mirror of
https://github.com/sheumann/hush.git
synced 2024-11-05 06:07:00 +00:00
2675 lines
85 KiB
HTML
2675 lines
85 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
|
|
"http://www.w3.org/TR/REC-html40/loose.dtd">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE>Common Gateway Interface - 1.1 *Draft 03* [http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html]
|
|
</TITLE>
|
|
<!--#if expr="$HTTP_USER_AGENT != /Lynx/" -->
|
|
<!--#set var="GUI" value="1" -->
|
|
<!--#endif -->
|
|
<LINK HREF="mailto:Ken.Coar@Golux.Com" rev="revised">
|
|
<LINK REL="STYLESHEET" HREF="cgip-style-rfc.css" TYPE="text/css">
|
|
<META name="latexstyle" content="rfc">
|
|
<META name="author" content="Ken A L Coar">
|
|
<META name="institute" content="IBM Corporation">
|
|
<META name="date" content="25 June 1999">
|
|
<META name="expires" content="Expires 31 December 1999">
|
|
<META name="document" content="INTERNET-DRAFT">
|
|
<META name="file" content="<draft-coar-cgi-v11-03.txt>">
|
|
<META name="group" content="INTERNET-DRAFT">
|
|
<!--
|
|
There are a lot of BNF fragments in this document. To make it work
|
|
in all possible browsers (including Lynx, which is used to turn it
|
|
into text/plain), we handle these by using PREformatted blocks with
|
|
a universal internal margin of 2, inside one-level DL blocks.
|
|
-->
|
|
</HEAD>
|
|
<BODY>
|
|
<!--
|
|
HTML doesn't do paper pagination, so we need to fake it out. Basing
|
|
our formatting upon RFC2068, there are four (4) lines of header and
|
|
four (4) lines of footer for each page.
|
|
|
|
<DIV ALIGN="CENTER">
|
|
<PRE>
|
|
|
|
|
|
|
|
|
|
Coar, et al. CGI/1.1 Specification May, 1998
|
|
INTERNET-DRAFT Expires 1 December 1998 [Page 2]
|
|
|
|
|
|
</PRE>
|
|
</DIV>
|
|
-->
|
|
<!--
|
|
The following weirdness wrt non-breaking spaces is to get Lynx
|
|
(which is barely TABLE-aware) to line the left/right justified
|
|
text up properly.
|
|
-->
|
|
<DIV ALIGN="CENTER">
|
|
<TABLE WIDTH="100%" CELLPADDING=0 CELLSPACING=0>
|
|
<TR VALIGN="TOP">
|
|
<TD ALIGN="LEFT">
|
|
INTERNET-DRAFT
|
|
</TD>
|
|
<TD ALIGN="RIGHT">
|
|
Ken A L Coar
|
|
</TD>
|
|
</TR>
|
|
<TR VALIGN="TOP">
|
|
<TD ALIGN="LEFT">
|
|
draft-coar-cgi-v11-03.{html,txt}
|
|
</TD>
|
|
<TD ALIGN="RIGHT">
|
|
IBM Corporation
|
|
</TD>
|
|
</TR>
|
|
<TR VALIGN="TOP">
|
|
<TD ALIGN="LEFT">
|
|
|
|
</TD>
|
|
<TD ALIGN="RIGHT">
|
|
D.R.T. Robinson
|
|
</TD>
|
|
</TR>
|
|
<TR VALIGN="TOP">
|
|
<TD ALIGN="LEFT">
|
|
|
|
</TD>
|
|
<TD ALIGN="RIGHT">
|
|
E*TRADE UK Ltd.
|
|
</TD>
|
|
</TR>
|
|
<TR VALIGN="TOP">
|
|
<TD ALIGN="LEFT">
|
|
|
|
</TD>
|
|
<TD ALIGN="RIGHT">
|
|
25 June 1999
|
|
</TD>
|
|
</TR>
|
|
</TABLE>
|
|
</DIV>
|
|
|
|
<H1 ALIGN="CENTER">
|
|
The WWW Common Gateway Interface
|
|
<BR>
|
|
Version 1.1
|
|
</H1>
|
|
|
|
<!--#include virtual="I-D-statement" -->
|
|
|
|
<H2>
|
|
<A NAME="Abstract">
|
|
Abstract
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
The Common Gateway Interface (CGI) is a simple interface for running
|
|
external programs, software or gateways under an information server
|
|
in a platform-independent manner. Currently, the supported information
|
|
servers are HTTP servers.
|
|
</P>
|
|
<P>
|
|
The interface has been in use by the World-Wide Web since 1993. This
|
|
specification defines the
|
|
"current practice" parameters of the
|
|
'CGI/1.1' interface developed and documented at the U.S. National
|
|
Centre for Supercomputing Applications [NCSA-CGI].
