Re: CGI/1.1 draft

George Phillips (phillips@cs.ubc.ca)
Sun, 6 Mar 1994 20:33:39 --100


Rob said:
>Here are my proposals for changes to CGI, to make its version 1.1:
..
>2. Add a new env. variable called HTTP_EXTRA_HEADERS which contains all
> headers sent by the client which the server didn't understand. This does
> not include Authorized, Accept, Content-type, or Content-length as these
> are already elsewhere in the CGI variable space. The server may perform
> collapsing of these lines, i.e. it may consolidate multiple occurrences
> of these lines as it already does with HTTP_ACCEPT.

While Accept:, Content-Type: and Content-Length: are literally in
the CGI variable space, only a munged version of Authorized: is
there. How about changing that to "does not include Authorized:
if server is doing the authentication on that script, otherwise
is does." For a script with simple authorization requirements,
the server can do the work. When the script gateways into something
where server authentication is inappropriate or impossible
(like an Oracle database), the writer can use an "nph-" script and
do the authentication herself.

>Finally, note that I don't mention whether PATH_INFO should be unescaped or
>not. My first impression is that it should remain escaped, in order to avoid
>ambiguities like the decoding of foo="1%3d2". Problem is, all of the current
>implementations are ``broken'', and therefore such a change technically
>isn't backward compatible. So perhaps we should update the spec. to reflect
>the implementations. Comments?

Please, please leave PATH_INFO escaped. It was a mistake to do the
unescaping in the server; let's fix it. Sure, it's not strictly
backwards compatible, but I seriously doubt many scripts relied upon
the old behaviour. Besides "%3d", there's also "%00" which a CGI
script really loses on.