3
0

draft-coar-cgi-v11-03-clean.html 85 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674
  1. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
  2. "http://www.w3.org/TR/REC-html40/loose.dtd">
  3. <HTML>
  4. <HEAD>
  5. <TITLE>Common Gateway Interface - 1.1 *Draft 03* [http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html]
  6. </TITLE>
  7. <!--#if expr="$HTTP_USER_AGENT != /Lynx/" -->
  8. <!--#set var="GUI" value="1" -->
  9. <!--#endif -->
  10. <LINK HREF="mailto:Ken.Coar@Golux.Com" rev="revised">
  11. <LINK REL="STYLESHEET" HREF="cgip-style-rfc.css" TYPE="text/css">
  12. <META name="latexstyle" content="rfc">
  13. <META name="author" content="Ken A L Coar">
  14. <META name="institute" content="IBM Corporation">
  15. <META name="date" content="25 June 1999">
  16. <META name="expires" content="Expires 31 December 1999">
  17. <META name="document" content="INTERNET-DRAFT">
  18. <META name="file" content="&lt;draft-coar-cgi-v11-03.txt&gt;">
  19. <META name="group" content="INTERNET-DRAFT">
  20. <!--
  21. There are a lot of BNF fragments in this document. To make it work
  22. in all possible browsers (including Lynx, which is used to turn it
  23. into text/plain), we handle these by using PREformatted blocks with
  24. a universal internal margin of 2, inside one-level DL blocks.
  25. -->
  26. </HEAD>
  27. <BODY>
  28. <!--
  29. HTML doesn't do paper pagination, so we need to fake it out. Basing
  30. our formatting upon RFC2068, there are four (4) lines of header and
  31. four (4) lines of footer for each page.
  32. <DIV ALIGN="CENTER">
  33. <PRE>
  34. Coar, et al. CGI/1.1 Specification May, 1998
  35. INTERNET-DRAFT Expires 1 December 1998 [Page 2]
  36. </PRE>
  37. </DIV>
  38. -->
  39. <!--
  40. The following weirdness wrt non-breaking spaces is to get Lynx
  41. (which is barely TABLE-aware) to line the left/right justified
  42. text up properly.
  43. -->
  44. <DIV ALIGN="CENTER">
  45. <TABLE WIDTH="100%" CELLPADDING=0 CELLSPACING=0>
  46. <TR VALIGN="TOP">
  47. <TD ALIGN="LEFT">
  48. INTERNET-DRAFT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  49. </TD>
  50. <TD ALIGN="RIGHT">
  51. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Ken A L Coar
  52. </TD>
  53. </TR>
  54. <TR VALIGN="TOP">
  55. <TD ALIGN="LEFT">
  56. draft-coar-cgi-v11-03.{html,txt}&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  57. </TD>
  58. <TD ALIGN="RIGHT">
  59. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;IBM Corporation
  60. </TD>
  61. </TR>
  62. <TR VALIGN="TOP">
  63. <TD ALIGN="LEFT">
  64. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  65. </TD>
  66. <TD ALIGN="RIGHT">
  67. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;D.R.T. Robinson
  68. </TD>
  69. </TR>
  70. <TR VALIGN="TOP">
  71. <TD ALIGN="LEFT">
  72. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  73. </TD>
  74. <TD ALIGN="RIGHT">
  75. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;E*TRADE&nbsp;UK&nbsp;Ltd.
  76. </TD>
  77. </TR>
  78. <TR VALIGN="TOP">
  79. <TD ALIGN="LEFT">
  80. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  81. </TD>
  82. <TD ALIGN="RIGHT">
  83. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;25 June 1999
  84. </TD>
  85. </TR>
  86. </TABLE>
  87. </DIV>
  88. <H1 ALIGN="CENTER">
  89. The WWW Common Gateway Interface
  90. <BR>
  91. Version 1.1
  92. </H1>
  93. <!--#include virtual="I-D-statement" -->
  94. <H2>
  95. <A NAME="Abstract">
  96. Abstract
  97. </A>
  98. </H2>
  99. <P>
  100. The Common Gateway Interface (CGI) is a simple interface for running
  101. external programs, software or gateways under an information server
  102. in a platform-independent manner. Currently, the supported information
  103. servers are HTTP servers.
  104. </P>
  105. <P>
  106. The interface has been in use by the World-Wide Web since 1993. This
  107. specification defines the
  108. "current practice" parameters of the
  109. 'CGI/1.1' interface developed and documented at the U.S. National
  110. Centre for Supercomputing Applications [NCSA-CGI].
  111. This document also defines the use of the CGI/1.1 interface
  112. on the Unix and AmigaDOS(tm) systems.
  113. </P>
  114. <P>
  115. Discussion of this draft occurs on the CGI-WG mailing list; see the
  116. project Web page at
  117. <SAMP>&lt;URL:<A HREF="http://CGI-Spec.Golux.Com/"
  118. >http://CGI-Spec.Golux.Com/</A>&gt;</SAMP>
  119. for details on the mailing list and the status of the project.
  120. </P>
  121. <!--#if expr="$GUI" -->
  122. <H2>
  123. Revision History
  124. </H2>
  125. <P>
  126. The revision history of this draft is being maintained using Web-based
  127. GUI notation, such as struck-through characters and colour-coded
  128. sections. The following legend describes how to determine the origin
  129. of a particular revision according to the colour of the text:
  130. </P>
  131. <DL COMPACT>
  132. <DT>Black
  133. </DT>
  134. <DD>Revision 00, released 28 May 1998
  135. </DD>
  136. <DT>Green
  137. </DT>
  138. <DD>Revision 01, released 28 December 1998
  139. <BR>
  140. Major structure change: Section 4, "Request Metadata (Meta-Variables)"
  141. was moved entirely under <A HREF="#7.0">Section 7</A>, "Data Input to the
  142. CGI Script."
  143. Due to the size of this change, it is noted here and the text in its
  144. former location does <EM>not</EM> appear as struckthrough. This has
  145. caused major <A HREF="#6.0">sections 5</A> and following to decrement
  146. by one. Other
  147. large text movements are likewise not marked up. References to RFC
  148. 1738 were changed to 2396 (1738's replacement).
  149. </DD>
  150. <DT>Red
  151. </DT>
  152. <DD>Revision 02, released 2 April, 1999
  153. <BR>
  154. Added text to <A HREF="#8.3">section 8.3</A> defining correct handling
  155. of HTTP/1.1
  156. requests using "chunked" Transfer-Encoding. Labelled metavariable
  157. names in <A HREF="#8.0">section 8</A> with the appropriate detail section
  158. numbers.
  159. Clarified allowed usage of <SAMP>Status</SAMP> and
  160. <SAMP>Location</SAMP> response header fields. Included new
  161. Internet-Draft language.
  162. </DD>
  163. <DT>Fuchsia
  164. </DT>
  165. <DD>Revision 03, released 25 June 1999
  166. <BR>
  167. Changed references from "HTTP" to "Protocol-Specific" for the listing of
  168. things like HTTP_ACCEPT. Changed 'entity-body' and 'content-body' to
  169. 'message-body.' Added a note that response headers must comply with
  170. requirements of the protocol level in use. Added a lot of stuff about
  171. security (section 11). Clarified a bunch of productions. Pointed out
  172. that zero-length and omitted values are indistinguishable in this
  173. specification. Clarified production describing order of fields in
  174. script response header. Clarified issues surrounding encoding of
  175. data. Acknowledged additional contributors, and changed one of
  176. the authors' addresses.
  177. </DD>
  178. </DL>
  179. <!--#endif -->
  180. <H2>
  181. <A NAME="Contents">
  182. Table of Contents
  183. </A>
  184. </H2>
  185. <DIV ALIGN="CENTER">
  186. <PRE>
  187. 1 Introduction..............................................<A
  188. HREF="#1.0"
  189. >TBD</A>
  190. 1.1 Purpose................................................<A
  191. HREF="#1.1"
  192. >TBD</A>
  193. 1.2 Requirements...........................................<A
  194. HREF="#1.2"
  195. >TBD</A>
  196. 1.3 Specifications.........................................<A
  197. HREF="#1.3"
  198. >TBD</A>
  199. 1.4 Terminology............................................<A
  200. HREF="#1.4"
  201. >TBD</A>
  202. 2 Notational Conventions and Generic Grammar................<A
  203. HREF="#2.0"
  204. >TBD</A>
  205. 2.1 Augmented BNF..........................................<A
  206. HREF="#2.1"
  207. >TBD</A>
  208. 2.2 Basic Rules............................................<A
  209. HREF="#2.2"
  210. >TBD</A>
  211. 3 Protocol Parameters.......................................<A
  212. HREF="#3.0"
  213. >TBD</A>
  214. 3.1 URL Encoding...........................................<A
  215. HREF="#3.1"
  216. >TBD</A>
  217. 3.2 The Script-URI.........................................<A
  218. HREF="#3.2"
  219. >TBD</A>
  220. 4 Invoking the Script.......................................<A
  221. HREF="#4.0"
  222. >TBD</A>
  223. 5 The CGI Script Command Line...............................<A
  224. HREF="#5.0"
  225. >TBD</A>
  226. 6 Data Input to the CGI Script..............................<A
  227. HREF="#6.0"
  228. >TBD</A>
  229. 6.1 Request Metadata (Metavariables).......................<A
  230. HREF="#6.1"
  231. >TBD</A>
  232. 6.1.1 AUTH_TYPE...........................................<A
  233. HREF="#6.1.1"
  234. >TBD</A>
  235. 6.1.2 CONTENT_LENGTH......................................<A
  236. HREF="#6.1.2"
  237. >TBD</A>
  238. 6.1.3 CONTENT_TYPE........................................<A
  239. HREF="#6.1.3"
  240. >TBD</A>
  241. 6.1.4 GATEWAY_INTERFACE...................................<A
  242. HREF="#6.1.4"
  243. >TBD</A>
  244. 6.1.5 Protocol-Specific Metavariables.....................<A
  245. HREF="#6.1.5"
  246. >TBD</A>
  247. 6.1.6 PATH_INFO...........................................<A
  248. HREF="#6.1.6"
  249. >TBD</A>
  250. 6.1.7 PATH_TRANSLATED.....................................<A
  251. HREF="#6.1.7"
  252. >TBD</A>
  253. 6.1.8 QUERY_STRING........................................<A
  254. HREF="#6.1.8"
  255. >TBD</A>
  256. 6.1.9 REMOTE_ADDR.........................................<A
  257. HREF="#6.1.9"
  258. >TBD</A>
  259. 6.1.10 REMOTE_HOST........................................<A
  260. HREF="#6.1.10"
  261. >TBD</A>
  262. 6.1.11 REMOTE_IDENT.......................................<A
  263. HREF="#6.1.11"
  264. >TBD</A>
  265. 6.1.12 REMOTE_USER........................................<A
  266. HREF="#6.1.12"
  267. >TBD</A>
  268. 6.1.13 REQUEST_METHOD.....................................<A
  269. HREF="#6.1.13"
  270. >TBD</A>
  271. 6.1.14 SCRIPT_NAME........................................<A
  272. HREF="#6.1.14"
  273. >TBD</A>
  274. 6.1.15 SERVER_NAME........................................<A
  275. HREF="#6.1.15"
  276. >TBD</A>
  277. 6.1.16 SERVER_PORT........................................<A
  278. HREF="#6.1.16"
  279. >TBD</A>
  280. 6.1.17 SERVER_PROTOCOL....................................<A
  281. HREF="#6.1.17"
  282. >TBD</A>
  283. 6.1.18 SERVER_SOFTWARE....................................<A
  284. HREF="#6.1.18"
  285. >TBD</A>
  286. 6.2 Request Message-Bodies................................<A
  287. HREF="#6.2"
  288. >TBD</A>
  289. 7 Data Output from the CGI Script...........................<A
  290. HREF="#7.0"
  291. >TBD</A>
  292. 7.1 Non-Parsed Header Output...............................<A
  293. HREF="#7.1"
  294. >TBD</A>
  295. 7.2 Parsed Header Output...................................<A
  296. HREF="#7.2"
  297. >TBD</A>
  298. 7.2.1 CGI header fields...................................<A
  299. HREF="#7.2.1"
  300. >TBD</A>
  301. 7.2.1.1 Content-Type.....................................<A
  302. HREF="#7.2.1.1"
  303. >TBD</A>
  304. 7.2.1.2 Location.........................................<A
  305. HREF="#7.2.1.2"
  306. >TBD</A>
  307. 7.2.1.3 Status...........................................<A
  308. HREF="#7.2.1.3"
  309. >TBD</A>
  310. 7.2.1.4 Extension header fields..........................<A
  311. HREF="#7.2.1.3"
  312. >TBD</A>
  313. 7.2.2 HTTP header fields..................................<A
  314. HREF="#7.2.2"
  315. >TBD</A>
  316. 8 Server Implementation.....................................<A
  317. HREF="#8.0"
  318. >TBD</A>
  319. 8.1 Requirements for Servers...............................<A
  320. HREF="#8.1"
  321. >TBD</A>
  322. 8.1.1 Script-URI..........................................<A
  323. HREF="#8.1"
  324. >TBD</A>
  325. 8.1.2 Request Message-body Handling.......................<A
  326. HREF="#8.1.2"
  327. >TBD</A>
  328. 8.1.3 Required Metavariables..............................<A
  329. HREF="#8.1.3"
  330. >TBD</A>
  331. 8.1.4 Response Compliance.................................<A
  332. HREF="#8.1.4"
  333. >TBD</A>
  334. 8.2 Recommendations for Servers............................<A
  335. HREF="#8.2"
  336. >TBD</A>
  337. 8.3 Summary of Metavariables...............................<A
  338. HREF="#8.3"
  339. >TBD</A>
  340. 9 Script Implementation.....................................<A
  341. HREF="#9.0"
  342. >TBD</A>
  343. 9.1 Requirements for Scripts...............................<A
  344. HREF="#9.1"
  345. >TBD</A>
  346. 9.2 Recommendations for Scripts............................<A
  347. HREF="#9.2"
  348. >TBD</A>
  349. 10 System Specifications....................................<A
  350. HREF="#10.0"
  351. >TBD</A>
  352. 10.1 AmigaDOS..............................................<A
  353. HREF="#10.1"
  354. >TBD</A>
  355. 10.2 Unix..................................................<A
  356. HREF="#10.2"
  357. >TBD</A>
  358. 11 Security Considerations..................................<A
  359. HREF="#11.0"
  360. >TBD</A>
  361. 11.1 Safe Methods..........................................<A
  362. HREF="#11.1"
  363. >TBD</A>
  364. 11.2 HTTP Header Fields Containing Sensitive Information...<A
  365. HREF="#11.2"
  366. >TBD</A>
  367. 11.3 Script Interference with the Server...................<A
  368. HREF="#11.3"
  369. >TBD</A>
  370. 11.4 Data Length and Buffering Considerations..............<A
  371. HREF="#11.4"
  372. >TBD</A>
  373. 11.5 Stateless Processing..................................<A
  374. HREF="#11.5"
  375. >TBD</A>
  376. 12 Acknowledgments..........................................<A
  377. HREF="#12.0"
  378. >TBD</A>
  379. 13 References...............................................<A
  380. HREF="#13.0"
  381. >TBD</A>
  382. 14 Authors' Addresses.......................................<A
  383. HREF="#14.0"
  384. >TBD</A>
  385. </PRE>
  386. </DIV>
  387. <H2>
  388. <A NAME="1.0">
  389. 1. Introduction
  390. </A>
  391. </H2>
  392. <H3>
  393. <A NAME="1.1">
  394. 1.1. Purpose
  395. </A>
  396. </H3>
  397. <P>
  398. Together the HTTP [<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>] server
  399. and the CGI script are responsible
  400. for servicing a client
  401. request by sending back responses. The client
  402. request comprises a Universal Resource Identifier (URI)
  403. [<A HREF="#[1]">1</A>], a
  404. request method, and various ancillary
  405. information about the request
  406. provided by the transport mechanism.
