diff options
| author | bptato <nincsnevem662@gmail.com> | 2023-12-12 10:38:42 +0100 |
|---|---|---|
| committer | bptato <nincsnevem662@gmail.com> | 2023-12-12 19:37:14 +0100 |
| commit | 4eb57c2b88325d3963c6671a6f27bd08fc07cb59 (patch) | |
| tree | 06bec584dcaf017d94e570e6cffb394b75aca338 /doc | |
| parent | f779f672e6aa28efe03733226465c73c1a7490ad (diff) | |
| download | chawan-4eb57c2b88325d3963c6671a6f27bd08fc07cb59.tar.gz | |
local CGI: add mapped URI env vars; move about: to adapters
* Add MAPPED_URI_* as environment variables when a request is coming from urimethodmap It costs us compatibility with w3m, but it seems to be a massive improvement over smuggling in the URL as a query string and then writing an ad-hoc parser for every single urimethodmap script. The variables are set for every urimethodmap request, to avoid accidental leaking of global environment variables. * Move about: to adapters (an obvious improvement over the previous solution)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/localcgi.md | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/localcgi.md b/doc/localcgi.md index 57135c03..9943fbda 100644 --- a/doc/localcgi.md +++ b/doc/localcgi.md @@ -67,6 +67,33 @@ Chawan sets the following environment variables: * `HTTP_COOKIE=` if set, the Cookie header. * `HTTP_REFERER=` if set, the Referer header. +For requests originating from a urimethodmap rewrite, Chawan will also set +the parsed URL's parts as environment variables. Use of these is highly +encouraged, to avoid exploits originating from double-parsing of URLs. + +Let example://username:password@host.org:1234/path/name.html?example be the +original URL. Then: + +* `MAPPED_URI_SCHEME=` the scheme of the original URL, in this case `example`. +* `MAPPED_URI_USERNAME=` the username part, in this case `username`. If no + username was specified, the variable is set to the empty string. +* `MAPPED_URI_PASSWORD=` the password part, in this case `password`. If no + password was specified, the variable is set to the empty string. +* `MAPPED_URI_HOST=` the host part, in this case `host.org` If no host was + specified, the variable is set to the empty string. (An example of an URL + with no host: `about:blank`, here `blank` is the path name.) +* `MAPPED_URI_PORT=` the port, in this case `1234`. If no port was specified, + the variable is set to the empty string. (In this case, the CGI script is + expected to use the default port for the scheme, if any.) +* `MAPPED_URI_PATH=` the path name, in this case `/path/name.html?example`. If + no path was specified, the variable is set to the empty string. Note: + the path name is percent-encoded. +* `MAPPED_URI_QUERY=` the query string, in this case `example`. Note that, + unlike in JavaScript, no question mark is prepended to the string. + The query string is percent-encoded as well. + +Note: the fragment part is omitted intentionally. + ## Request body If the request body is not empty, it is streamed into the program through |