|
|
This document also defines the use of the CGI/1.1 interface
|
|
on the Unix and AmigaDOS(tm) systems.
|
|
</P>
|
|
<P>
|
|
Discussion of this draft occurs on the CGI-WG mailing list; see the
|
|
project Web page at
|
|
<SAMP><URL:<A HREF="http://CGI-Spec.Golux.Com/"
|
|
>http://CGI-Spec.Golux.Com/</A>></SAMP>
|
|
for details on the mailing list and the status of the project.
|
|
</P>
|
|
|
|
<!--#if expr="$GUI" -->
|
|
<H2>
|
|
Revision History
|
|
</H2>
|
|
<P>
|
|
The revision history of this draft is being maintained using Web-based
|
|
GUI notation, such as struck-through characters and colour-coded
|
|
sections. The following legend describes how to determine the origin
|
|
of a particular revision according to the colour of the text:
|
|
</P>
|
|
<DL COMPACT>
|
|
<DT>Black
|
|
</DT>
|
|
<DD>Revision 00, released 28 May 1998
|
|
</DD>
|
|
<DT>Green
|
|
</DT>
|
|
<DD>Revision 01, released 28 December 1998
|
|
<BR>
|
|
Major structure change: Section 4, "Request Metadata (Meta-Variables)"
|
|
was moved entirely under <A HREF="#7.0">Section 7</A>, "Data Input to the
|
|
CGI Script."
|
|
Due to the size of this change, it is noted here and the text in its
|
|
former location does <EM>not</EM> appear as struckthrough. This has
|
|
caused major <A HREF="#6.0">sections 5</A> and following to decrement
|
|
by one. Other
|
|
large text movements are likewise not marked up. References to RFC
|
|
1738 were changed to 2396 (1738's replacement).
|
|
</DD>
|
|
<DT>Red
|
|
</DT>
|
|
<DD>Revision 02, released 2 April, 1999
|
|
<BR>
|
|
Added text to <A HREF="#8.3">section 8.3</A> defining correct handling
|
|
of HTTP/1.1
|
|
requests using "chunked" Transfer-Encoding. Labelled metavariable
|
|
names in <A HREF="#8.0">section 8</A> with the appropriate detail section
|
|
numbers.
|
|
Clarified allowed usage of <SAMP>Status</SAMP> and
|
|
<SAMP>Location</SAMP> response header fields. Included new
|
|
Internet-Draft language.
|
|
</DD>
|
|
<DT>Fuchsia
|
|
</DT>
|
|
<DD>Revision 03, released 25 June 1999
|
|
<BR>
|
|
Changed references from "HTTP" to "Protocol-Specific" for the listing of
|
|
things like HTTP_ACCEPT. Changed 'entity-body' and 'content-body' to
|
|
'message-body.' Added a note that response headers must comply with
|
|
requirements of the protocol level in use. Added a lot of stuff about
|
|
security (section 11). Clarified a bunch of productions. Pointed out
|
|
that zero-length and omitted values are indistinguishable in this
|
|
specification. Clarified production describing order of fields in
|
|
script response header. Clarified issues surrounding encoding of
|
|
data. Acknowledged additional contributors, and changed one of
|
|
the authors' addresses.
|
|
</DD>
|
|
</DL>
|
|
<!--#endif -->
|
|
|
|
<H2>
|
|
<A NAME="Contents">
|
|
Table of Contents
|
|
</A>
|
|
</H2>
|
|
<DIV ALIGN="CENTER">
|
|
<PRE>
|
|
1 Introduction..............................................<A
|
|
HREF="#1.0"
|
|
>TBD</A>
|
|
1.1 Purpose................................................<A
|
|
HREF="#1.1"
|
|
>TBD</A>
|
|
1.2 Requirements...........................................<A
|
|
HREF="#1.2"
|
|
>TBD</A>
|
|
1.3 Specifications.........................................<A
|
|
HREF="#1.3"
|
|
>TBD</A>
|
|
1.4 Terminology............................................<A
|
|
HREF="#1.4"
|
|
>TBD</A>
|
|
2 Notational Conventions and Generic Grammar................<A
|
|
HREF="#2.0"
|
|
>TBD</A>
|
|
2.1 Augmented BNF..........................................<A
|
|
HREF="#2.1"
|
|
>TBD</A>
|
|
2.2 Basic Rules............................................<A
|
|
HREF="#2.2"
|
|
>TBD</A>
|
|
3 Protocol Parameters.......................................<A
|
|
HREF="#3.0"
|
|
>TBD</A>
|
|
3.1 URL Encoding...........................................<A
|
|
HREF="#3.1"
|
|
>TBD</A>
|
|
3.2 The Script-URI.........................................<A
|
|
HREF="#3.2"
|
|
>TBD</A>
|
|