  407. </P>
  408. <P>
  409. The CGI defines the abstract parameters, known as
  410. metavariables,
  411. which describe the client's
  412. request. Together with a
  413. concrete programmer interface this specifies a platform-independent
  414. interface between the script and the HTTP server.
  415. </P>
  416. <H3>
  417. <A NAME="1.2">
  418. 1.2. Requirements
  419. </A>
  420. </H3>
  421. <P>
  422. This specification uses the same words as RFC 1123
  423. [<A HREF="#[5]">5</A>] to define the
  424. significance of each particular requirement. These are:
  425. </P><!--#if expr="! $GUI" -->
  426. <P></P><!--#endif -->
  427. <DL>
  428. <DT><EM>MUST</EM>
  429. </DT>
  430. <DD>
  431. <P>
  432. This word or the adjective 'required' means that the item is an
  433. absolute requirement of the specification.
  434. </P>
  435. </DD>
  436. <DT><EM>SHOULD</EM>
  437. </DT>
  438. <DD>
  439. <P>
  440. This word or the adjective 'recommended' means that there may
  441. exist valid reasons in particular circumstances to ignore this
  442. item, but the full implications should be understood and the case
  443. carefully weighed before choosing a different course.
  444. </P>
  445. </DD>
  446. <DT><EM>MAY</EM>
  447. </DT>
  448. <DD>
  449. <P>
  450. This word or the adjective 'optional' means that this item is
  451. truly optional. One vendor may choose to include the item because
  452. a particular marketplace requires it or because it enhances the
  453. product, for example; another vendor may omit the same item.
  454. </P>
  455. </DD>
  456. </DL>
  457. <P>
  458. An implementation is not compliant if it fails to satisfy one or more
  459. of the 'must' requirements for the protocols it implements. An
  460. implementation that satisfies all of the 'must' and all of the
  461. 'should' requirements for its features is said to be 'unconditionally
  462. compliant'; one that satisfies all of the 'must' requirements but not
  463. all of the 'should' requirements for its features is said to be
  464. 'conditionally compliant.'
  465. </P>
  466. <H3>
  467. <A NAME="1.3">
  468. 1.3. Specifications
  469. </A>
  470. </H3>
  471. <P>
  472. Not all of the functions and features of the CGI are defined in the
  473. main part of this specification. The following phrases are used to
  474. describe the features which are not specified:
  475. </P>
  476. <DL>
  477. <DT><EM>system defined</EM>
  478. </DT>
  479. <DD>
  480. <P>
  481. The feature may differ between systems, but must be the same for
  482. different implementations using the same system. A system will
  483. usually identify a class of operating-systems. Some systems are
  484. defined in
  485. <A HREF="#10.0"
  486. >section 10</A> of this document.
  487. New systems may be defined
  488. by new specifications without revision of this document.
  489. </P>
  490. </DD>
  491. <DT><EM>implementation defined</EM>
  492. </DT>
  493. <DD>
  494. <P>
  495. The behaviour of the feature may vary from implementation to
  496. implementation, but a particular implementation must document its
  497. behaviour.
  498. </P>
  499. </DD>
  500. </DL>
  501. <H3>
  502. <A NAME="1.4">
  503. 1.4. Terminology
  504. </A>
  505. </H3>
  506. <P>
  507. This specification uses many terms defined in the HTTP/1.1
  508. specification [<A HREF="#[8]">8</A>]; however, the following terms are
  509. used here in a
  510. sense which may not accord with their definitions in that document,
  511. or with their common meaning.
  512. </P>
  513. <DL>
  514. <DT><EM>metavariable</EM>
  515. </DT>
  516. <DD>
  517. <P>
  518. A named parameter that carries information from the server to the
  519. script. It is not necessarily a variable in the operating-system's
  520. environment, although that is the most common implementation.
  521. </P>
  522. </DD>
  523. <DT><EM>script</EM>
  524. </DT>
  525. <DD>
  526. <P>
  527. The software which is invoked by the server <EM>via</EM> this
  528. interface. It
  529. need not be a standalone program, but could be a
  530. dynamically-loaded or shared library, or even a subroutine in the
  531. server. It <EM>may</EM> be a set of statements
  532. interpreted at run-time, as the term 'script' is frequently
  533. understood, but that is not a requirement and within the context
  534. of this specification the term has the broader definition stated.
  535. </P>
  536. </DD>
  537. <DT><EM>server</EM>
  538. </DT>
  539. <DD>
  540. <P>
  541. The application program which invokes the script in order to service
  542. requests.
  543. </P>
  544. </DD>
  545. </DL>
  546. <H2>
  547. <A NAME="2.0">
  548. 2. Notational Conventions and Generic Grammar
  549. </A>
  550. </H2>
  551. <H3>
  552. <A NAME="2.1">
  553. 2.1. Augmented BNF
  554. </A>
  555. </H3>
  556. <P>
  557. All of the mechanisms specified in this document are described in
  558. both prose and an augmented Backus-Naur Form (BNF) similar to that
  559. used by RFC 822 [<A HREF="#[6]">6</A>]. This augmented BNF contains
  560. the following constructs:
  561. </P>
  562. <DL>
  563. <DT>name = definition
  564. </DT>
  565. <DD>
  566. <P>
  567. The
  568. definition by the equal character ("="). Whitespace is only
  569. significant in that continuation lines of a definition are
  570. indented.
  571. </P>
  572. </DD>
  573. <DT>"literal"
  574. </DT>
  575. <DD>
  576. <P>
  577. Quotation marks (") surround literal text, except for a literal
  578. quotation mark, which is surrounded by angle-brackets ("&lt;" and "&gt;").
  579. Unless stated otherwise, the text is case-sensitive.
  580. </P>
  581. </DD>
  582. <DT>rule1 | rule2
  583. </DT>
  584. <DD>
  585. <P>
  586. Alternative rules are separated by a vertical bar ("|").
  587. </P>
  588. </DD>
  589. <DT>(rule1 rule2 rule3)
  590. </DT>
  591. <DD>
  592. <P>
  593. Elements enclosed in parentheses are treated as a single element.
  594. </P>
  595. </DD>
  596. <DT>*rule
  597. </DT>
  598. <DD>
  599. <P>
  600. A rule preceded by an asterisk ("*") may have zero or more
  601. occurrences. A rule preceded by an integer followed by an asterisk
  602. must occur at least the specified number of times.
  603. </P>
  604. </DD>
  605. <DT>[rule]
  606. </DT>
  607. <DD>
  608. <P>
  609. An element enclosed in square
  610. brackets ("[" and "]") is optional.
  611. </P>
  612. </DD>
  613. </DL>
  614. <H3>
  615. <A NAME="2.2">
  616. 2.2. Basic Rules
  617. </A>
  618. </H3>
  619. <P>
  620. The following rules are used throughout this specification to
  621. describe basic parsing constructs.
  622. </P><!--#if expr="! $GUI" -->
  623. <P></P><!--#endif -->
  624. <PRE>
  625. alpha = lowalpha | hialpha
  626. alphanum = alpha | digit
  627. lowalpha = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h"
  628. | "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p"
  629. | "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x"
  630. | "y" | "z"
  631. hialpha = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H"
  632. | "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P"
  633. | "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X"
  634. | "Y" | "Z"
  635. digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7"
  636. | "8" | "9"
  637. hex = digit | "A" | "B" | "C" | "D" | "E" | "F" | "a"
  638. | "b" | "c" | "d" | "e" | "f"
  639. escaped = "%" hex hex
  640. OCTET = &lt;any 8-bit sequence of data&gt;
  641. CHAR = &lt;any US-ASCII character (octets 0 - 127)&gt;
  642. CTL = &lt;any US-ASCII control character
  643. (octets 0 - 31) and DEL (127)&gt;
  644. CR = &lt;US-ASCII CR, carriage return (13)&gt;
  645. LF = &lt;US-ASCII LF, linefeed (10)&gt;
  646. SP = &lt;US-ASCII SP, space (32)&gt;
  647. HT = &lt;US-ASCII HT, horizontal tab (9)&gt;
  648. NL = CR | LF
  649. LWSP = SP | HT | NL
  650. tspecial = "(" | ")" | "@" | "," | ";" | ":" | "\" | &lt;"&gt;
  651. | "/" | "[" | "]" | "?" | "&lt;" | "&gt;" | "{" | "}"
  652. | SP | HT | NL
  653. token = 1*&lt;any CHAR except CTLs or tspecials&gt;
  654. quoted-string = ( &lt;"&gt; *qdtext &lt;"&gt; ) | ( "&lt;" *qatext "&gt;")
  655. qdtext = &lt;any CHAR except &lt;"&gt; and CTLs but including LWSP&gt;
  656. qatext = &lt;any CHAR except "&lt;", "&gt;" and CTLs but
  657. including LWSP&gt;
  658. mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
  659. unreserved = alphanum | mark
  660. reserved = ";" | "/" | "?" | ":" | "@" | "&amp;" | "=" |
  661. "$" | ","
  662. uric = reserved | unreserved | escaped
  663. </PRE>
  664. <P>
  665. Note that newline (NL) need not be a single character, but can be a
  666. character sequence.
