Opened 8 years ago

Closed 8 years ago

#143 closed defect (invalid)

Using fastcgi_split_path_info to populate PATH_TRANSLATED should comply with CGI 1.1 spec

Reported by: www.google.com/accounts/o8/id?id=AItOawn1qaPOFrfg8ikoVNFPuJeWiHVBlxJtEww Owned by: somebody
Priority: major Milestone:
Component: nginx-module Version: 1.0.x
Keywords: HttpFcgiModule Cc:
uname -a: Linux centos.vm 2.6.32-220.7.1.el6.i686 #1 SMP Tue Mar 6 21:21:22 GMT 2012 i686 i686 i386 GNU/Linux
nginx -V: nginx version: nginx/1.0.14 built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) TLS SNI support enabled configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -march=i386 -mtune=i686'

Description

From RFC3875:

The server SHOULD set this meta-variable if the request URI includes a path-info component. If PATH_INFO is NULL, then the PATH_TRANSLATED variable MUST be set to NULL (or unset).

Recommended configuration from http://wiki.nginx.org/HttpFcgiModule#fastcgi_split_path_info:

fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

Using this configuration always results in PATH_TRANSLATED being populated even when PATH_INFO is empty. This is not compliant with the description above.

This can be resolved by not sending the PATH_TRANSLATED parameter when PATH_INFO is empty or not set.

Alternately, fastcgi_split_path_info could be a block directive where the block contents are only processed if the regex matches on both tags.
This could look like this:

fastcgi_split_path_info ^((?U).+\.php)(/?.+)$ {
  fastcgi_param PATH_INFO $fastcgi_path_info;
  fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
}

This would allow the current non-RFC-compliant cofiguration if someone needs it for some reason, while allowing administrators to set compliant configurations as well.

The documentation should be updated with details of how to configure your server to be CGI 1.1 compliant.

Change History (1)

comment:1 Changed 8 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

The wiki example is obviously contradicts RFC, feel free to fix it. An obvious fix would be to use 2 distinct locations, and set PATH_TRANSLATED in only one of them where PATH_INFO it's guaranteed to be not empty, e.g.

    location ~ \.php$ {
        fastcgi_pass ...
        include fastcgi_params;
        ...
    }

    location ~ \.php/ {
        fastcgi_pass ...
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        ...
    }

Official docs at http://nginx.org/r/fastcgi_split_path_info doesn't claim anything about setting PATH_TRANSLATED.

Note: See TracTickets for help on using tickets.