. So perhaps we should update the spec. to reflect
>the implementations. Comments?
Please, please leave PATH_INFO escaped. It was a mistake to do the
unescaping in the server; let's fix it. Sure, it's not strictly
backwards compatible, but I seriously doubt many scripts relied upon
the old behaviour. Besides "%3d", there's also "%00" which a CGI
script really loses on.