From ad9bae0b85165ad96e35c202c96e4adb67786a90 Mon Sep 17 00:00:00 2001
Message-Id:
From: Mark Wooding
Date: Fri, 11 Jan 2008 12:00:55 +0000
Subject: [PATCH] Reject unwanted PATH_INFO per the RFC.
Organization: Straylight/Edgeware
From: rjk@greenend.org.uk <>
---
 server/cgimain.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/server/cgimain.c b/server/cgimain.c
index 5f83e7a..674e9c7 100644
--- a/server/cgimain.c
+++ b/server/cgimain.c
@@ -78,6 +78,15 @@ int main(int argc, char **argv) {
 struct cookiedata cd;
 if(argc > 0) progname = argv[0];
+ /* RFC 3875 s8.2 recommends rejecting PATH_INFO if we don't make use of
+ * it. */
+ if(getenv("PATH_INFO")) {
+ printf("Content-Type: text/html\n");
+ printf("Status: 404\n");
+ printf("\n");
+ printf("

Sorry, PATH_INFO not supported.

\n");
+ exit(0);
+ }
 cgi_parse();
 if((conf = getenv("DISORDER_CONFIG"))) configfile = xstrdup(conf);
 if(getenv("DISORDER_DEBUG")) debugging = 1;
@@ -111,7 +120,6 @@ int main(int argc, char **argv) {
 }
 }
 disorder_cgi_login(&s, &output);
- /* TODO RFC 3875 s8.2 recommendations e.g. concerning PATH_INFO */
 disorder_cgi(&output, &s);
 if(fclose(stdout) < 0) fatal(errno, "error closing stdout");
 return 0;
-- [mdw]
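Review bot: The new guard `if(getenv("PATH_INFO"))` in the first hunk fires whenever the variable exists, including when the web server exports it with an empty value; RFC 3875 s4.1 does not distinguish an empty meta-variable from a missing one, so under such a server every request would be answered with the 404. Testing the value as well avoids that: `const char *pi = getenv("PATH_INFO");` followed by `if(pi && *pi) {`. The `Status: 404` line also omits the reason phrase that the RFC's Status header grammar expects, e.g. `printf("Status: 404 Not Found\n");`. The fixed response body does not echo PATH_INFO back to the client, which is worth keeping that way. main() starts and ends outside this hunk.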