12. System specifications
12.1. AmigaDOS
Environment variables
These are accessed by the DOS library routine GetVar. The flags
argument should be 0. Case is ignored, but upper case is
recommended for compatibility with case-sensitive systems.
The current working directory
The current working directory for the script is set to the
directory containing the script.
Character set
The US-ASCII character set is used for the definition of
environment variables and headers; the newline (NL) sequence is CR
LF.
12.2. Unix
For Unix compatible operating systems, the following are defined:
Environment variables
These are accessed by the C library routine getenv.
The command line
This is accessed using the the argc and argv arguments to main().
The words are have any characters which are `active' in the Bourne
shell escaped with a backslash.
The current working directory
The current working directory for the script is set to the
directory containing the script.
Character set
The US-ASCII character set is used for the definition of
environment variables and headers; the newline (NL) sequence is
LF; servers should also accept CR LF as a newline.
INTERNET-DRAFT Common Gateway Interface - 1.1 15 February 1996
13. Security Considerations
13.1. Safe Methods
As discussed in the security considerations of the HTTP specification
[3], the convention has been established that the GET and HEAD
methods should be `safe'; they should cause no side-effects and only
have the significance of resource retrieval.
13.2. HTTP headers containing sensitive information
Some HTTP headers may carry sensitive information which the server
should not pass on to the script unless explicitly configured to do
so. For example, if the server protects the script using the Basic
authentication scheme, then the client will send an Authorization
header containing a username and password. If the server, rather than
the script, validates this information then it should not pass on the
password via the HTTP_AUTHORIZATION environment variable.
13.3. Script interference with the server
The most common implementation of CGI invokes the script as a child
process using the same user and group as the server process. It
should therefore be ensured that the script cannot interfere with the
server process, its configuration or documents.
If the script is executed by calling a function linked in to the
server software (either at compile-time or run-time) then precautions
should be taken to protect the core memory of the server, or to
ensure that untrusted code cannot be executed.
14. Acknowledgements
This work is based on the original CGI interface that arose out of
discussions on the www-talk mailing list. In particular, Rob McCool,
John Franks, Ari Luotonen, George Phillips and Tony Sanders deserve
special recognition for their efforts in defining and implementing
the early versions of this interface.
This document has also greatly benefited from the comments and
suggestions made Chris Adie, Dave Kristol and Mike Meyer.
15. References
[1] Berners-Lee, T., `Universal Resource Identifiers in WWW: A
Unifying Syntax for the Expression of Names and Addresses of
Objects on the Network as used in the World-Wide Web', RFC 1630,
=10= |
Tweet