Re: CGI/1.1 draft

George Phillips <phillips@cs.ubc.ca>
Errors-To: listmaster@www0.cern.ch
Date: Wed, 16 Mar 1994 22:28:21 --100
Message-id: <7790*phillips@cs.ubc.ca>
Reply-To: phillips@cs.ubc.ca
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: George Phillips <phillips@cs.ubc.ca>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: CGI/1.1 draft

Easy stuff first:  I agree with the proposed changes.  Now, about
PATH_INFO...

Rob said:
>I don't agree. I think that with dummy inputs available in forms, we can
>finally move away from using PATH_INFO to convey state information to
>scripts and go back to using them for their intended purpose: To allow
>scripts to access the server's virtual->physical translation and access
>authorization for auxiliary files. If you're using filenames in PATH_INFO
>then you don't have to escape the information, and if you have it as dummy
>inputs in a form then your data is already escaped anyway.

I agree that PATH_INFO is not the right place for user input, but
PATH_INFO is something generated by the script for use by the script.
The server shouldn't be touching it.  It shouldn't even have any
idea if % or some other escaping is done on the information there.
As long as there are no bad characters in it, it just doesn't matter.

I certainly don't agree with your idea of the intended purpose of
CGI scripts.  I use them all the time for dynamically translating
data into browser-understandable formats (like HTML).  Input
forms and searches are just one possible use.
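
An added example, not part of the original message or of the CGI draft: a sketch of a script that owns its PATH_INFO decoding, assuming the server hands the value over with any %-escapes intact, as the message argues it should. The function names, the set of rejected bytes and the sample paths are assumptions made for illustration.

```python
import os
from urllib.parse import unquote_to_bytes

# Assumption: bytes this script refuses inside a decoded segment
# (control characters, DEL, backslash). "/" is checked separately.
BAD_BYTES = set(range(0x20)) | {0x7F, ord("\\")}

class BadPathInfo(ValueError):
    """PATH_INFO that the script will not act on."""

def decode_path_info(raw):
    """Split on '/' first, then %-decode each segment exactly once."""
    if raw and not raw.startswith("/"):
        raise BadPathInfo("PATH_INFO must be empty or start with '/'")
    segments = []
    for part in raw.split("/")[1:]:
        data = unquote_to_bytes(part)
        if b"/" in data or any(b in BAD_BYTES for b in data):
            raise BadPathInfo("bad byte in segment %r" % part)
        try:
            seg = data.decode("utf-8")
        except UnicodeDecodeError:
            raise BadPathInfo("segment %r is not UTF-8" % part)
        if seg in ("", ".", ".."):
            raise BadPathInfo("segment %r not allowed" % part)
        segments.append(seg)
    return segments

def translate(raw, root):
    """Script-side virtual->physical mapping, confined to root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, *decode_path_info(raw)))
    if os.path.commonpath([root, target]) != root:
        raise BadPathInfo("resolves outside root")  # e.g. through a symlink
    return target

def is_rejected(raw):
    try:
        decode_path_info(raw)
    except BadPathInfo:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for raw in ["/reports/1994%2D03.txt", "/a/%252e%252e/b",
                "/a/%2e%2e/b", "/a/..%2Fb", "/a%00b"]:
        print(raw, "->", "rejected" if is_rejected(raw) else decode_path_info(raw))
```

Because decoding happens once and only after splitting, `%252e%252e` stays the literal segment `%2e%2e`, while an escaped slash or dot-dot segment is refused instead of being reinterpreted by a second decoding layer.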