The server should be careful of ".." path segments in the request
URI. These should be removed or resolved in the request URI before
it is split into the script-path and extra-path. Alternatively, when
the extra-path is used to find the PATH_TRANSLATED, care should be
taken to avoid the path resolution from providing translated paths
outside an expected path hierarchy.
9.9. Non-parsed Header Output
If a script returns a non-parsed header output, to be interpreted by
the client in its native protocol, then the script must address all
security considerations relating to that protocol.
This work is based on the original CGI interface that arose out of
discussions on the 'www-talk' mailing list. In particular, Rob
McCool, John Franks, Ari Luotonen, George Phillips and Tony Sanders
deserve special recognition for their efforts in defining and
implementing the early versions of this interface.
This document has also greatly benefited from the comments and
suggestions made Chris Adie, Dave Kristol and Mike Meyer; also David
Morris, Jeremy Madea, Patrick McManus, Adam Donahue, Ross Patterson
and Harald Alvestrand.
11.1 Normative References
 Berners-Lee, T., Fielding, R. and H. Frystyk, "Hypertext
Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996.
 Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource
Identifiers (URI) : Generic Syntax", RFC 2396, August 1998.
 Bradner, S., "Key words for use in RFCs to Indicate Requirements
Levels", BCP 14, RFC 2119, March 1997.
 Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
HTTP/1.1", RFC 2616, June 1999.
 Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication:
Basic and Digest Access Authentication", RFC 2617, June 1999.
RFC 3875 CGI Version 1.1 October 2004
 Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, November
 Hinden, R., Carpenter, B., and L. Masinter, "Format for Literal
IPv6 Addresses in URL's", RFC 2732, December 1999.
 "HTTP Status Code Registry",
 "Information Systems -- Coded Character Sets -- 7-bit American
Standard Code for Information Interchange (7-Bit ASCII)", ANSI
 "Information technology -- 8-bit single-byte coded graphic
character sets -- Part 1: Latin alphabet No. 1", ISO/IEC
11.2. Informative References
 Berners-Lee, T., "Universal Resource Identifiers in WWW: A
Unifying Syntax for the Expression of Names and Addresses of
Objects on the Network as used in the World-Wide Web", RFC 1630,
 Braden, R., Ed., "Requirements for Internet Hosts -- Application
and Support", STD 3, RFC 1123, October 1989.
 Crocker, D., "Standard for the Format of ARPA Internet Text
Messages", STD 11, RFC 822, August 1982.
 Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
2246, January 1999.
 Hinden R. and S. Deering, "Internet Protocol Version 6 (IPv6)
Addressing Architecture", RFC 3513, April 2003.
 Masinter, L., "Returning Values from Forms:
multipart/form-data", RFC 2388, August 1998.
 Mockapetris, P., "Domain Names - Concepts and Facilities", STD
13, RFC 1034, November 1987.
 Raggett, D., Le Hors, A., and I. Jacobs, Eds., "HTML 4.01
Specification", W3C Recommendation December 1999,