4 Invoking the Script.......................................<A
|
|
HREF="#4.0"
|
|
>TBD</A>
|
|
5 The CGI Script Command Line...............................<A
|
|
HREF="#5.0"
|
|
>TBD</A>
|
|
6 Data Input to the CGI Script..............................<A
|
|
HREF="#6.0"
|
|
>TBD</A>
|
|
6.1 Request Metadata (Metavariables).......................<A
|
|
HREF="#6.1"
|
|
>TBD</A>
|
|
6.1.1 AUTH_TYPE...........................................<A
|
|
HREF="#6.1.1"
|
|
>TBD</A>
|
|
6.1.2 CONTENT_LENGTH......................................<A
|
|
HREF="#6.1.2"
|
|
>TBD</A>
|
|
6.1.3 CONTENT_TYPE........................................<A
|
|
HREF="#6.1.3"
|
|
>TBD</A>
|
|
6.1.4 GATEWAY_INTERFACE...................................<A
|
|
HREF="#6.1.4"
|
|
>TBD</A>
|
|
6.1.5 Protocol-Specific Metavariables.....................<A
|
|
HREF="#6.1.5"
|
|
>TBD</A>
|
|
6.1.6 PATH_INFO...........................................<A
|
|
HREF="#6.1.6"
|
|
>TBD</A>
|
|
6.1.7 PATH_TRANSLATED.....................................<A
|
|
HREF="#6.1.7"
|
|
>TBD</A>
|
|
6.1.8 QUERY_STRING........................................<A
|
|
HREF="#6.1.8"
|
|
>TBD</A>
|
|
6.1.9 REMOTE_ADDR.........................................<A
|
|
HREF="#6.1.9"
|
|
>TBD</A>
|
|
6.1.10 REMOTE_HOST........................................<A
|
|
HREF="#6.1.10"
|
|
>TBD</A>
|
|
6.1.11 REMOTE_IDENT.......................................<A
|
|
HREF="#6.1.11"
|
|
>TBD</A>
|
|
6.1.12 REMOTE_USER........................................<A
|
|
HREF="#6.1.12"
|
|
>TBD</A>
|
|
6.1.13 REQUEST_METHOD.....................................<A
|
|
HREF="#6.1.13"
|
|
>TBD</A>
|
|
6.1.14 SCRIPT_NAME........................................<A
|
|
HREF="#6.1.14"
|
|
>TBD</A>
|
|
6.1.15 SERVER_NAME........................................<A
|
|
HREF="#6.1.15"
|
|
>TBD</A>
|
|
6.1.16 SERVER_PORT........................................<A
|
|
HREF="#6.1.16"
|
|
>TBD</A>
|
|
6.1.17 SERVER_PROTOCOL....................................<A
|
|
HREF="#6.1.17"
|
|
>TBD</A>
|
|
6.1.18 SERVER_SOFTWARE....................................<A
|
|
HREF="#6.1.18"
|
|
>TBD</A>
|
|
6.2 Request Message-Bodies................................<A
|
|
HREF="#6.2"
|
|
>TBD</A>
|
|
7 Data Output from the CGI Script...........................<A
|
|
HREF="#7.0"
|
|
>TBD</A>
|
|
7.1 Non-Parsed Header Output...............................<A
|
|
HREF="#7.1"
|
|
>TBD</A>
|
|
7.2 Parsed Header Output...................................<A
|
|
HREF="#7.2"
|
|
>TBD</A>
|
|
7.2.1 CGI header fields...................................<A
|
|
HREF="#7.2.1"
|
|
>TBD</A>
|
|
7.2.1.1 Content-Type.....................................<A
|
|
HREF="#7.2.1.1"
|
|
>TBD</A>
|
|
7.2.1.2 Location.........................................<A
|
|
HREF="#7.2.1.2"
|
|
>TBD</A>
|
|
7.2.1.3 Status...........................................<A
|
|
HREF="#7.2.1.3"
|
|
>TBD</A>
|
|
7.2.1.4 Extension header fields..........................<A
|
|
HREF="#7.2.1.3"
|
|
>TBD</A>
|
|
7.2.2 HTTP header fields..................................<A
|
|
HREF="#7.2.2"
|
|
>TBD</A>
|
|
8 Server Implementation.....................................<A
|
|
HREF="#8.0"
|
|
>TBD</A>
|
|
8.1 Requirements for Servers...............................<A
|
|
HREF="#8.1"
|
|
>TBD</A>
|
|
8.1.1 Script-URI..........................................<A
|
|
HREF="#8.1"
|
|
>TBD</A>
|
|
8.1.2 Request Message-body Handling.......................<A
|
|
HREF="#8.1.2"
|
|
>TBD</A>
|
|
8.1.3 Required Metavariables..............................<A
|
|
HREF="#8.1.3"
|
|
>TBD</A>
|
|
8.1.4 Response Compliance.................................<A
|
|
HREF="#8.1.4"
|
|
>TBD</A>
|
|
8.2 Recommendations for Servers............................<A
|
|
HREF="#8.2"
|
|
>TBD</A>
|
|
8.3 Summary of Metavariables...............................<A
|
|
HREF="#8.3"
|
|
>TBD</A>
|
|
9 Script Implementation.....................................<A
|
|
HREF="#9.0"
|
|
>TBD</A>
|
|