  667. </P>
  668. <H2>
  669. <A NAME="3.0">
  670. 3. Protocol Parameters
  671. </A>
  672. </H2>
  673. <H3>
  674. <A NAME="3.1">
  675. 3.1. URL Encoding
  676. </A>
  677. </H3>
  678. <P>
  679. Some variables and constructs used here are described as being
  680. 'URL-encoded'. This encoding is described in section
  681. 2 of RFC
  682. 2396
  683. [<A HREF="#[4]">4</A>].
  684. </P>
  685. <P>
  686. An alternate "shortcut" encoding for representing the space
  687. character exists and is in common use. Scripts MUST be prepared to
  688. recognise both '+' and '%20' as an encoded space in a
  689. URL-encoded value.
  690. </P>
  691. <P>
  692. Note that some unsafe characters may have different semantics if
  693. they are encoded. The definition of which characters are unsafe
  694. depends on the context.
  695. For example, the following two URLs do not
  696. necessarily refer to the same resource:
  697. </P><!--#if expr="! $GUI" -->
  698. <P></P><!--#endif -->
  699. <PRE>
  700. http://somehost.com/somedir%2Fvalue
  701. http://somehost.com/somedir/value
  702. </PRE>
  703. <P>
  704. See section
  705. 2 of RFC
  706. 2396 [<A HREF="#[4]">4</A>]
  707. for authoritative treatment of this issue.
  708. </P>
  709. <H3>
  710. <A NAME="3.2">
  711. 3.2. The Script-URI
  712. </A>
  713. </H3>
  714. <P>
  715. The 'Script-URI' is defined as the URI of the resource identified
  716. by the metavariables. Often,
  717. this URI will be the same as
  718. the URI requested by the client (the 'Client-URI'); however, it need
  719. not be. Instead, it could be a URI invented by the server, and so it
  720. can only be used in the context of the server and its CGI interface.
  721. </P>
  722. <P>
  723. The Script-URI has the syntax of generic-RL as defined in section 2.1
  724. of RFC 1808 [<A HREF="#[7]">7</A>], with the exception that object
  725. parameters and
  726. fragment identifiers are not permitted:
  727. </P><!--#if expr="! $GUI" -->
  728. <P></P><!--#endif -->
  729. <PRE>
  730. &lt;scheme&gt;://&lt;host&gt;&lt;port&gt;/&lt;path&gt;?&lt;query&gt;
  731. </PRE>
  732. <P>
  733. The various components of the
  734. Script-URI
  735. are defined by some of the
  736. metavariables (see
  737. <A HREF="#4.0">section 4</A>
  738. below);
  739. </P><!--#if expr="! $GUI" -->
  740. <P></P><!--#endif -->
  741. <PRE>
  742. script-uri = protocol "://" SERVER_NAME ":" SERVER_PORT enc-script
  743. enc-path-info "?" QUERY_STRING
  744. </PRE>
  745. <P>
  746. where 'protocol' is obtained
  747. from SERVER_PROTOCOL, 'enc-script' is a
  748. URL-encoded version of SCRIPT_NAME and 'enc-path-info' is a
  749. URL-encoded version of PATH_INFO. See
  750. <A HREF="#4.6">section 4.6</A> for more information about the PATH_INFO
  751. metavariable.
  752. </P>
  753. <P>
  754. Note that the scheme and the protocol are <EM>not</EM> identical;
  755. for instance, a resource accessed <EM>via</EM> an SSL mechanism
  756. may have a Client-URI with a scheme of "<SAMP>https</SAMP>"
  757. rather than "<SAMP>http</SAMP>". CGI/1.1 provides no means
  758. for the script to reconstruct this, and therefore
  759. the Script-URI includes the base protocol used.
  760. </P>
  761. <H2>
  762. <A NAME="4.0">
  763. 4. Invoking the Script
  764. </A>
  765. </H2>
  766. <P>
  767. The
  768. script is invoked in a system defined manner. Unless specified
  769. otherwise, the file containing the script will be invoked as an
  770. executable program.
  771. </P>
  772. <H2>
  773. <A NAME="5.0">
  774. 5. The CGI Script Command Line
  775. </A>
  776. </H2>
  777. <P>
  778. Some systems support a method for supplying an array of strings to
  779. the CGI script. This is only used in the case of an 'indexed' query.
  780. This is identified by a "GET" or "HEAD" HTTP request with a URL
  781. query
  782. string not containing any unencoded "=" characters. For such a
  783. request,
  784. servers SHOULD parse the search string
  785. into words, using the following rules:
  786. </P><!--#if expr="! $GUI" -->
  787. <P></P><!--#endif -->
  788. <PRE>
  789. search-string = search-word *( "+" search-word )
  790. search-word = 1*schar
  791. schar = xunreserved | escaped | xreserved
  792. xunreserved = alpha | digit | xsafe | extra
  793. xsafe = "$" | "-" | "_" | "."
  794. xreserved = ";" | "/" | "?" | ":" | "@" | "&"
  795. </PRE>
  796. <P>
  797. After parsing, each word is URL-decoded, optionally encoded in a
  798. system defined manner,
  799. and then the argument list is set to the list
  800. of words.
  801. </P>
  802. <P>
  803. If the server cannot create any part of the argument list, then the
  804. server SHOULD NOT generate any command line information. For example, the
  805. number of arguments may be greater than operating system or server
  806. limitations permit, or one of the words may not be representable as an
  807. argument.
  808. </P>
  809. <P>
  810. Scripts SHOULD check to see if the QUERY_STRING value contains an
  811. unencoded "=" character, and SHOULD NOT use the command line arguments
  812. if it does.
  813. </P>
  814. <H2>
  815. <A NAME="6.0">
  816. 6. Data Input to the CGI Script
  817. </A>
  818. </H2>
  819. <P>
  820. Information about a request comes from two different sources: the
  821. request header, and any associated
  822. message-body.
  823. Servers MUST
  824. make portions of this information available to
  825. scripts.
  826. </P>
  827. <H3>
  828. <A NAME="6.1">
  829. 6.1. Request Metadata
  830. (Metavariables)
  831. </A>
  832. </H3>
  833. <P>
  834. Each CGI server
  835. implementation MUST define a mechanism
  836. to pass data about the request from
  837. the server to the script.
  838. The metavariables containing these
  839. data
  840. are accessed by the script in a system
  841. defined manner.
  842. The
  843. representation of the characters in the
  844. metavariables is
  845. system defined.
  846. </P>
  847. <P>
  848. This specification does not distinguish between the representation of
  849. null values and missing ones. Whether null or missing values
  850. (such as a query component of "?" or "", respectively) are represented
  851. by undefined metavariables or by metavariables with values of "" is
  852. implementation-defined.
  853. </P>
  854. <P>
  855. Case is not significant in the
  856. metavariable
  857. names, in that there cannot be two
  858. different variables
  859. whose names differ in case only. Here they are
  860. shown using a canonical representation of capitals plus underscore
  861. ("_"). The actual representation of the names is system defined; for
  862. a particular system the representation MAY be defined differently
  863. than this.
  864. </P>
  865. <P>
  866. Metavariable
  867. values MUST be
  868. considered case-sensitive except as noted
  869. otherwise.
  870. </P>
  871. <P>
  872. The canonical
  873. metavariables
  874. defined by this specification are:
  875. </P><!--#if expr="! $GUI" -->
  876. <P></P><!--#endif -->
  877. <PRE>
  878. AUTH_TYPE
  879. CONTENT_LENGTH
  880. CONTENT_TYPE
  881. GATEWAY_INTERFACE
  882. PATH_INFO
  883. PATH_TRANSLATED
  884. QUERY_STRING
  885. REMOTE_ADDR
  886. REMOTE_HOST
  887. REMOTE_IDENT
  888. REMOTE_USER
  889. REQUEST_METHOD
  890. SCRIPT_NAME
  891. SERVER_NAME
  892. SERVER_PORT
  893. SERVER_PROTOCOL
  894. SERVER_SOFTWARE
  895. </PRE>
  896. <P>
  897. Metavariables with names beginning with the protocol name (<EM>e.g.</EM>,
  898. "HTTP_ACCEPT") are also canonical in their description of request header
  899. fields. The number and meaning of these fields may change independently
  900. of this specification. (See also <A HREF="#6.1.5">section 6.1.5</A>.)
  901. </P>
  902. <H4>
  903. <A NAME="6.1.1">
  904. 6.1.1. AUTH_TYPE
  905. </A>
  906. </H4>
  907. <P>
  908. This variable is specific to requests made
  909. <EM>via</EM> the
  910. "<CODE>http</CODE>"
  911. scheme.
  912. </P>
  913. <P>
  914. If the Script-URI
  915. required access authentication for external
  916. access, then the server
  917. MUST set
  918. the value of
  919. this variable
  920. from the '<SAMP>auth-scheme</SAMP>' token in
  921. the request's "<SAMP>Authorization</SAMP>" header
  922. field.
  923. Otherwise
  924. it is
  925. set to NULL.
  926. </P><!--#if expr="! $GUI" -->
  927. <P></P><!--#endif -->
  928. <PRE>
  929. AUTH_TYPE = "" | auth-scheme
  930. auth-scheme = "Basic" | "Digest" | token
  931. </PRE>
  932. <P>
  933. HTTP access authentication schemes are described in section 11 of the
  934. HTTP/1.1 specification [<A HREF="#[8]">8</A>]. The auth-scheme is
  935. not case-sensitive.
  936. </P>
  937. <P>
  938. Servers
  939. MUST
  940. provide this metavariable
  941. to scripts if the request
  942. header included an "<SAMP>Authorization</SAMP>" field
  943. that was authenticated.
  944. </P>
  945. <H4>
  946. <A NAME="6.1.2">
  947. 6.1.2. CONTENT_LENGTH
  948. </A>
  949. </H4>
  950. <P>
  951. This
  952. metavariable
  953. is set to the
  954. size of the message-body
  955. entity attached to the request, if any, in decimal
  956. number of octets. If no data are attached, then this
  957. metavariable
  958. is either NULL or not
  959. defined. The syntax is
  960. the same as for
  961. the HTTP "<SAMP>Content-Length</SAMP>" header field (section 14.14, HTTP/1.1
  962. specification [<A HREF="#[8]">8</A>]).
  963. </P><!--#if expr="! $GUI" -->
  964. <P></P><!--#endif -->
  965. <PRE>
  966. CONTENT_LENGTH = "" | 1*digit
  967. </PRE>
  968. <P>
  969. Servers MUST provide this metavariable
  970. to scripts if the request
  971. was accompanied by a
  972. message-body entity.
  973. </P>
  974. <H4>
  975. <A NAME="6.1.3">
  976. 6.1.3. CONTENT_TYPE
  977. </A>
  978. </H4>
  979. <P>
  980. If the request includes a
  981. message-body,
  982. CONTENT_TYPE is set
  983. to
  984. the Internet Media Type
  985. [<A HREF="#[9]">9</A>] of the attached
  986. entity if the type was provided <EM>via</EM>
  987. a "<SAMP>Content-type</SAMP>" field in the
  988. request header, or if the server can determine it in the absence
  989. of a supplied "<SAMP>Content-type</SAMP>" field. The syntax is the
  990. same as for the HTTP
  991. "<SAMP>Content-Type</SAMP>" header field.
  992. </P><!--#if expr="! $GUI" -->
  993. <P></P><!--#endif -->
  994. <PRE>
  995. CONTENT_TYPE = "" | media-type
  996. media-type = type "/" subtype *( ";" parameter)
  997. type = token
  998. subtype = token
  999. parameter = attribute "=" value
  1000. attribute = token
  1001. value = token | quoted-string
  1002. </PRE>
  1003. <P>
  1004. The type, subtype,
  1005. and parameter attribute names are not
  1006. case-sensitive. Parameter values MAY be case sensitive.
