SCRIPT_NAME is not stripped from PATH_INFO when a placeholder is used
Flameborn opened this issue · 2 comments
When a SCRIPT_NAME environment variable containing a Caddy placeholder (e.g. regex) is defined inside the cgi directive, PATH_INFO is not stripped. For example:
I have a perl script, called as https://example.com/admin.pl/1234
I set SCRIPT_NAME to any placeholder, e.g.:
@perlFile path_regexp perlScript ^(/.*\.pl)
PATH_INFO is passed automatically, and it contains: /admin.pl/1234
According to RFC 3875, PATH_INFO should contain the path section after SCRIPT_NAME, up to the query string. Since it's optional, if a URL ends in SCRIPT_NAME, PATH_INFO may also remain empty.
I suspect that internally, the actual placeholder text is used, instead of the placeholder value.
Would it be possible to use the placeholder value instead?
I use Caddy v2.5.2, and Caddy-CGI v2, according to Caddy's download page.
Inspect returns:
CGI for Caddy inspection page
Executable .................... /usr/local/cgi-bin/admin.pl
Root .......................... /
Dir ........................... /usr/local/cgi-bin
Environment
PATH_INFO ................... /admin.pl/1234
REMOTE_USER .................
SCRIPT_EXEC ................. /usr/local/cgi-bin/admin.pl
SCRIPT_FILENAME ............. /usr/local/cgi-bin/admin.pl
SCRIPT_NAME ................. /admin.pl
SERVER_PORT .................
Inherited environment
Placeholders
{path} ...................... /admin.pl/1234
{root} ...................... /
{http.request.host} ......... example.com
{http.request.method} ....... GET
{http.request.uri.path} ..... /admin.pl/1234
Thanks for reporting this. Your suspicion was correct; the actual placeholder replacement was done too late.
Fantastic, thank you!