Besides passing query information to a CGI script, you can also pass additional data, known as extra path information, as part of the URL. The extra path information depends on the server knowing where the name of the program ends, and understanding that anything following the program name is "extra." Here is how you would call a script with extra path information:

    https://some.machine/cgi-bin/display.pl/cgi/cgi_doc.txt

Since the server knows that display.pl is the name of the program, the string "/cgi/cgi_doc.txt" is stored in the environment variable PATH_INFO. Meanwhile, the variable PATH_TRANSLATED is also set, which maps the information stored in PATH_INFO to the document root directory (e.g., /usr/local/etc/httpd/public/cgi/cgi_doc.txt).

Here is a CGI script, display.pl, that can be used to display text files located in the document root hierarchy:
    #!/usr/local/bin/perl
    # PATH_TRANSLATED already maps the extra path information onto the document root.
    $plaintext_file = $ENV{'PATH_TRANSLATED'};

    print "Content-type: text/plain", "\n\n";

    # Refuse any path containing "..", so the request cannot climb out of the
    # document root hierarchy.
    if ($plaintext_file =~ /\.\./) {
        print "Sorry! You have entered invalid characters in the filename.", "\n";
        print "Please check your specification and try again.", "\n";
    } else {
        if (open (FILE, "<" . $plaintext_file)) {
            while (<FILE>) {
                print;
            }
            close (FILE);
        } else {
            print "Sorry! The file you specified cannot be read!", "\n";
        }
    }
    exit (0);
In this example, we perform a simple security check: we make sure that the user didn't pass path information containing "..", so that the user cannot access files located outside of the document root directory.

Instead of using the PATH_TRANSLATED environment variable, you can use a combination of PATH_INFO and DOCUMENT_ROOT, which contains the physical path to the document root directory. The variable PATH_TRANSLATED is equal to the following statement:

    $path_translated = join ("/", $ENV{'DOCUMENT_ROOT'}, $ENV{'PATH_INFO'});

However, the DOCUMENT_ROOT variable is not set by all servers, and so it is much safer and easier to use PATH_TRANSLATED.
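A hardened version of display.pl, added here as an example and not the book's own code: instead of relying on the textual ".." test alone, it canonicalizes the requested file with Cwd::realpath (which also resolves symbolic links) and verifies that the result still lies under the document root. It assumes the server sets DOCUMENT_ROOT, or else PATH_TRANSLATED and PATH_INFO as described above, from which the root is recovered.

```perl
#!/usr/bin/perl
# Added example, not the book's code: a hardened display.pl that checks the
# *resolved* file lies under the document root rather than trusting a textual
# ".." test alone. DOCUMENT_ROOT is used when set; otherwise the root is
# recovered from PATH_TRANSLATED, which is DOCUMENT_ROOT with PATH_INFO appended.
use strict;
use warnings;
use Cwd qw(realpath);

# Returns the canonical path to serve, or undef if the request must be refused.
sub resolve_under_root {
    my ($root, $path_info) = @_;
    return undef unless defined $root && defined $path_info;
    # Control characters (NUL included) never belong in a document name.
    return undef if $path_info =~ /[\x00-\x1f\x7f]/;

    # realpath() resolves ".", ".." and symlinks against the real filesystem,
    # so the comparison below is made on canonical paths, not on request text.
    my $real_root = realpath($root);
    return undef unless defined $real_root;
    my $candidate = realpath($real_root . $path_info);   # PATH_INFO starts with "/"
    return undef unless defined $candidate && -f $candidate && -r _;

    # Prefix match with the trailing separator, so that a sibling directory
    # such as "/var/www-private" does not pass for root "/var/www".
    my $prefix = ($real_root eq '/') ? '/' : "$real_root/";
    return undef unless index($candidate, $prefix) == 0;
    return $candidate;
}

print "Content-type: text/plain\n\n";

my $root = $ENV{'DOCUMENT_ROOT'};
if (!defined $root && defined $ENV{'PATH_TRANSLATED'} && defined $ENV{'PATH_INFO'}) {
    my ($pt, $pi) = ($ENV{'PATH_TRANSLATED'}, $ENV{'PATH_INFO'});
    $root = substr($pt, 0, length($pt) - length($pi))
        if length($pi) <= length($pt) && substr($pt, -length($pi)) eq $pi;
}

my $file = resolve_under_root($root, $ENV{'PATH_INFO'});
if (defined $file && open(my $fh, '<', $file)) {
    print while <$fh>;
    close $fh;
} else {
    # One generic message: do not echo the rejected path back to the client.
    print "Sorry! The file you specified cannot be displayed.\n";
}
exit 0;
```

Because the check is made on the canonical path, a request whose PATH_INFO follows a symbolic link out of the document root is refused even though it contains no "..".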