  1007. Media types and their use in HTTP are described
  1008. in section 3.7 of the
  1009. HTTP/1.1 specification [<A HREF="#[8]">8</A>].
  1010. </P>
  1011. <P>
  1012. Example:
  1013. </P><!--#if expr="! $GUI" -->
  1014. <P></P><!--#endif -->
  1015. <PRE>
  1016. application/x-www-form-urlencoded
  1017. </PRE>
  1018. <P>
  1019. There is no default value for this variable. If and only if it is
  1020. unset, then the script MAY attempt to determine the media type from
  1021. the data received. If the type remains unknown, then
  1022. the script MAY choose to either assume a
  1023. content-type of
  1024. <SAMP>application/octet-stream</SAMP>
  1025. or reject the request with a 415 ("Unsupported Media Type")
  1026. error. See <A HREF="#7.2.1.3">section 7.2.1.3</A>
  1027. for more information about returning error status values.
  1028. </P>
  1029. <P>
  1030. Servers MUST provide this metavariable
  1031. to scripts if
  1032. a "<SAMP>Content-Type</SAMP>" field was present
  1033. in the original request header. If the server receives a request
  1034. with an attached entity but no "<SAMP>Content-Type</SAMP>"
  1035. header field, it MAY attempt to
  1036. determine the correct datatype, or it MAY omit this
  1037. metavariable when
  1038. communicating the request information to the script.
  1039. </P>
  1040. <H4>
  1041. <A NAME="6.1.4">
  1042. 6.1.4. GATEWAY_INTERFACE
  1043. </A>
  1044. </H4>
  1045. <P>
  1046. This
  1047. metavariable
  1048. is set to
  1049. the dialect of CGI being used
  1050. by the server to communicate with the script.
  1051. Syntax:
  1052. </P><!--#if expr="! $GUI" -->
  1053. <P></P><!--#endif -->
  1054. <PRE>
  1055. GATEWAY_INTERFACE = "CGI" "/" major "." minor
  1056. major = 1*digit
  1057. minor = 1*digit
  1058. </PRE>
  1059. <P>
  1060. Note that the major and minor numbers are treated as separate
  1061. integers and hence each may be
  1062. more than a single
  1063. digit. Thus CGI/2.4 is a lower version than CGI/2.13 which in turn
  1064. is lower than CGI/12.3. Leading zeros in either
  1065. the major or the minor number MUST be ignored by scripts and
  1066. SHOULD NOT be generated by servers.
  1067. </P>
  1068. <P>
  1069. This document defines the 1.1 version of the CGI interface
  1070. ("CGI/1.1").
  1071. </P>
  1072. <P>
  1073. Servers MUST provide this metavariable
  1074. to scripts.
  1075. </P>
  1076. <H4>
  1077. <A NAME="6.1.5">
  1078. 6.1.5. Protocol-Specific Metavariables
  1079. </A>
  1080. </H4>
  1081. <P>
  1082. These metavariables are specific to
  1083. the protocol
  1084. <EM>via</EM> which the request is made.
  1085. Interpretation of these variables depends on the value of
  1086. the
  1087. SERVER_PROTOCOL
  1088. metavariable
  1089. (see
  1090. <A HREF="#6.1.17">section 6.1.17</A>).
  1091. </P>
  1092. <P>
  1093. Metavariables
  1094. with names beginning with "HTTP_" contain
  1095. values from the request header, if the
  1096. scheme used was HTTP.
  1097. Each
  1098. HTTP header field name is converted to upper case, has all occurrences of
  1099. "-" replaced with "_",
  1100. and has "HTTP_" prepended to form
  1101. the metavariable name.
  1102. Similar transformations are applied for other
  1103. protocols.
  1104. The header data MAY be presented as sent
  1105. by the client, or MAY be rewritten in ways which do not change its
  1106. semantics. If multiple header fields with the same field-name are received
  1107. then the server
  1108. MUST rewrite them as though they
  1109. had been received as a single header field having the same
  1110. semantics before being represented in a
  1111. metavariable.
  1112. Similarly, a header field that is received on more than one line
  1113. MUST be merged into a single line. The server MUST, if necessary,
  1114. change the representation of the data (for example, the character
  1115. set) to be appropriate for a CGI
  1116. metavariable.
  1117. <!-- ###NOTE: See if 2068 describes this thoroughly, and
  1118. point there if so. -->
  1119. </P>
  1120. <P>
  1121. Servers are
  1122. not required to create
  1123. metavariables for all
  1124. the request
  1125. header fields that they
  1126. receive. In particular,
  1127. they MAY
  1128. decline to make available any
  1129. header fields carrying authentication information, such as
  1130. "<SAMP>Authorization</SAMP>", or
  1131. which are available to the script
  1132. <EM>via</EM> other metavariables,
  1133. such as "<SAMP>Content-Length</SAMP>" and "<SAMP>Content-Type</SAMP>".
  1134. </P>
  1135. <H4>
  1136. <A NAME="6.1.6">
  1137. 6.1.6. PATH_INFO
  1138. </A>
  1139. </H4>
  1140. <P>
  1141. The PATH_INFO
  1142. metavariable
  1143. specifies
  1144. a path to be interpreted by the CGI script. It identifies the
  1145. resource or sub-resource to be returned
  1146. by the CGI
  1147. script, and it is derived from the portion
  1148. of the URI path following the script name but preceding
  1149. any query data.
  1150. The syntax
  1151. and semantics are similar to a decoded HTTP URL
  1152. 'path' token
  1153. (defined in
  1154. RFC 2396
  1155. [<A HREF="#[4]">4</A>]), with the exception
  1156. that a PATH_INFO of "/"
  1157. represents a single void path segment.
  1158. </P><!--#if expr="! $GUI" -->
  1159. <P></P><!--#endif -->
  1160. <PRE>
  1161. PATH_INFO = "" | ( "/" path )
  1162. path = segment *( "/" segment )
  1163. segment = *pchar
  1164. pchar = &lt;any CHAR except "/"&gt;
  1165. </PRE>
  1166. <P>
  1167. The PATH_INFO string is the trailing part of the &lt;path&gt; component of
  1168. the Script-URI
  1169. (see <A HREF="#3.2">section 3.2</A>)
  1170. that follows the SCRIPT_NAME
  1171. portion of the path.
  1172. </P>
  1173. <P>
  1174. Servers MAY impose their own restrictions and
  1175. limitations on what values they will accept for PATH_INFO, and MAY
  1176. reject or edit any values they
  1177. consider objectionable before passing
  1178. them to the script.
  1179. </P>
  1180. <P>
  1181. Servers MUST make this URI component available
  1182. to CGI scripts. The PATH_INFO
  1183. value is case-sensitive, and the
  1184. server MUST preserve the case of the PATH_INFO element of the URI
  1185. when making it available to scripts.
  1186. </P>
  1187. <H4>
  1188. <A NAME="6.1.7">
  1189. 6.1.7. PATH_TRANSLATED
  1190. </A>
  1191. </H4>
  1192. <P>
  1193. PATH_TRANSLATED is derived by taking any path-info component of the
  1194. request URI (see
  1195. <A HREF="#6.1.6">section 6.1.6</A>), decoding it
  1196. (see <A HREF="#3.1">section 3.1</A>), parsing it as a URI in its own
  1197. right, and performing any virtual-to-physical
  1198. translation appropriate to map it onto the
  1199. server's document repository structure.
  1200. If the request URI includes no path-info
  1201. component, the PATH_TRANSLATED metavariable SHOULD NOT be defined.
  1202. </P><!--#if expr="! $GUI" -->
  1203. <P></P><!--#endif -->
  1204. <PRE>
  1205. PATH_TRANSLATED = *CHAR
  1206. </PRE>
  1207. <P>
  1208. For a request such as the following:
  1209. </P><!--#if expr="! $GUI" -->
  1210. <P></P><!--#endif -->
  1211. <PRE>
  1212. http://somehost.com/cgi-bin/somescript/this%2eis%2epath%2einfo
  1213. </PRE>
  1214. <P>
  1215. the PATH_INFO component would be decoded, and the result
  1216. parsed as though it were a request for the following:
  1217. </P><!--#if expr="! $GUI" -->
  1218. <P></P><!--#endif -->
  1219. <PRE>
  1220. http://somehost.com/this.is.the.path.info
  1221. </PRE>
  1222. <P>
  1223. This would then be translated to a
  1224. location in the server's document repository,
  1225. perhaps a filesystem path something
  1226. like this:
  1227. </P><!--#if expr="! $GUI" -->
  1228. <P></P><!--#endif -->
  1229. <PRE>
  1230. /usr/local/www/htdocs/this.is.the.path.info
  1231. </PRE>
  1232. <P>
  1233. The result of the translation is the value of PATH_TRANSLATED.
  1234. </P>
  1235. <P>
  1236. The value of PATH_TRANSLATED may or may not map to a valid
  1237. repository
  1238. location.
  1239. Servers MUST preserve the case of the path-info
  1240. segment if and only if the underlying
  1241. repository
  1242. supports case-sensitive
  1243. names. If the
  1244. repository
  1245. is only case-aware, case-preserving, or case-blind
  1246. with regard to
  1247. document names,
  1248. servers are not required to preserve the
  1249. case of the original segment through the translation.
  1250. </P>
  1251. <P>
  1252. The
  1253. translation
  1254. algorithm the server uses to derive PATH_TRANSLATED is
  1255. implementation defined; CGI scripts which use this variable may
  1256. suffer limited portability.
  1257. </P>
  1258. <P>
  1259. Servers SHOULD provide this metavariable
  1260. to scripts if and only if the request URI includes a
  1261. path-info component.
  1262. </P>
  1263. <H4>
  1264. <A NAME="6.1.8">
  1265. 6.1.8. QUERY_STRING
  1266. </A>
  1267. </H4>
  1268. <P>
  1269. A URL-encoded
  1270. string; the &lt;query&gt; part of the
  1271. Script-URI.
  1272. (See
  1273. <A HREF="#3.2">section 3.2</A>.)
  1274. </P><!--#if expr="! $GUI" -->
  1275. <P></P><!--#endif -->
  1276. <PRE>
  1277. QUERY_STRING = query-string
  1278. query-string = *uric
  1279. </PRE>
  1280. <P>
  1281. The URL syntax for a query
  1282. string is described in
  1283. section 3 of
  1284. RFC 2396
  1285. [<A HREF="#[4]">4</A>].
  1286. </P>
  1287. <P>
  1288. Servers MUST supply this value to scripts.
  1289. The QUERY_STRING value is case-sensitive.
  1290. If the Script-URI does not include a query component,
  1291. the QUERY_STRING metavariable MUST be defined as an empty string ("").
  1292. </P>
  1293. <H4>
  1294. <A NAME="6.1.9">
  1295. 6.1.9. REMOTE_ADDR
  1296. </A>
  1297. </H4>
  1298. <P>
  1299. The IP address of the client
  1300. sending the request to the server. This
  1301. is not necessarily that of the user
  1302. agent
  1303. (such as if the request came through a proxy).
  1304. </P><!--#if expr="! $GUI" -->
  1305. <P></P><!--#endif -->
  1306. <PRE>
  1307. REMOTE_ADDR = hostnumber
  1308. hostnumber = ipv4-address | ipv6-address
  1309. </PRE>
  1310. <P>
  1311. The definitions of <SAMP>ipv4-address</SAMP> and <SAMP>ipv6-address</SAMP>
  1312. are provided in Appendix B of RFC 2373 [<A HREF="#[13]">13</A>].
  1313. </P>
  1314. <P>
  1315. Servers MUST supply this value to scripts.
  1316. </P>
  1317. <H4>
  1318. <A NAME="6.1.10">
  1319. 6.1.10. REMOTE_HOST
  1320. </A>
  1321. </H4>
  1322. <P>
  1323. The fully qualified domain name of the
  1324. client sending the request to
  1325. the server, if available, otherwise NULL.
  1326. (See <A HREF="#6.1.9">section 6.1.9</A>.)
  1327. Fully qualified domain names take the form as described in
  1328. section 3.5 of RFC 1034 [<A HREF="#[10]">10</A>] and section 2.1 of
  1329. RFC 1123 [<A HREF="#[5]">5</A>]. Domain names are not case sensitive.
  1330. </P>
  1331. <P>
  1332. Servers SHOULD provide this information to
  1333. scripts.
  1334. </P>
  1335. <H4>
  1336. <A NAME="6.1.11">
  1337. 6.1.11. REMOTE_IDENT
  1338. </A>
  1339. </H4>
  1340. <P>
  1341. The identity information reported about the connection by a
  1342. RFC 1413 [<A HREF="#[11]">11</A>] request to the remote agent, if
  1343. available. Servers
  1344. MAY choose not
  1345. to support this feature, or not to request the data
  1346. for efficiency reasons.