9.1 Requirements for Scripts...............................<A
|
|
HREF="#9.1"
|
|
>TBD</A>
|
|
9.2 Recommendations for Scripts............................<A
|
|
HREF="#9.2"
|
|
>TBD</A>
|
|
10 System Specifications....................................<A
|
|
HREF="#10.0"
|
|
>TBD</A>
|
|
10.1 AmigaDOS..............................................<A
|
|
HREF="#10.1"
|
|
>TBD</A>
|
|
10.2 Unix..................................................<A
|
|
HREF="#10.2"
|
|
>TBD</A>
|
|
11 Security Considerations..................................<A
|
|
HREF="#11.0"
|
|
>TBD</A>
|
|
11.1 Safe Methods..........................................<A
|
|
HREF="#11.1"
|
|
>TBD</A>
|
|
11.2 HTTP Header Fields Containing Sensitive Information...<A
|
|
HREF="#11.2"
|
|
>TBD</A>
|
|
11.3 Script Interference with the Server...................<A
|
|
HREF="#11.3"
|
|
>TBD</A>
|
|
11.4 Data Length and Buffering Considerations..............<A
|
|
HREF="#11.4"
|
|
>TBD</A>
|
|
11.5 Stateless Processing..................................<A
|
|
HREF="#11.5"
|
|
>TBD</A>
|
|
12 Acknowledgments..........................................<A
|
|
HREF="#12.0"
|
|
>TBD</A>
|
|
13 References...............................................<A
|
|
HREF="#13.0"
|
|
>TBD</A>
|
|
14 Authors' Addresses.......................................<A
|
|
HREF="#14.0"
|
|
>TBD</A>
|
|
</PRE>
|
|
</DIV>
|
|
|
|
<H2>
|
|
<A NAME="1.0">
|
|
1. Introduction
|
|
</A>
|
|
</H2>
|
|
|
|
<H3>
|
|
<A NAME="1.1">
|
|
1.1. Purpose
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Together the HTTP [<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>] server
|
|
and the CGI script are responsible
|
|
for servicing a client
|
|
request by sending back responses. The client
|
|
request comprises a Universal Resource Identifier (URI)
|
|
[<A HREF="#[1]">1</A>], a
|
|
request method, and various ancillary
|
|
information about the request
|
|
provided by the transport mechanism.
|
|
</P>
|
|
<P>
|
|
The CGI defines the abstract parameters, known as
|
|
metavariables,
|
|
which describe the client's
|
|
request. Together with a
|
|
concrete programmer interface this specifies a platform-independent
|
|
interface between the script and the HTTP server.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="1.2">
|
|
1.2. Requirements
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
This specification uses the same words as RFC 1123
|
|
[<A HREF="#[5]">5</A>] to define the
|
|
significance of each particular requirement. These are:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<DL>
|
|
<DT><EM>MUST</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
This word or the adjective 'required' means that the item is an
|
|
absolute requirement of the specification.
|
|
</P>
|
|
</DD>
|
|
<DT><EM>SHOULD</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
This word or the adjective 'recommended' means that there may
|
|
exist valid reasons in particular circumstances to ignore this
|
|
item, but the full implications should be understood and the case
|
|
carefully weighed before choosing a different course.
|
|
</P>
|
|
</DD>
|
|
<DT><EM>MAY</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
This word or the adjective 'optional' means that this item is
|
|
truly optional. One vendor may choose to include the item because
|
|
a particular marketplace requires it or because it enhances the
|
|
product, for example; another vendor may omit the same item.
|
|
</P>
|
|
</DD>
|
|
</DL>
|
|
<P>
|
|
An implementation is not compliant if it fails to satisfy one or more
|
|
of the 'must' requirements for the protocols it implements. An
|
|
implementation that satisfies all of the 'must' and all of the
|
|
'should' requirements for its features is said to be 'unconditionally
|
|
compliant'; one that satisfies all of the 'must' requirements but not
|
|
all of the 'should' requirements for its features is said to be
|
|
'conditionally compliant.'
