revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)

reverts part of commit:dbdab5db which swapped REQUEST_URI, REDIRECT_URI

x-ref:
  "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40"
  https://redmine.lighttpd.net/issues/2738

Explanation:

REQUEST_URI and REDIRECT_URI are not part of CGI standard environment.
The reason for their existence is that PATH_INFO in CGI environment may
be different from the path in the current request.  The main reason for
this potential difference is that the URI path is normalized to a path
in the filesystem and tested against the filesystem to determine which
part is SCRIPT_NAME and which part is PATH_INFO.  In case-insensitive
filesystems, the URI might be lowercased before testing against the
filesystem, leading to loss of case-sensitive submission in any
resulting PATH_INFO.  Also, duplicated slashes "///" and directory
references "/." and "/.." are removed, including prior path component in
the case of "/..".  This might be undesirable when the information after
the SCRIPT_NAME is virtual information and the target script needs the
virtual path preserved as-is.  In that case, the target script can
re-parse REQUEST_URI (or REDIRECT_URI, as appropriate) to obtain the
unmodified information from the URI.

con->request.uri is equivalent to con->request.orig_uri unless the
request has been internally rewritten (e.g. by mod_rewrite, mod_magnet,
others), in which case con->request.orig_uri is the request made by the
client, and con->request.uri is the current URI being processed.

Historical REQUEST_URI (environment variable) lighttpd inconsistencies
- mod_cml     set REQUEST_URI to con->request.orig_uri
- mod_cgi     set REQUEST_URI to con->request.orig_uri
- mod_fastcgi set REQUEST_URI to con->request.orig_uri
- mod_scgi    set REQUEST_URI to con->request.orig_uri

- mod_ssi     set            REQUEST_URI to current con->request.uri
- mod_magnet  set MAGNET_ENV_REQUEST_URI to current con->request.uri
              and MAGNET_ENV_REQUEST_ORIG_URI to con->request.orig_uri

Historical REDIRECT_URI (environment variable) previously set only in
mod_fastcgi and mod_scgi, and set to con->request.uri

Since lighttpd 1.4.40 provides REDIRECT_URI with con->request.orig_uri,
changes were made to REQUEST_URI for consistency, with the hope that
there would be little impact to existing configurations since the
request uri and original request uri are the same unless there has been
an internal redirect.  It turns out that various PHP frameworks use
REQUEST_URI and require that it be the original URI requested by client.

Therefore, this change is being reverted, and lighttpd will set
REQUEST_URI to con->request.orig_uri in mod_cgi, mod_fastcgi, mod_scgi
as was done in lighttpd 1.4.39 and earlier.  Similarly, REDIRECT_URI
also has the prior behavior in mod_fastcgi and mod_scgi, and added to
mod_cgi.

A future release of lighttpd might change mod_ssi to be consistent with
the other modules in setting REQUEST_URI to con->request.orig_uri and to
add REDIRECT_URI, when an internal redirect has occurred.
Glenn Strauss 2016-07-23 01:24:25 -04:00
parent ed340897a2
commit 9af58a9716
5 changed files with 12 additions and 21 deletions


@ -1110,13 +1110,11 @@ int connection_state_machine(server *srv, connection *con) {
con->response.content_length = -1;
con->response.transfer_encoding = 0;
array_set_key_value(con->environment, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(con->request.orig_uri));
con->error_handler_saved_status = con->http_status;
con->error_handler_saved_method = con->request.http_method;
con->request.http_method = HTTP_METHOD_GET;
} else { /*(preserve behavior for server.error-handler-404)*/
array_set_key_value(con->environment, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(error_handler));
con->error_handler_saved_status = -con->http_status; /*(negative to flag old behavior)*/
}


@ -528,13 +528,6 @@ static int cgi_demux_response(server *srv, handler_ctx *hctx) {
return FDEVENT_HANDLED_FINISHED;
}
if (!buffer_is_equal(con->request.uri, con->request.orig_uri)
&& !array_get_element(con->environment, "REDIRECT_URI")) {
array_set_key_value(con->environment,
CONST_STR_LEN("REDIRECT_URI"),
CONST_BUF_LEN(con->request.orig_uri));
}
buffer_copy_buffer(con->request.uri, ds->value);
if (con->request.content_length) {
@ -1211,10 +1204,9 @@ static int cgi_create_env(server *srv, connection *con, plugin_data *p, handler_
} else {
cgi_env_add(&env, CONST_STR_LEN("QUERY_STRING"), CONST_STR_LEN(""));
}
if (con->error_handler_saved_status >= 0) {
cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.uri));
} else {
cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));
cgi_env_add(&env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));
if (!buffer_is_equal(con->request.uri, con->request.orig_uri)) {
cgi_env_add(&env, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(con->request.uri));
}
/* set REDIRECT_STATUS for php compiled with --force-redirect
* (if REDIRECT_STATUS has not already been set by error handler) */
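Review bot: The new REQUEST_URI / REDIRECT_URI assignment in cgi_create_env (second hunk) has no comment saying which of the two values is taken verbatim from the client. REQUEST_URI is now always con->request.orig_uri, which per the commit description is the request as the client sent it, not the rewritten or filesystem-normalized path the server dispatched on. A script that makes routing or access decisions on it will therefore see "/..", "//" and the original case. I would add above the first call `/* REQUEST_URI: original client request, not normalized; REDIRECT_URI: URI currently being handled, set only after an internal rewrite */`. The same comment fits the matching hunks in fcgi_create_env and scgi_create_env; cgi_create_env itself starts and ends outside the hunk.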


@ -1965,7 +1965,7 @@ static int fcgi_create_env(server *srv, handler_ctx *hctx, int request_id) {
fcgi_extension_host *host= hctx->host;
connection *con = hctx->remote_conn;
buffer * const req_uri = (con->error_handler_saved_status >= 0) ? con->request.uri : con->request.orig_uri;
buffer * const req_uri = con->request.orig_uri;
server_socket *srv_sock = con->srv_socket;
sock_addr our_addr;
@ -2142,6 +2142,9 @@ static int fcgi_create_env(server *srv, handler_ctx *hctx, int request_id) {
} else {
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(req_uri)),con)
}
if (!buffer_is_equal(con->request.uri, con->request.orig_uri)) {
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(con->request.uri)),con);
}
if (!buffer_string_is_empty(con->uri.query)) {
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query)),con)
} else {
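Review bot: The added REDIRECT_URI line in the second hunk ends in `,con);`, while the other FCGI_ENV_ADD_CHECK uses visible here (REQUEST_URI, QUERY_STRING) end in `,con)` with no semicolon. The macro definition is not in view, but those neighbours suggest it already expands to a complete statement, so the extra `;` most likely leaves an empty statement behind. For consistency I would write `FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(con->request.uri)),con)`. fcgi_create_env continues outside both hunks.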


@ -1704,10 +1704,9 @@ static int scgi_create_env(server *srv, handler_ctx *hctx) {
scgi_env_add(p->scgi_env, CONST_STR_LEN("SCRIPT_FILENAME"), CONST_BUF_LEN(p->path));
scgi_env_add(p->scgi_env, CONST_STR_LEN("DOCUMENT_ROOT"), CONST_BUF_LEN(con->physical.basedir));
}
if (con->error_handler_saved_status >= 0) {
scgi_env_add(p->scgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.uri));
} else {
scgi_env_add(p->scgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));
scgi_env_add(p->scgi_env, CONST_STR_LEN("REQUEST_URI"), CONST_BUF_LEN(con->request.orig_uri));
if (!buffer_is_equal(con->request.uri, con->request.orig_uri)) {
scgi_env_add(p->scgi_env, CONST_STR_LEN("REDIRECT_URI"), CONST_BUF_LEN(con->request.uri));
}
if (!buffer_string_is_empty(con->uri.query)) {
scgi_env_add(p->scgi_env, CONST_STR_LEN("QUERY_STRING"), CONST_BUF_LEN(con->uri.query));


@ -1,7 +1,6 @@
#!/usr/bin/env perl
my $request_uri = $ENV{'REQUEST_URI'}; # server.error-handler-404
my $redirect_uri= $ENV{'REDIRECT_URI'}; # server.error-handler
my $request_uri = $ENV{'REQUEST_URI'};
if ($request_uri =~ m/^\/dynamic\/200\// ) {
print "Status: 200\n",
@ -29,7 +28,7 @@ elsif ($request_uri =~ m/^\/send404\.pl/ ) {
elsif ($request_uri =~ m/^\/dynamic\/nostatus\// ) {
print ("found here\n");
}
elsif ($redirect_uri =~ m/^\/dynamic\/redirect_status\// ) {
elsif ($request_uri =~ m/^\/dynamic\/redirect_status\// ) {
print "Status: $ENV{'REDIRECT_STATUS'}\n",
"Content-Type: text/plain\n",
"\n",
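Review bot: After this change the script no longer reads `$ENV{'REDIRECT_URI'}` anywhere, so nothing in it checks the variable that this commit newly exports from mod_cgi. The `redirect_status` branch now matches on `$request_uri` only, which covers REQUEST_URI being the client's original URI but not REDIRECT_URI carrying the rewritten one. A case that goes through an internal rewrite and prints both variables would let the test suite pin the behaviour that fixes #2738. Other test files are not visible here, so such a case may already exist elsewhere.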