  1347. </P><!--#if expr="! $GUI" -->
  1348. <P></P><!--#endif -->
  1349. <PRE>
  1350. REMOTE_IDENT = *CHAR
  1351. </PRE>
  1352. <P>
  1353. The data returned
  1354. may be used for authentication purposes, but the level
  1355. of trust reposed in them should be minimal.
  1356. </P>
  1357. <P>
  1358. Servers MAY supply this information to scripts if the
  1359. RFC1413 [<A HREF="#[11]">11</A>] lookup is performed.
  1360. </P>
  1361. <H4>
  1362. <A NAME="6.1.12">
  1363. 6.1.12. REMOTE_USER
  1364. </A>
  1365. </H4>
  1366. <P>
  1367. If the request required authentication using the "Basic"
  1368. mechanism (<EM>i.e.</EM>, the AUTH_TYPE
  1369. metavariable is set
  1370. to "Basic"), then the value of the REMOTE_USER
  1371. metavariable is set to the
  1372. user-ID supplied. In all other cases
  1373. the value of this metavariable
  1374. is undefined.
  1375. </P><!--#if expr="! $GUI" -->
  1376. <P></P><!--#endif -->
  1377. <PRE>
  1378. REMOTE_USER = *OCTET
  1379. </PRE>
  1380. <P>
  1381. This variable is specific to requests made <EM>via</EM> the
  1382. HTTP protocol.
  1383. </P>
  1384. <P>
  1385. Servers SHOULD provide this metavariable
  1386. to scripts.
  1387. </P>
  1388. <H4>
  1389. <A NAME="6.1.13">
  1390. 6.1.13. REQUEST_METHOD
  1391. </A>
  1392. </H4>
  1393. <P>
  1394. The REQUEST_METHOD
  1395. metavariable
  1396. is set to the
  1397. method with which the request was made, as described in section
  1398. 5.1.1 of the HTTP/1.0 specification [<A HREF="#[3]">3</A>] and
  1399. section 5.1.1 of the
  1400. HTTP/1.1 specification [<A HREF="#[8]">8</A>].
  1401. </P><!--#if expr="! $GUI" -->
  1402. <P></P><!--#endif -->
  1403. <PRE>
  1404. REQUEST_METHOD = http-method
  1405. http-method = "GET" | "HEAD" | "POST" | "PUT" | "DELETE"
  1406. | "OPTIONS" | "TRACE" | extension-method
  1407. extension-method = token
  1408. </PRE>
  1409. <P>
  1410. The method is case sensitive.
  1411. CGI/1.1 servers MAY choose to process some methods
  1412. directly rather than passing them to scripts.
  1413. </P>
  1414. <P>
  1415. This variable is specific to requests made with HTTP.
  1416. </P>
  1417. <P>
  1418. Servers MUST provide this metavariable
  1419. to scripts.
  1420. </P>
  1421. <H4>
  1422. <A NAME="6.1.14">
  1423. 6.1.14. SCRIPT_NAME
  1424. </A>
  1425. </H4>
  1426. <P>
  1427. The SCRIPT_NAME
  1428. metavariable
  1429. is
  1430. set to a URL path that could identify the CGI script (rather than the
  1431. script's
  1432. output). The syntax and semantics are identical to a
  1433. decoded HTTP URL 'path' token
  1434. (see RFC 2396
  1435. [<A HREF="#[4]">4</A>]).
  1436. </P><!--#if expr="! $GUI" -->
  1437. <P></P><!--#endif -->
  1438. <PRE>
  1439. SCRIPT_NAME = "" | ( "/" [ path ] )
  1440. </PRE>
  1441. <P>
  1442. The SCRIPT_NAME string is some leading part of the &lt;path&gt; component
  1443. of the Script-URI derived in some
  1444. implementation defined manner.
  1445. No PATH_INFO or QUERY_STRING segments
  1446. (see sections <A HREF="#6.1.6">6.1.6</A> and
  1447. <A HREF="#6.1.8">6.1.8</A>) are included
  1448. in the SCRIPT_NAME value.
  1449. </P>
  1450. <P>
  1451. Servers MUST provide this metavariable
  1452. to scripts.
  1453. </P>
  1454. <H4>
  1455. <A NAME="6.1.15">
  1456. 6.1.15. SERVER_NAME
  1457. </A>
  1458. </H4>
  1459. <P>
  1460. The SERVER_NAME
  1461. metavariable
  1462. is set to the
  1463. name of the
  1464. server, as
  1465. derived from the &lt;host&gt; part of the
  1466. Script-URI
  1467. (see <A HREF="#3.2">section 3.2</A>).
  1468. </P><!--#if expr="! $GUI" -->
  1469. <P></P><!--#endif -->
  1470. <PRE>
  1471. SERVER_NAME = hostname | hostnumber
  1472. </PRE>
  1473. <P>
  1474. Servers MUST provide this metavariable
  1475. to scripts.
  1476. </P>
  1477. <H4>
  1478. <A NAME="6.1.16">
  1479. 6.1.16. SERVER_PORT
  1480. </A>
  1481. </H4>
  1482. <P>
  1483. The SERVER_PORT
  1484. metavariable
  1485. is set to the
  1486. port on which the
  1487. request was received, as used in the &lt;port&gt;
  1488. part of the Script-URI.
  1489. </P><!--#if expr="! $GUI" -->
  1490. <P></P><!--#endif -->
  1491. <PRE>
  1492. SERVER_PORT = 1*digit
  1493. </PRE>
  1494. <P>
  1495. If the &lt;port&gt; portion of the script-URI is blank, the actual
  1496. port number upon which the request was received MUST be supplied.
  1497. </P>
  1498. <P>
  1499. Servers MUST provide this metavariable
  1500. to scripts.
  1501. </P>
  1502. <H4>
  1503. <A NAME="6.1.17">
  1504. 6.1.17. SERVER_PROTOCOL
  1505. </A>
  1506. </H4>
  1507. <P>
  1508. The SERVER_PROTOCOL
  1509. metavariable
  1510. is set to
  1511. the
  1512. name and revision of the information protocol with which
  1513. the
  1514. request
  1515. arrived. This is not necessarily the same as the protocol version used by
  1516. the server in its response to the client.
  1517. </P><!--#if expr="! $GUI" -->
  1518. <P></P><!--#endif -->
  1519. <PRE>
  1520. SERVER_PROTOCOL = HTTP-Version | extension-version
  1521. | extension-token
  1522. HTTP-Version = "HTTP" "/" 1*digit "." 1*digit
  1523. extension-version = protocol "/" 1*digit "." 1*digit
  1524. protocol = 1*( alpha | digit | "+" | "-" | "." )
  1525. extension-token = token
  1526. </PRE>
  1527. <P>
  1528. 'protocol' is a version of the &lt;scheme&gt; part of the
  1529. Script-URI, but is
  1530. not identical to it. For example, the scheme of a request may be
  1531. "<SAMP>https</SAMP>" while the protocol remains "<SAMP>http</SAMP>".
  1532. The protocol is not case sensitive, but
  1533. by convention, 'protocol' is in
  1534. upper case.
  1535. </P>
  1536. <P>
  1537. A well-known extension token value is "INCLUDED",
  1538. which signals that the current document is being included as part of
  1539. a composite document, rather than being the direct target of the
  1540. client request.
  1541. </P>
  1542. <P>
  1543. Servers MUST provide this metavariable
  1544. to scripts.
  1545. </P>
  1546. <H4>
  1547. <A NAME="6.1.18">
  1548. 6.1.18. SERVER_SOFTWARE
  1549. </A>
  1550. </H4>
  1551. <P>
  1552. The SERVER_SOFTWARE
  1553. metavariable
  1554. is set to the
  1555. name and version of the information server software answering the
  1556. request (and running the gateway).
  1557. </P><!--#if expr="! $GUI" -->
  1558. <P></P><!--#endif -->
  1559. <PRE>
  1560. SERVER_SOFTWARE = 1*product
  1561. product = token [ "/" product-version ]
  1562. product-version = token
  1563. </PRE>
  1564. <P>
  1565. Servers MUST provide this metavariable
  1566. to scripts.
  1567. </P>
  1568. <H3>
  1569. <A NAME="6.2">
  1570. 6.2. Request Message-Bodies
  1571. </A>
  1572. </H3>
  1573. <P>
  1574. As there may be a data entity attached to the request, there MUST be
  1575. a system defined method for the script to read
  1576. these data. Unless
  1577. defined otherwise, this will be <EM>via</EM> the 'standard input' file
  1578. descriptor.
  1579. </P>
  1580. <P>
  1581. If the CONTENT_LENGTH value (see <A HREF="#6.1.2">section 6.1.2</A>)
  1582. is non-NULL, the server MUST supply at least that many bytes to
  1583. scripts on the standard input stream.
  1584. Scripts are
  1585. not obliged to read the data.
  1586. Servers MAY signal an EOF condition after CONTENT_LENGTH bytes have been
  1587. read, but are
  1588. not obligated to do so. Therefore, scripts
  1589. MUST NOT
  1590. attempt to read more than CONTENT_LENGTH bytes, even if more data
  1591. are available.
  1592. </P>
  1593. <P>
  1594. For non-parsed header (NPH) scripts (see
  1595. <A HREF="#7.1">section 7.1</A>
  1596. below),
  1597. servers SHOULD
  1598. attempt to ensure that the data
  1599. supplied to the script are precisely
  1600. as supplied by the client and unaltered by
  1601. the server.
  1602. </P>
  1603. <P>
  1604. <A HREF="#8.1.2">Section 8.1.2</A> describes the requirements of
  1605. servers with regard to requests that include
  1606. message-bodies.
  1607. </P>
  1608. <H2>
  1609. <A NAME="7.0">
  1610. 7. Data Output from the CGI Script
  1611. </A>
  1612. </H2>
  1613. <P>
  1614. There MUST be a system defined method for the script to send data
  1615. back to the server or client; a script MUST always return some data.
  1616. Unless defined otherwise, this will be <EM>via</EM> the 'standard
  1617. output' file descriptor.
  1618. </P>
  1619. <P>
  1620. There are two forms of output that scripts can supply to servers: non-parsed
  1621. header (NPH) output, and parsed header output.
  1622. Servers MUST support parsed header
  1623. output and MAY support NPH output. The method of
  1624. distinguishing between the two
  1625. types of output (or scripts) is implementation defined.
  1626. </P>
  1627. <P>
  1628. Servers MAY implement a timeout period within which data must be
  1629. received from scripts. If a server implementation defines such
  1630. a timeout and receives no data from a script within the timeout
  1631. period, the server MAY terminate the script process and SHOULD
  1632. abort the client request with
  1633. either a
  1634. '504 Gateway Timed Out' or a
  1635. '500 Internal Server Error' response.
  1636. </P>
  1637. <H3>
  1638. <A NAME="7.1">
  1639. 7.1. Non-Parsed Header Output
  1640. </A>
  1641. </H3>
  1642. <P>
  1643. Scripts using the NPH output form
  1644. MUST return a complete HTTP response message, as described
  1645. in Section 6 of the HTTP specifications
  1646. [<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>].
  1647. NPH scripts
  1648. MUST use the SERVER_PROTOCOL variable to determine the appropriate format
  1649. for a response.
  1650. </P>
  1651. <P>
  1652. Servers
  1653. SHOULD attempt to ensure that the script output is sent
  1654. directly to the client, with minimal
  1655. internal and no transport-visible
  1656. buffering.
  1657. </P>
  1658. <H3>
  1659. <A NAME="7.2">
  1660. 7.2. Parsed Header Output
  1661. </A>
  1662. </H3>
  1663. <P>
  1664. Scripts using the parsed header output form MUST supply
  1665. a CGI response message to the server
  1666. as follows:
  1667. </P><!--#if expr="! $GUI" -->
  1668. <P></P><!--#endif -->
  1669. <PRE>
  1670. CGI-Response = *optional-field CGI-Field *optional-field NL [ Message-Body ]
  1671. optional-field = ( CGI-Field | HTTP-Field )
  1672. CGI-Field = Content-type
  1673. | Location
  1674. | Status
  1675. | extension-header
  1676. </PRE>
  1677. <P><!-- ##### If HTTP defines x-headers, remove ours except x-cgi- -->
  1678. The response comprises a header and a body, separated by a blank line.
  1679. The body may be NULL.
  1680. The header fields are either CGI header fields to be interpreted by
  1681. the server, or HTTP header fields
  1682. to be included in the response returned
  1683. to the client
  1684. if the request method is HTTP. At least one
  1685. CGI-Field MUST be
  1686. supplied, but no CGI field name may be used more than once
  1687. in a response.