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="1.3">
|
|
1.3. Specifications
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Not all of the functions and features of the CGI are defined in the
|
|
main part of this specification. The following phrases are used to
|
|
describe the features which are not specified:
|
|
</P>
|
|
<DL>
|
|
<DT><EM>system defined</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The feature may differ between systems, but must be the same for
|
|
different implementations using the same system. A system will
|
|
usually identify a class of operating-systems. Some systems are
|
|
defined in
|
|
<A HREF="#10.0"
|
|
>section 10</A> of this document.
|
|
New systems may be defined
|
|
by new specifications without revision of this document.
|
|
</P>
|
|
</DD>
|
|
<DT><EM>implementation defined</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The behaviour of the feature may vary from implementation to
|
|
implementation, but a particular implementation must document its
|
|
behaviour.
|
|
</P>
|
|
</DD>
|
|
</DL>
|
|
|
|
<H3>
|
|
<A NAME="1.4">
|
|
1.4. Terminology
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
This specification uses many terms defined in the HTTP/1.1
|
|
specification [<A HREF="#[8]">8</A>]; however, the following terms are
|
|
used here in a
|
|
sense which may not accord with their definitions in that document,
|
|
or with their common meaning.
|
|
</P>
|
|
|
|
<DL>
|
|
<DT><EM>metavariable</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
A named parameter that carries information from the server to the
|
|
script. It is not necessarily a variable in the operating-system's
|
|
environment, although that is the most common implementation.
|
|
</P>
|
|
</DD>
|
|
|
|
<DT><EM>script</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The software which is invoked by the server <EM>via</EM> this
|
|
interface. It
|
|
need not be a standalone program, but could be a
|
|
dynamically-loaded or shared library, or even a subroutine in the
|
|
server. It <EM>may</EM> be a set of statements
|
|
interpreted at run-time, as the term 'script' is frequently
|
|
understood, but that is not a requirement and within the context
|
|
of this specification the term has the broader definition stated.
|
|
</P>
|
|
</DD>
|
|
<DT><EM>server</EM>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The application program which invokes the script in order to service
|
|
requests.
|
|
</P>
|
|
</DD>
|
|
</DL>
|
|
|
|
<H2>
|
|
<A NAME="2.0">
|
|
2. Notational Conventions and Generic Grammar
|
|
</A>
|
|
</H2>
|
|
|
|
<H3>
|
|
<A NAME="2.1">
|
|
2.1. Augmented BNF
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
All of the mechanisms specified in this document are described in
|
|
both prose and an augmented Backus-Naur Form (BNF) similar to that
|
|
used by RFC 822 [<A HREF="#[6]">6</A>]. This augmented BNF contains
|
|
the following constructs:
|
|
</P>
|
|
<DL>
|
|
<DT>name = definition
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The
|
|
definition by the equal character ("="). Whitespace is only
|
|
significant in that continuation lines of a definition are
|
|
indented.
|
|
</P>
|
|
</DD>
|
|
<DT>"literal"
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
Quotation marks (") surround literal text, except for a literal
|
|
quotation mark, which is surrounded by angle-brackets ("<" and ">").
|
|
Unless stated otherwise, the text is case-sensitive.
|
|
</P>
|
|
</DD>
|
|
<DT>rule1 | rule2
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
Alternative rules are separated by a vertical bar ("|").
|
|
</P>
|
|
</DD>
|
|
<DT>(rule1 rule2 rule3)
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
Elements enclosed in parentheses are treated as a single element.
|
|
</P>
|
|
</DD>
|
|
<DT>*rule
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
A rule preceded by an asterisk ("*") may have zero or more
|
|
occurrences. A rule preceded by an integer followed by an asterisk
|
|
must occur at least the specified number of times.
|
|
</P>
|
|
</DD>
|
|
<DT>[rule]
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
An element enclosed in square
|
|
brackets ("[" and "]") is optional.
