Re: CGI/1.1 draft
robm@ncsa.uiuc.edu (Rob McCool)
Errors-To: listmaster@www0.cern.ch
Date: Tue, 1 Mar 1994 11:32:35 --100
Message-id: <9403011029.AA16135@void.ncsa.uiuc.edu>
Errors-To: listmaster@www0.cern.ch
Reply-To: robm@ncsa.uiuc.edu
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: robm@ncsa.uiuc.edu (Rob McCool)
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: CGI/1.1 draft
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 2267
I wrote:
/*
* CGI/1.1 draft by Rob McCool
* written on Mar 1, 2:39am.
*
*
* Here are my proposals for changes to CGI, to make its version 1.1:
*
* 1. Any headers output by non-nph scripts which the server doesn't understand
* may be passed to the client.
*
* 2. Add a new env. variable called HTTP_EXTRA_HEADERS which contains all
* headers sent by the client which the server didn't understand. This does
* not include Authorized, Accept, Content-type, or Content-length as these
* are already elsewhere in the CGI variable space. The server may perform
* collapsing of these lines, i.e. it may consolidate multiple occurrences
* of these lines as it already does with HTTP_ACCEPT.
To clarify, this is the headers sent by the client which _CGI_ didn't
understand, not what the server didn't understand. Currently, this means
everything except Authorization, Accept, Content-type and Content-length.
* ---
* Discussion:
*
* 1: This is has already been discussed and largely agreed upon as a Good
* Idea. It's backward compatible with CGI/1.0 behavior, and fits nicely in.
*
* 2: This will allow stupid pet tricks like using From:, but more importantly,
* allows us to not need to update the CGI spec every time a new header is
* introduced.
*
* Finally, note that I don't mention whether PATH_INFO should be unescaped or
* not. My first impression is that it should remain escaped, in order to avoid
* ambiguities like the decoding of foo="1%3d2". Problem is, all of the current
* implementations are ``broken'', and therefore such a change technically
* isn't backward compatible. So perhaps we should update the spec. to reflect
* the implementations. Comments?
*/
To clarify on this point, I just went back and looked at the spec. again.
The current implementations are in fact up to spec., as the specification
has always read that PATH_INFO should be unescaped (dating back to Dec. 13
last year). The notable exception is NCSA httpd 1.x which mistakenly
converts + signs to spaces in file names.
The question is then whether we should have PATH_INFO in fact be escaped, or
unescaped. At any rate, changing this aspect of the specification will break
things, so I'm leery of it.
--Rob