  1688. If a body is supplied, then a "<SAMP>Content-type</SAMP>"
  1689. header field MUST be
  1690. supplied by the script,
  1691. otherwise the script MUST send a "<SAMP>Location</SAMP>"
  1692. or "<SAMP>Status</SAMP>" header field. If a
  1693. <SAMP>Location</SAMP> CGI-Field
  1694. is returned, then the script MUST NOT supply
  1695. any HTTP-Fields.
  1696. </P>
  1697. <P>
  1698. Each header field in a CGI-Response MUST be specified on a single line;
  1699. CGI/1.1 does not support continuation lines.
  1700. </P>
  1701. <H4>
  1702. <A NAME="7.2.1">
  1703. 7.2.1. CGI header fields
  1704. </A>
  1705. </H4>
  1706. <P>
  1707. The CGI header fields have the generic syntax:
  1708. </P><!--#if expr="! $GUI" -->
  1709. <P></P><!--#endif -->
  1710. <PRE>
  1711. generic-field = field-name ":" [ field-value ] NL
  1712. field-name = token
  1713. field-value = *( field-content | LWSP )
  1714. field-content = *( token | tspecial | quoted-string )
  1715. </PRE>
  1716. <P>
  1717. The field-name is not case sensitive; a NULL field value is
  1718. equivalent to the header field not being sent.
  1719. </P>
  1720. <H4>
  1721. <A NAME="7.2.1.1">
  1722. 7.2.1.1. Content-Type
  1723. </A>
  1724. </H4>
  1725. <P>
  1726. The Internet Media Type [<A HREF="#[9]">9</A>] of the entity
  1727. body, which is to be sent unmodified to the client.
  1728. </P><!--#if expr="! $GUI" -->
  1729. <P></P><!--#endif -->
  1730. <PRE>
  1731. Content-Type = "Content-Type" ":" media-type NL
  1732. </PRE>
  1733. <P>
  1734. This is actually an HTTP-Field
  1735. rather than a CGI-Field, but
  1736. it is listed here because of its importance in the CGI dialogue as
  1737. a member of the "one of these is required" set of header
  1738. fields.
  1739. </P>
  1740. <H4>
  1741. <A NAME="7.2.1.2">
  1742. 7.2.1.2. Location
  1743. </A>
  1744. </H4>
  1745. <P>
  1746. This is used to specify to the server that the script is returning a
  1747. reference to a document rather than an actual document.
  1748. </P><!--#if expr="! $GUI" -->
  1749. <P></P><!--#endif -->
  1750. <PRE>
  1751. Location = "Location" ":"
  1752. ( fragment-URI | rel-URL-abs-path ) NL
  1753. fragment-URI = URI [ # fragmentid ]
  1754. URI = scheme ":" *qchar
  1755. fragmentid = *qchar
  1756. rel-URL-abs-path = "/" [ hpath ] [ "?" query-string ]
  1757. hpath = fpsegment *( "/" psegment )
  1758. fpsegment = 1*hchar
  1759. psegment = *hchar
  1760. hchar = alpha | digit | safe | extra
  1761. | ":" | "@" | "& | "="
  1762. </PRE>
  1763. <P>
  1764. The Location
  1765. value is either an absolute URI with optional fragment,
  1766. as defined in RFC 1630 [<A HREF="#[1]">1</A>], or an absolute path
  1767. within the server's URI space (<EM>i.e.</EM>,
  1768. omitting the scheme and network-related fields) and optional
  1769. query-string. If an absolute URI is returned by the script,
  1770. then the
  1771. server MUST generate a
  1772. '302 redirect' HTTP response
  1773. message unless the script has supplied an
  1774. explicit Status response header field.
  1775. Scripts returning an absolute URI MAY choose to
  1776. provide a message-body. Servers MUST make any appropriate modifications
  1777. to the script's output to ensure the response to the user-agent complies
  1778. with the response protocol version.
  1779. If the Location value is a path, then the server
  1780. MUST generate
  1781. the response that it would have produced in response to a request
  1782. containing the URL
  1783. </P><!--#if expr="! $GUI" -->
  1784. <P></P><!--#endif -->
  1785. <PRE>
  1786. scheme "://" SERVER_NAME ":" SERVER_PORT rel-URL-abs-path
  1787. </PRE>
  1788. <P>
  1789. Note: If the request was accompanied by a
  1790. message-body
  1791. (such as for a POST request), and the script
  1792. redirects the request with a Location field, the
  1793. message-body
  1794. may not be
  1795. available to the resource that is the target of the redirect.
  1796. </P>
  1797. <H4>
  1798. <A NAME="7.2.1.3">
  1799. 7.2.1.3. Status
  1800. </A>
  1801. </H4>
  1802. <P>
  1803. The "<SAMP>Status</SAMP>" header field is used to indicate to the server what
  1804. status code the server MUST use in the response message.
  1805. </P><!--#if expr="! $GUI" -->
  1806. <P></P><!--#endif -->
  1807. <PRE>
  1808. Status = "Status" ":" digit digit digit SP reason-phrase NL
  1809. reason-phrase = *&lt;CHAR, excluding CTLs, NL&gt;
  1810. </PRE>
  1811. <P>
  1812. The valid status codes are listed in section 6.1.1 of the HTTP/1.0
  1813. specifications [<A HREF="#[3]">3</A>]. If the SERVER_PROTOCOL is
  1814. "HTTP/1.1", then the status codes defined in the HTTP/1.1
  1815. specification [<A HREF="#[8]">8</A>] may
  1816. be used. If the script does not return a "<SAMP>Status</SAMP>" header
  1817. field, then "200 OK" SHOULD be assumed by the server.
  1818. </P>
  1819. <P>
  1820. If a script is being used to handle a particular error or condition
  1821. encountered by the server, such as a '404 Not Found' error, the script
  1822. SHOULD use the "<SAMP>Status</SAMP>" CGI header field to propagate the error
  1823. condition back to the client. <EM>E.g.</EM>, in the example mentioned it
  1824. SHOULD include a "Status:&nbsp;404&nbsp;Not&nbsp;Found" in the
  1825. header data returned to the server.
  1826. </P>
  1827. <H4>
  1828. <A NAME="7.2.1.4">
  1829. 7.2.1.4. Extension header fields
  1830. </A>
  1831. </H4>
  1832. <P>
  1833. Scripts MAY include in their CGI response header additional fields
  1834. not defined in this or the HTTP specification.
  1835. These are called "extension" fields,
  1836. and have the syntax of a <SAMP>generic-field</SAMP> as defined in
  1837. <A HREF="#7.2.1">section 7.2.1</A>. The name of an extension field
  1838. MUST NOT conflict with a field name defined in this or any other
  1839. specification; extension field names SHOULD begin with "X-CGI-"
  1840. to ensure uniqueness.
  1841. </P>
  1842. <H4>
  1843. <A NAME="7.2.2">
  1844. 7.2.2. HTTP header fields
  1845. </A>
  1846. </H4>
  1847. <P>
  1848. The script MAY return any other header fields defined by the
  1849. specification
  1850. for the SERVER_PROTOCOL (HTTP/1.0 [<A HREF="#[3]">3</A>] or HTTP/1.1
  1851. [<A HREF="#[8]">8</A>]).
  1852. Servers MUST resolve conflicts beteen CGI header
  1853. and HTTP header formats or names (see <A HREF="#8.0">section 8</A>).
  1854. </P>
  1855. <H2>
  1856. <A NAME="8.0">
  1857. 8. Server Implementation
  1858. </A>
  1859. </H2>
  1860. <P>
  1861. This section defines the requirements that must be met by HTTP
  1862. servers in order to provide a coherent and correct CGI/1.1
  1863. environment in which scripts may function. It is intended
  1864. primarily for server implementors, but it is useful for
  1865. script authors to be familiar with the information as well.
  1866. </P>
  1867. <H3>
  1868. <A NAME="8.1">
  1869. 8.1. Requirements for Servers
  1870. </A>
  1871. </H3>
  1872. <P>
  1873. In order to be considered CGI/1.1-compliant, a server must meet
  1874. certain basic criteria and provide certain minimal functionality.
  1875. The details of these requirements are described in the following sections.
  1876. </P>
  1877. <H3>
  1878. <A NAME="8.1.1">
  1879. 8.1.1. Script-URI
  1880. </A>
  1881. </H3>
  1882. <P>
  1883. Servers MUST support the standard mechanism (described below) which
  1884. allows
  1885. script authors to determine
  1886. what URL to use in documents
  1887. which reference the script;
  1888. specifically, what URL to use in order to
  1889. achieve particular settings of the
  1890. metavariables. This
  1891. mechanism is as follows:
  1892. </P>
  1893. <P>
  1894. The server
  1895. MUST translate the header data from the CGI header field syntax to
  1896. the HTTP
  1897. header field syntax if these differ. For example, the character
  1898. sequence for
  1899. newline (such as Unix's ASCII NL) used by CGI scripts may not be the
  1900. same as that used by HTTP (ASCII CR followed by LF). The server MUST
  1901. also resolve any conflicts between header fields returned by the script
  1902. and header fields that it would otherwise send itself.
  1903. </P>
  1904. <H3>
  1905. <A NAME="8.1.2">
  1906. 8.1.2. Request Message-body Handling
  1907. </A>
  1908. </H3>
  1909. <P>
  1910. These are the requirements for server handling of message-bodies directed
  1911. to CGI/1.1 resources:
  1912. </P>
  1913. <OL>
  1914. <LI>The message-body the server provides to the CGI script MUST
  1915. have any transfer encodings removed.
  1916. </LI>
  1917. <LI>The server MUST derive and provide a value for the CONTENT_LENGTH
  1918. metavariable that reflects the length of the message-body after any
  1919. transfer decoding.
  1920. </LI>
  1921. <LI>The server MUST leave intact any content-encodings of the message-body.
  1922. </LI>
  1923. </OL>
  1924. <H3>
  1925. <A NAME="8.1.3">
  1926. 8.1.3. Required Metavariables
  1927. </A>
  1928. </H3>
  1929. <P>
  1930. Servers MUST provide scripts with certain information and
  1931. metavariables
  1932. as described in <A HREF="#8.3">section 8.3</A>.
  1933. </P>
  1934. <H3>
  1935. <A NAME="8.1.4">
  1936. 8.1.4. Response Compliance
  1937. </A>
  1938. </H3>
  1939. <P>
  1940. Servers MUST ensure that responses sent to the user-agent meet all
  1941. requirements of the protocol level in effect. This may involve
  1942. modifying, deleting, or augmenting any header
  1943. fields and/or message-body supplied by the script.
  1944. </P>
  1945. <H3>
  1946. <A NAME="8.2">
  1947. 8.2. Recommendations for Servers
  1948. </A>
  1949. </H3>
  1950. <P>
  1951. Servers SHOULD provide the "<SAMP>query</SAMP>" component of the script-URI
  1952. as command-line arguments to scripts if it does not
  1953. contain any unencoded '=' characters and the command-line arguments can
  1954. be generated in an unambiguous manner.
  1955. (See <A HREF="#5.0">section 5</A>.)
  1956. </P>
  1957. <P>
  1958. Servers SHOULD set the AUTH_TYPE
  1959. metavariable to the value of the
  1960. '<SAMP>auth-scheme</SAMP>' token of the "<SAMP>Authorization</SAMP>"
  1961. field if it was supplied as part of the request header.
  1962. (See <A HREF="#6.1.1">section 6.1.1</A>.)
  1963. </P>
  1964. <P>
  1965. Where applicable, servers SHOULD set the current working directory
  1966. to the directory in which the script is located before invoking
  1967. it.
  1968. </P>
  1969. <P>
  1970. Servers MAY reject with error '404 Not Found'
  1971. any requests that would result in
  1972. an encoded "/" being decoded into PATH_INFO or SCRIPT_NAME, as this
  1973. might represent a loss of information to the script.
  1974. </P>
  1975. <P>
  1976. Although the server and the CGI script need not be consistent in
  1977. their handling of URL paths (client URLs and the PATH_INFO data,
  1978. respectively), server authors may wish to impose consistency.