|
|
</P>
|
|
</DD>
|
|
</DL>
|
|
|
|
<H3>
|
|
<A NAME="2.2">
|
|
2.2. Basic Rules
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
The following rules are used throughout this specification to
|
|
describe basic parsing constructs.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
alpha = lowalpha | hialpha
|
|
alphanum = alpha | digit
|
|
lowalpha = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h"
|
|
| "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p"
|
|
| "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x"
|
|
| "y" | "z"
|
|
hialpha = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H"
|
|
| "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P"
|
|
| "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X"
|
|
| "Y" | "Z"
|
|
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7"
|
|
| "8" | "9"
|
|
hex = digit | "A" | "B" | "C" | "D" | "E" | "F" | "a"
|
|
| "b" | "c" | "d" | "e" | "f"
|
|
escaped = "%" hex hex
|
|
OCTET = <any 8-bit sequence of data>
|
|
CHAR = <any US-ASCII character (octets 0 - 127)>
|
|
CTL = <any US-ASCII control character
|
|
(octets 0 - 31) and DEL (127)>
|
|
CR = <US-ASCII CR, carriage return (13)>
|
|
LF = <US-ASCII LF, linefeed (10)>
|
|
SP = <US-ASCII SP, space (32)>
|
|
HT = <US-ASCII HT, horizontal tab (9)>
|
|
NL = CR | LF
|
|
LWSP = SP | HT | NL
|
|
tspecial = "(" | ")" | "@" | "," | ";" | ":" | "\" | <">
|
|
| "/" | "[" | "]" | "?" | "<" | ">" | "{" | "}"
|
|
| SP | HT | NL
|
|
token = 1*<any CHAR except CTLs or tspecials>
|
|
quoted-string = ( <"> *qdtext <"> ) | ( "<" *qatext ">")
|
|
qdtext = <any CHAR except <"> and CTLs but including LWSP>
|
|
qatext = <any CHAR except "<", ">" and CTLs but
|
|
including LWSP>
|
|
mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
|
|
unreserved = alphanum | mark
|
|
reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" |
|
|
"$" | ","
|
|
uric = reserved | unreserved | escaped
|
|
</PRE>
|
|
<P>
|
|
Note that newline (NL) need not be a single character, but can be a
|
|
character sequence.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="3.0">
|
|
3. Protocol Parameters
|
|
</A>
|
|
</H2>
|
|
|
|
<H3>
|
|
<A NAME="3.1">
|
|
3.1. URL Encoding
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Some variables and constructs used here are described as being
|
|
'URL-encoded'. This encoding is described in section
|
|
2 of RFC
|
|
2396
|
|
[<A HREF="#[4]">4</A>].
|
|
</P>
|
|
<P>
|
|
An alternate "shortcut" encoding for representing the space
|
|
character exists and is in common use. Scripts MUST be prepared to
|
|
recognise both '+' and '%20' as an encoded space in a
|
|
URL-encoded value.
|
|
</P>
|
|
<P>
|
|
Note that some unsafe characters may have different semantics if
|
|
they are encoded. The definition of which characters are unsafe
|
|
depends on the context.
|
|
For example, the following two URLs do not
|
|
necessarily refer to the same resource:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
http://somehost.com/somedir%2Fvalue
|
|
http://somehost.com/somedir/value
|
|
</PRE>
|
|
<P>
|
|
See section
|
|
2 of RFC
|
|
2396 [<A HREF="#[4]">4</A>]
|
|
for authoritative treatment of this issue.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="3.2">
|
|
3.2. The Script-URI
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
The 'Script-URI' is defined as the URI of the resource identified
|
|
by the metavariables. Often,
|
|
this URI will be the same as
|
|
the URI requested by the client (the 'Client-URI'); however, it need
|
|
not be. Instead, it could be a URI invented by the server, and so it
|
|
can only be used in the context of the server and its CGI interface.
|
|
</P>
|
|
<P>
|
|
The Script-URI has the syntax of generic-RL as defined in section 2.1
|
|
of RFC 1808 [<A HREF="#[7]">7</A>], with the exception that object
|
|
parameters and
|
|
fragment identifiers are not permitted:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
<scheme>://<host><port>/<path>?<query>
|
|
</PRE>
|
|
<P>
|
|
The various components of the
|
|
Script-URI
|
|
are defined by some of the
|
|
metavariables (see
|
|
<A HREF="#4.0">section 4</A>
|
|
below);
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
script-uri = protocol "://" SERVER_NAME ":" SERVER_PORT enc-script
|
|
enc-path-info "?" QUERY_STRING
|
|
</PRE>
|
|
<P>
|
|
where 'protocol' is obtained
|
|
from SERVER_PROTOCOL, 'enc-script' is a
|
|
URL-encoded version of SCRIPT_NAME and 'enc-path-info' is a
|
|
URL-encoded version of PATH_INFO. See
|
|
<A HREF="#4.6">section 4.6</A> for more information about the PATH_INFO
|
|
metavariable.
|
|
</P>
|
|
<P>
|
|
Note that the scheme and the protocol are <EM>not</EM> identical;
|
|
for instance, a resource accessed <EM>via</EM> an SSL mechanism
|
|
may have a Client-URI with a scheme of "<SAMP>https</SAMP>"
|
|
rather than "<SAMP>http</SAMP>". CGI/1.1 provides no means
|
|
for the script to reconstruct this, and therefore
|
|
the Script-URI includes the base protocol used.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="4.0">
|
|
4. Invoking the Script
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
The
|
|
script is invoked in a system defined manner. Unless specified
|
|
otherwise, the file containing the script will be invoked as an
|
|
executable program.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="5.0">
|
|
5. The CGI Script Command Line
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
Some systems support a method for supplying an array of strings to
|
|
the CGI script. This is only used in the case of an 'indexed' query.