  1979. So the server implementation SHOULD define its behaviour for the
  1980. following cases:
  1981. </P>
  1982. <OL>
  1983. <LI>define any restrictions on allowed characters, in particular
  1984. whether ASCII NUL is permitted;
  1985. </LI>
  1986. <LI>define any restrictions on allowed path segments, in particular
  1987. whether non-terminal NULL segments are permitted;
  1988. </LI>
  1989. <LI>define the behaviour for <SAMP>"."</SAMP> or <SAMP>".."</SAMP> path
  1990. segments; <EM>i.e.</EM>, whether they are prohibited, treated as
  1991. ordinary path
  1992. segments or interpreted in accordance with the relative URL
  1993. specification [<A HREF="#[7]">7</A>];
  1994. </LI>
  1995. <LI>define any limits of the implementation, including limits on path or
  1996. search string lengths, and limits on the volume of header data the server
  1997. will parse.
  1998. </LI><!-- ##### Move the field resolution/translation para below here -->
  1999. </OL>
  2000. <P>
  2001. Servers MAY generate the
  2002. Script-URI in
  2003. any way from the client URI,
  2004. or from any other data (but the behaviour SHOULD be documented).
  2005. </P>
  2006. <P>
  2007. For non-parsed header (NPH) scripts (see
  2008. <A HREF="#7.1">section 7.1</A>), servers SHOULD
  2009. attempt to ensure that the script input comes directly from the
  2010. client, with minimal buffering. For all scripts the data will be
  2011. as supplied by the client.
  2012. </P>
  2013. <H3>
  2014. <A NAME="8.3">
  2015. 8.3. Summary of
  2016. MetaVariables
  2017. </A>
  2018. </H3>
  2019. <P>
  2020. Servers MUST provide the following
  2021. metavariables to
  2022. scripts. See the individual descriptions for exceptions and semantics.
  2023. </P><!--#if expr="! $GUI" -->
  2024. <P></P><!--#endif -->
  2025. <PRE>
  2026. CONTENT_LENGTH (section <A HREF="#6.1.2">6.1.2</A>)
  2027. CONTENT_TYPE (section <A HREF="#6.1.3">6.1.3</A>)
  2028. GATEWAY_INTERFACE (section <A HREF="#6.1.4">6.1.4</A>)
  2029. PATH_INFO (section <A HREF="#6.1.6">6.1.6</A>)
  2030. QUERY_STRING (section <A HREF="#6.1.8">6.1.8</A>)
  2031. REMOTE_ADDR (section <A HREF="#6.1.9">6.1.9</A>)
  2032. REQUEST_METHOD (section <A HREF="#6.1.13">6.1.13</A>)
  2033. SCRIPT_NAME (section <A HREF="#6.1.14">6.1.14</A>)
  2034. SERVER_NAME (section <A HREF="#6.1.15">6.1.15</A>)
  2035. SERVER_PORT (section <A HREF="#6.1.16">6.1.16</A>)
  2036. SERVER_PROTOCOL (section <A HREF="#6.1.17">6.1.17</A>)
  2037. SERVER_SOFTWARE (section <A HREF="#6.1.18">6.1.18</A>)
  2038. </PRE>
  2039. <P>
  2040. Servers SHOULD define the following
  2041. metavariables for scripts.
  2042. See the individual descriptions for exceptions and semantics.
  2043. </P><!--#if expr="! $GUI" -->
  2044. <P></P><!--#endif -->
  2045. <PRE>
  2046. AUTH_TYPE (section <A HREF="#6.1.1">6.1.1</A>)
  2047. REMOTE_HOST (section <A HREF="#6.1.10">6.1.10</A>)
  2048. </PRE>
  2049. <P>
  2050. In addition, servers SHOULD provide
  2051. metavariables for all fields present
  2052. in the HTTP request header, with the exception of those involved with
  2053. access control. Servers MAY at their discretion provide
  2054. metavariables
  2055. for access control fields.
  2056. </P>
  2057. <P>
  2058. Servers MAY define the following
  2059. metavariables. See the individual
  2060. descriptions for exceptions and semantics.
  2061. </P><!--#if expr="! $GUI" -->
  2062. <P></P><!--#endif -->
  2063. <PRE>
  2064. PATH_TRANSLATED (section <A HREF="#6.1.7">6.1.7</A>)
  2065. REMOTE_IDENT (section <A HREF="#6.1.11">6.1.11</A>)
  2066. REMOTE_USER (section <A HREF="#6.1.12">6.1.12</A>)
  2067. </PRE>
  2068. <P>
  2069. Servers MAY
  2070. at their discretion define additional implementation-specific
  2071. extension metavariables
  2072. provided their names do not
  2073. conflict with defined header field names. Implementation-specific
  2074. metavariable names SHOULD
  2075. be prefixed with "X_" (<EM>e.g.</EM>,
  2076. "X_DBA") to avoid the potential for such conflicts.
  2077. </P>
  2078. <H2>
  2079. <A NAME="9.0">
  2080. 9.
  2081. Script Implementation
  2082. </A>
  2083. </H2>
  2084. <P>
  2085. This section defines the requirements and recommendations for scripts
  2086. that are intended to function in a CGI/1.1 environment. It is intended
  2087. primarily as a reference for script authors, but server implementors
  2088. should be familiar with these issues as well.
  2089. </P>
  2090. <H3>
  2091. <A NAME="9.1">
  2092. 9.1. Requirements for Scripts
  2093. </A>
  2094. </H3>
  2095. <P>
  2096. Scripts using the parsed-header method to communicate with servers
  2097. MUST supply a response header to the server.
  2098. (See <A HREF="#7.0">section 7</A>.)
  2099. </P>
  2100. <P>
  2101. Scripts using the NPH method to communicate with servers MUST
  2102. provide complete HTTP responses, and MUST use the value of the
  2103. SERVER_PROTOCOL metavariable
  2104. to determine the appropriate format.
  2105. (See <A HREF="#7.1">section 7.1</A>.)
  2106. </P>
  2107. <P>
  2108. Scripts MUST check the value of the REQUEST_METHOD
  2109. metavariable in order
  2110. to provide an appropriate response.
  2111. (See <A HREF="#6.1.13">section 6.1.13</A>.)
  2112. </P>
  2113. <P>
  2114. Scripts MUST be prepared to handled URL-encoded values in
  2115. metavariables.
  2116. In addition, they MUST recognise both "+" and "%20" in URL-encoded
  2117. quantities as representing the space character.
  2118. (See <A HREF="#3.1">section 3.1</A>.)
  2119. </P>
  2120. <P>
  2121. Scripts MUST ignore leading zeros in the major and minor version numbers
  2122. in the GATEWAY_INTERFACE
  2123. metavariable value. (See
  2124. <A HREF="#6.1.4">section 6.1.4</A>.)
  2125. </P>
  2126. <P>
  2127. When processing requests that include a
  2128. message-body, scripts
  2129. MUST NOT read more than CONTENT_LENGTH bytes from the input stream.
  2130. (See sections <A HREF="#6.1.2">6.1.2</A> and <A HREF="#6.2">6.2</A>.)
  2131. </P>
  2132. <H3>
  2133. <A NAME="9.2">
  2134. 9.2. Recommendations for Scripts
  2135. </A>
  2136. </H3>
  2137. <P>
  2138. Servers may interrupt or terminate script execution at any time
  2139. and without warning, so scripts SHOULD be prepared to deal with
  2140. abnormal termination.
  2141. </P>
  2142. <P>
  2143. Scripts MUST
  2144. reject with
  2145. error '405 Method Not
  2146. Allowed' requests
  2147. made using methods that they do not support. If the script does
  2148. not intend
  2149. processing the PATH_INFO data, then it SHOULD reject the request with
  2150. '404 Not
  2151. Found' if PATH_INFO is not NULL.
  2152. </P>
  2153. <P>
  2154. If a script is processing the output of a form, it SHOULD
  2155. verify that the CONTENT_TYPE
  2156. is "<SAMP>application/x-www-form-urlencoded</SAMP>" [<A HREF="#[2]">2</A>]
  2157. or whatever other media type is expected.
  2158. </P>
  2159. <P>
  2160. Scripts parsing PATH_INFO,
  2161. PATH_TRANSLATED, or SCRIPT_NAME
  2162. SHOULD be careful
  2163. of void path segments ("<SAMP>//</SAMP>") and special path segments
  2164. (<SAMP>"."</SAMP> and
  2165. <SAMP>".."</SAMP>). They SHOULD either be removed from the path before
  2166. use in OS
  2167. system calls, or the request SHOULD be rejected with
  2168. '404 Not Found'.
  2169. </P>
  2170. <P>
  2171. As it is impossible for
  2172. scripts to determine the client URI that
  2173. initiated a
  2174. request without knowledge of the specific server in
  2175. use, the script SHOULD NOT return "<SAMP>text/html</SAMP>"
  2176. documents containing
  2177. relative URL links without including a "<SAMP>&lt;BASE&gt;</SAMP>"
  2178. tag in the document.
  2179. </P>
  2180. <P>
  2181. When returning header fields,
  2182. scripts SHOULD try to send the CGI
  2183. header fields (see section
  2184. <A HREF="#7.2">7.2</A>) as soon as possible, and
  2185. SHOULD send them
  2186. before any HTTP header fields. This may
  2187. help reduce the server's memory requirements.
  2188. </P>
  2189. <H2>
  2190. <A NAME="10.0">
  2191. 10. System Specifications
  2192. </A>
  2193. </H2>
  2194. <H3>
  2195. <A NAME="10.1">
  2196. 10.1. AmigaDOS
  2197. </A>
  2198. </H3>
  2199. <P>
  2200. The implementation of the CGI on an AmigaDOS operating system platform
  2201. SHOULD use environment variables as the mechanism of providing
  2202. request metadata to CGI scripts.
  2203. </P>
  2204. <DL>
  2205. <DT><STRONG>Environment variables</STRONG>
  2206. </DT>
  2207. <DD>
  2208. <P>
  2209. These are accessed by the DOS library routine <SAMP>GetVar</SAMP>. The
  2210. flags argument SHOULD be 0. Case is ignored, but upper case is
  2211. recommended for compatibility with case-sensitive systems.
  2212. </P>
  2213. </DD>
  2214. <DT><STRONG>The current working directory</STRONG>
  2215. </DT>
  2216. <DD>
  2217. <P>
  2218. The current working directory for the script is set to the directory
  2219. containing the script.
  2220. </P>
  2221. </DD>
  2222. <DT><STRONG>Character set</STRONG>
  2223. </DT>
  2224. <DD>
  2225. <P>
  2226. The US-ASCII character set is used for the definition of environment
  2227. variable names and header
  2228. field names; the newline (NL) sequence is LF;
  2229. servers SHOULD also accept CR LF as a newline.
  2230. </P>
  2231. </DD>
  2232. </DL>
  2233. <H3>
  2234. <A NAME="10.2">
  2235. 10.2. Unix
  2236. </A>
  2237. </H3>
  2238. <P>
  2239. The implementation of the CGI on a UNIX operating system platform
  2240. SHOULD use environment variables as the mechanism of providing
  2241. request metadata to CGI scripts.
  2242. </P>
  2243. <P>
  2244. For Unix compatible operating systems, the following are defined:
  2245. </P>
  2246. <DL>
  2247. <DT><STRONG>Environment variables</STRONG>
  2248. </DT>
  2249. <DD>
  2250. <P>
  2251. These are accessed by the C library routine <SAMP>getenv</SAMP>.
  2252. </P>
  2253. </DD>
  2254. <DT><STRONG>The command line</STRONG>
  2255. </DT>
  2256. <DD>
  2257. <P>
  2258. This is accessed using the
  2259. <SAMP>argc</SAMP> and <SAMP>argv</SAMP>
  2260. arguments to <SAMP>main()</SAMP>. The words have any characters
  2261. that
  2262. are 'active' in the Bourne shell escaped with a backslash.
  2263. If the value of the QUERY_STRING
  2264. metavariable
  2265. contains an unencoded equals-sign '=', then the command line
  2266. SHOULD NOT be used by the script.
  2267. </P>
  2268. </DD>
  2269. <DT><STRONG>The current working directory</STRONG>
  2270. </DT>
  2271. <DD>
  2272. <P>
  2273. The current working directory for the script
  2274. SHOULD be set to the directory
  2275. containing the script.
  2276. </P>
  2277. </DD>
  2278. <DT><STRONG>Character set</STRONG>
  2279. </DT>
  2280. <DD>
  2281. <P>
  2282. The US-ASCII character set is used for the definition of environment
  2283. variable names and header field names; the newline (NL) sequence is LF;
  2284. servers SHOULD also accept CR LF as a newline.