|
|
This is identified by a "GET" or "HEAD" HTTP request with a URL
|
|
query
|
|
string not containing any unencoded "=" characters. For such a
|
|
request,
|
|
servers SHOULD parse the search string
|
|
into words, using the following rules:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
search-string = search-word *( "+" search-word )
|
|
search-word = 1*schar
|
|
schar = xunreserved | escaped | xreserved
|
|
xunreserved = alpha | digit | xsafe | extra
|
|
xsafe = "$" | "-" | "_" | "."
|
|
xreserved = ";" | "/" | "?" | ":" | "@" | "&"
|
|
</PRE>
|
|
<P>
|
|
After parsing, each word is URL-decoded, optionally encoded in a
|
|
system defined manner,
|
|
and then the argument list is set to the list
|
|
of words.
|
|
</P>
|
|
<P>
|
|
If the server cannot create any part of the argument list, then the
|
|
server SHOULD NOT generate any command line information. For example, the
|
|
number of arguments may be greater than operating system or server
|
|
limitations permit, or one of the words may not be representable as an
|
|
argument.
|
|
</P>
|
|
<P>
|
|
Scripts SHOULD check to see if the QUERY_STRING value contains an
|
|
unencoded "=" character, and SHOULD NOT use the command line arguments
|
|
if it does.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="6.0">
|
|
6. Data Input to the CGI Script
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
Information about a request comes from two different sources: the
|
|
request header, and any associated
|
|
message-body.
|
|
Servers MUST
|
|
make portions of this information available to
|
|
scripts.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="6.1">
|
|
6.1. Request Metadata
|
|
(Metavariables)
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Each CGI server
|
|
implementation MUST define a mechanism
|
|
to pass data about the request from
|
|
the server to the script.
|
|
The metavariables containing these
|
|
data
|
|
are accessed by the script in a system
|
|
defined manner.
|
|
The
|
|
representation of the characters in the
|
|
metavariables is
|
|
system defined.
|
|
</P>
|
|
<P>
|
|
This specification does not distinguish between the representation of
|
|
null values and missing ones. Whether null or missing values
|
|
(such as a query component of "?" or "", respectively) are represented
|
|
by undefined metavariables or by metavariables with values of "" is
|
|
implementation-defined.
|
|
</P>
|
|
<P>
|
|
Case is not significant in the
|
|
metavariable
|
|
names, in that there cannot be two
|
|
different variables
|
|
whose names differ in case only. Here they are
|
|
shown using a canonical representation of capitals plus underscore
|
|
("_"). The actual representation of the names is system defined; for
|
|
a particular system the representation MAY be defined differently
|
|
than this.
|
|
</P>
|
|
<P>
|
|
Metavariable
|
|
values MUST be
|
|
considered case-sensitive except as noted
|
|
otherwise.
|
|
</P>
|
|
<P>
|
|
The canonical
|
|
metavariables
|
|
defined by this specification are:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
AUTH_TYPE
|
|
CONTENT_LENGTH
|
|
CONTENT_TYPE
|
|
GATEWAY_INTERFACE
|
|
PATH_INFO
|
|
PATH_TRANSLATED
|
|
QUERY_STRING
|
|
REMOTE_ADDR
|
|
REMOTE_HOST
|
|
REMOTE_IDENT
|
|
REMOTE_USER
|
|
REQUEST_METHOD
|
|
SCRIPT_NAME
|
|
SERVER_NAME
|
|
SERVER_PORT
|
|
SERVER_PROTOCOL
|
|
SERVER_SOFTWARE
|
|
</PRE>
|
|
<P>
|
|
Metavariables with names beginning with the protocol name (<EM>e.g.</EM>,
|
|
"HTTP_ACCEPT") are also canonical in their description of request header
|
|
fields. The number and meaning of these fields may change independently
|
|
of this specification. (See also <A HREF="#6.1.5">section 6.1.5</A>.)
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.1">
|
|
6.1.1. AUTH_TYPE
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
This variable is specific to requests made
|
|
<EM>via</EM> the
|
|
"<CODE>http</CODE>"
|
|
scheme.
|
|
</P>
|
|
<P>
|
|
If the Script-URI
|
|
required access authentication for external
|
|
access, then the server
|
|
MUST set
|
|
the value of
|
|
this variable
|
|
from the '<SAMP>auth-scheme</SAMP>' token in
|
|
the request's "<SAMP>Authorization</SAMP>" header
|
|
field.
|
|
Otherwise
|
|
it is
|
|
set to NULL.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
AUTH_TYPE = "" | auth-scheme
|
|
auth-scheme = "Basic" | "Digest" | token
|
|
</PRE>
|
|
<P>
|
|
HTTP access authentication schemes are described in section 11 of the
|
|
HTTP/1.1 specification [<A HREF="#[8]">8</A>]. The auth-scheme is
|
|
not case-sensitive.
|
|
</P>
|
|
<P>
|
|
Servers
|
|
MUST
|
|
provide this metavariable
|
|
to scripts if the request
|
|
header included an "<SAMP>Authorization</SAMP>" field
|
|
that was authenticated.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.2">
|
|
6.1.2. CONTENT_LENGTH
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
This
|
|
metavariable
|
|
is set to the
|
|
size of the message-body
|
|
entity attached to the request, if any, in decimal
|
|
number of octets. If no data are attached, then this
|
|
metavariable
|
|
is either NULL or not
|
|
defined. The syntax is
|
|
the same as for
|
|
the HTTP "<SAMP>Content-Length</SAMP>" header field (section 14.14, HTTP/1.1
|
|
specification [<A HREF="#[8]">8</A>]).