  2285. </P>
  2286. </DD>
  2287. </DL>
  2288. <H2>
  2289. <A NAME="11.0">
  2290. 11. Security Considerations
  2291. </A>
  2292. </H2>
  2293. <H3>
  2294. <A NAME="11.1">
  2295. 11.1. Safe Methods
  2296. </A>
  2297. </H3>
  2298. <P>
  2299. As discussed in the security considerations of the HTTP
  2300. specifications [<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>], the
  2301. convention has been established that the
  2302. GET and HEAD methods should be 'safe'; they should cause no
  2303. side-effects and only have the significance of resource retrieval.
  2304. </P>
  2305. <P>
  2306. CGI scripts are responsible for enforcing any HTTP security considerations
  2307. [<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>]
  2308. with respect to the protocol version level of the request and
  2309. any side effects generated by the scripts on behalf of
  2310. the server. Primary
  2311. among these
  2312. are the considerations of safe and idempotent methods. Idempotent
  2313. requests are those that may be repeated an arbitrary number of times
  2314. and produce side effects identical to a single request.
  2315. </P>
  2316. <H3>
  2317. <A NAME="11.2">
  2318. 11.2. HTTP Header
  2319. Fields Containing Sensitive Information
  2320. </A>
  2321. </H3>
  2322. <P>
  2323. Some HTTP header fields may carry sensitive information which the server
  2324. SHOULD NOT pass on to the script unless explicitly configured to do
  2325. so. For example, if the server protects the script using the
  2326. "<SAMP>Basic</SAMP>"
  2327. authentication scheme, then the client will send an
  2328. "<SAMP>Authorization</SAMP>"
  2329. header field containing a username and password. If the server, rather
  2330. than the script, validates this information then the password SHOULD
  2331. NOT be passed on to the script <EM>via</EM> the HTTP_AUTHORIZATION
  2332. metavariable
  2333. without careful consideration.
  2334. This also applies to the
  2335. Proxy-Authorization header field and the corresponding
  2336. HTTP_PROXY_AUTHORIZATION
  2337. metavariable.
  2338. </P>
  2339. <H3>
  2340. <A NAME="11.3">
  2341. 11.3. Script
  2342. Interference with the Server
  2343. </A>
  2344. </H3>
  2345. <P>
  2346. The most common implementation of CGI invokes the script as a child
  2347. process using the same user and group as the server process. It
  2348. SHOULD therefore be ensured that the script cannot interfere with the
  2349. server process, its configuration, or documents.
  2350. </P>
  2351. <P>
  2352. If the script is executed by calling a function linked in to the
  2353. server software (either at compile-time or run-time) then precautions
  2354. SHOULD be taken to protect the core memory of the server, or to
  2355. ensure that untrusted code cannot be executed.
  2356. </P>
  2357. <H3>
  2358. <A NAME="11.4">
  2359. 11.4. Data Length and Buffering Considerations
  2360. </A>
  2361. </H3>
  2362. <P>
  2363. This specification places no limits on the length of message-bodies
  2364. presented to the script. Scripts should not assume that statically
  2365. allocated buffers of any size are sufficient to contain the entire
  2366. submission at one time. Use of a fixed length buffer without careful
  2367. overflow checking may result in an attacker exploiting 'stack-smashing'
  2368. or 'stack-overflow' vulnerabilities of the operating system.
  2369. Scripts may spool large submissions to disk or other buffering media,
  2370. but a rapid succession of large submissions may result in denial of
  2371. service conditions. If the CONTENT_LENGTH of a message-body is larger
  2372. than resource considerations allow, scripts should respond with an
  2373. error status appropriate for the protocol version; potentially applicable
  2374. status codes include '503 Service Unavailable' (HTTP/1.0 and HTTP/1.1),
  2375. '413 Request Entity Too Large' (HTTP/1.1), and
  2376. '414 Request-URI Too Long' (HTTP/1.1).
  2377. </P>
  2378. <H3>
  2379. <A NAME="11.5">
  2380. 11.5. Stateless Processing
  2381. </A>
  2382. </H3>
  2383. <P>
  2384. The stateless nature of the Web makes each script execution and resource
  2385. retrieval independent of all others even when multiple requests constitute a
  2386. single conceptual Web transaction. Because of this, a script should not
  2387. make any assumptions about the context of the user-agent submitting a
  2388. request. In particular, scripts should examine data obtained from the client
  2389. and verify that they are valid, both in form and content, before allowing
  2390. them to be used for sensitive purposes such as input to other
  2391. applications, commands, or operating system services. These uses
  2392. include, but are not
  2393. limited to: system call arguments, database writes, dynamically evaluated
  2394. source code, and input to billing or other secure processes. It is important
  2395. that applications be protected from invalid input regardless of whether
  2396. the invalidity is the result of user error, logic error, or malicious action.
  2397. </P>
  2398. <P>
  2399. Authors of scripts involved in multi-request transactions should be
  2400. particularly cautios about validating the state information;
  2401. undesirable effects may result from the substitution of dangerous
  2402. values for portions of the submission which might otherwise be
  2403. presumed safe. Subversion of this type occurs when alterations
  2404. are made to data from a prior stage of the transaction that were
  2405. not meant to be controlled by the client (<EM>e.g.</EM>, hidden
  2406. HTML form elements, cookies, embedded URLs, <EM>etc.</EM>).
  2407. </P>
  2408. <H2>
  2409. <A NAME="12.0">
  2410. 12. Acknowledgements
  2411. </A>
  2412. </H2>
  2413. <P>
  2414. This work is based on a draft published in 1997 by David R. Robinson,
  2415. which in turn was based on the original CGI interface that arose out of
  2416. discussions on the <EM>www-talk</EM> mailing list. In particular,
  2417. Rob McCool, John Franks, Ari Luotonen,
  2418. George Phillips and
  2419. Tony Sanders deserve special recognition for their efforts in
  2420. defining and implementing the early versions of this interface.
  2421. </P>
  2422. <P>
  2423. This document has also greatly benefited from the comments and
  2424. suggestions made by Chris Adie, Dave Kristol,
  2425. Mike Meyer, David Morris, Jeremy Madea,
  2426. Patrick M<SUP>c</SUP>Manus, Adam Donahue,
  2427. Ross Patterson, and Harald Alvestrand.
  2428. </P>
  2429. <H2>
  2430. <A NAME="13.0">
  2431. 13. References
  2432. </A>
  2433. </H2>
  2434. <DL COMPACT>
  2435. <DT><A NAME="[1]">[1]</A>
  2436. </DT>
  2437. <DD>Berners-Lee, T., 'Universal Resource Identifiers in WWW: A
  2438. Unifying Syntax for the Expression of Names and Addresses of
  2439. Objects on the Network as used in the World-Wide Web', RFC 1630,
  2440. CERN, June 1994.
  2441. <P>
  2442. </P>
  2443. </DD>
  2444. <DT><A NAME="[2]">[2]</A>
  2445. </DT>
  2446. <DD>Berners-Lee, T. and Connolly, D., 'Hypertext Markup Language -
  2447. 2.0', RFC 1866, MIT/W3C, November 1995.
  2448. <P>
  2449. </P>
  2450. </DD>
  2451. <DT><A NAME="[3]">[3]</A>
  2452. </DT>
  2453. <DD>Berners-Lee, T., Fielding, R. T. and Frystyk, H.,
  2454. 'Hypertext Transfer Protocol -- HTTP/1.0', RFC 1945, MIT/LCS,
  2455. UC Irvine, May 1996.
  2456. <P>
  2457. </P>
  2458. </DD>
  2459. <DT><A NAME="[4]">[4]</A>
  2460. </DT>
  2461. <DD>Berners-Lee, T., Fielding, R., and Masinter, L., Editors,
  2462. 'Uniform Resource Identifiers (URI): Generic Syntax', RFC 2396,
  2463. MIT, U.C. Irvine, Xerox Corporation, August 1996.
  2464. <P>
  2465. </P>
  2466. </DD>
  2467. <DT><A NAME="[5]">[5]</A>
  2468. </DT>
  2469. <DD>Braden, R., Editor, 'Requirements for Internet Hosts --
  2470. Application and Support', STD 3, RFC 1123, IETF, October 1989.
  2471. <P>
  2472. </P>
  2473. </DD>
  2474. <DT><A NAME="[6]">[6]</A>
  2475. </DT>
  2476. <DD>Crocker, D.H., 'Standard for the Format of ARPA Internet Text
  2477. Messages', STD 11, RFC 822, University of Delaware, August 1982.
  2478. <P>
  2479. </P>
  2480. </DD>
  2481. <DT><A NAME="[7]">[7]</A>
  2482. </DT>
  2483. <DD>Fielding, R., 'Relative Uniform Resource Locators', RFC 1808,
  2484. UC Irvine, June 1995.
  2485. <P>
  2486. </P>
  2487. </DD>
  2488. <DT><A NAME="[8]">[8]</A>
  2489. </DT>
  2490. <DD>Fielding, R., Gettys, J., Mogul, J., Frystyk, H. and
  2491. Berners-Lee, T., 'Hypertext Transfer Protocol -- HTTP/1.1',
  2492. RFC 2068, UC Irvine, DEC,
  2493. MIT/LCS, January 1997.
  2494. <P>
  2495. </P>
  2496. </DD>
  2497. <DT><A NAME="[9]">[9]</A>
  2498. </DT>
  2499. <DD>Freed, N. and Borenstein N., 'Multipurpose Internet Mail
  2500. Extensions (MIME) Part Two: Media Types', RFC 2046, Innosoft,
  2501. First Virtual, November 1996.
  2502. <P>
  2503. </P>
  2504. </DD>
  2505. <DT><A NAME="[10]">[10]</A>
  2506. </DT>
  2507. <DD>Mockapetris, P., 'Domain Names - Concepts and Facilities',
  2508. STD 13, RFC 1034, ISI, November 1987.
  2509. <P>
  2510. </P>
  2511. </DD>
  2512. <DT><A NAME="[11]">[11]</A>
  2513. </DT>
  2514. <DD>St. Johns, M., 'Identification Protocol', RFC 1431, US
  2515. Department of Defense, February 1993.
  2516. <P>
  2517. </P>
  2518. </DD>
  2519. <DT><A NAME="[12]">[12]</A>
  2520. </DT>
  2521. <DD>'Coded Character Set -- 7-bit American Standard Code for
  2522. Information Interchange', ANSI X3.4-1986.
  2523. <P>
  2524. </P>
  2525. </DD>
  2526. <DT><A NAME="[13]">[13]</A>
  2527. </DT>
  2528. <DD>Hinden, R. and Deering, S.,
  2529. 'IP Version 6 Addressing Architecture', RFC 2373,
  2530. Nokia, Cisco Systems,
  2531. July 1998.
  2532. <P>
  2533. </P>
  2534. </DD>
  2535. </DL>
  2536. <H2>
  2537. <A NAME="14.0">
  2538. 14. Authors' Addresses
  2539. </A>
  2540. </H2>
  2541. <ADDRESS>
  2542. <P>
  2543. Ken A L Coar
  2544. <BR>
  2545. MeepZor Consulting
  2546. <BR>
  2547. 7824 Mayfaire Crest Lane, Suite 202
  2548. <BR>
  2549. Raleigh, NC 27615-4875
  2550. <BR>
  2551. U.S.A.
  2552. </P>
  2553. <P>
  2554. Tel: +1 (919) 254.4237
  2555. <BR>
  2556. Fax: +1 (919) 254.5250
  2557. <BR>
  2558. Email:
  2559. <A
  2560. HREF="mailto:Ken.Coar@Golux.Com"
  2561. ><SAMP>Ken.Coar@Golux.Com</SAMP></A>
  2562. </P>
  2563. </ADDRESS>
  2564. <ADDRESS>
  2565. <P>
  2566. David Robinson
  2567. <BR>
  2568. E*TRADE UK Ltd
  2569. <BR>
  2570. Mount Pleasant House
  2571. <BR>
  2572. 2 Mount Pleasant
  2573. <BR>
  2574. Huntingdon Road
  2575. <BR>
  2576. Cambridge CB3 0RN
  2577. <BR>
  2578. UK
  2579. </P>
  2580. <P>
  2581. Tel: +44 (1223) 566926
  2582. <BR>
  2583. Fax: +44 (1223) 506288
  2584. <BR>
  2585. Email:
  2586. <A
  2587. HREF="mailto:drtr@etrade.co.uk"
  2588. ><SAMP>drtr@etrade.co.uk</SAMP></A>
  2589. </ADDRESS>
  2590. </BODY>
  2591. </HTML>