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
CONTENT_LENGTH = "" | 1*digit
|
|
</PRE>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts if the request
|
|
was accompanied by a
|
|
message-body entity.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.3">
|
|
6.1.3. CONTENT_TYPE
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
If the request includes a
|
|
message-body,
|
|
CONTENT_TYPE is set
|
|
to
|
|
the Internet Media Type
|
|
[<A HREF="#[9]">9</A>] of the attached
|
|
entity if the type was provided <EM>via</EM>
|
|
a "<SAMP>Content-type</SAMP>" field in the
|
|
request header, or if the server can determine it in the absence
|
|
of a supplied "<SAMP>Content-type</SAMP>" field. The syntax is the
|
|
same as for the HTTP
|
|
"<SAMP>Content-Type</SAMP>" header field.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
CONTENT_TYPE = "" | media-type
|
|
media-type = type "/" subtype *( ";" parameter)
|
|
type = token
|
|
subtype = token
|
|
parameter = attribute "=" value
|
|
attribute = token
|
|
value = token | quoted-string
|
|
</PRE>
|
|
<P>
|
|
The type, subtype,
|
|
and parameter attribute names are not
|
|
case-sensitive. Parameter values MAY be case sensitive.
|
|
Media types and their use in HTTP are described
|
|
in section 3.7 of the
|
|
HTTP/1.1 specification [<A HREF="#[8]">8</A>].
|
|
</P>
|
|
<P>
|
|
Example:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
application/x-www-form-urlencoded
|
|
</PRE>
|
|
<P>
|
|
There is no default value for this variable. If and only if it is
|
|
unset, then the script MAY attempt to determine the media type from
|
|
the data received. If the type remains unknown, then
|
|
the script MAY choose to either assume a
|
|
content-type of
|
|
<SAMP>application/octet-stream</SAMP>
|
|
or reject the request with a 415 ("Unsupported Media Type")
|
|
error. See <A HREF="#7.2.1.3">section 7.2.1.3</A>
|
|
for more information about returning error status values.
|
|
</P>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts if
|
|
a "<SAMP>Content-Type</SAMP>" field was present
|
|
in the original request header. If the server receives a request
|
|
with an attached entity but no "<SAMP>Content-Type</SAMP>"
|
|
header field, it MAY attempt to
|
|
determine the correct datatype, or it MAY omit this
|
|
metavariable when
|
|
communicating the request information to the script.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.4">
|
|
6.1.4. GATEWAY_INTERFACE
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
This
|
|
metavariable
|
|
is set to
|
|
the dialect of CGI being used
|
|
by the server to communicate with the script.
|
|
Syntax:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
GATEWAY_INTERFACE = "CGI" "/" major "." minor
|
|
major = 1*digit
|
|
minor = 1*digit
|
|
</PRE>
|
|
<P>
|
|
Note that the major and minor numbers are treated as separate
|
|
integers and hence each may be
|
|
more than a single
|
|
digit. Thus CGI/2.4 is a lower version than CGI/2.13 which in turn
|
|
is lower than CGI/12.3. Leading zeros in either
|
|
the major or the minor number MUST be ignored by scripts and
|
|
SHOULD NOT be generated by servers.
|
|
</P>
|
|
<P>
|
|
This document defines the 1.1 version of the CGI interface
|
|
("CGI/1.1").
|
|
</P>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.5">
|
|
6.1.5. Protocol-Specific Metavariables
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
These metavariables are specific to
|
|
the protocol
|
|
<EM>via</EM> which the request is made.
|
|
Interpretation of these variables depends on the value of
|
|
the
|
|
SERVER_PROTOCOL
|
|
metavariable
|
|
(see
|
|
<A HREF="#6.1.17">section 6.1.17</A>).
|
|
</P>
|
|
<P>
|
|
Metavariables
|
|
with names beginning with "HTTP_" contain
|
|
values from the request header, if the
|
|
scheme used was HTTP.
|
|
Each
|
|
HTTP header field name is converted to upper case, has all occurrences of
|
|
"-" replaced with "_",
|
|
and has "HTTP_" prepended to form
|
|
the metavariable name.
|
|
Similar transformations are applied for other
|
|
protocols.
|
|
The header data MAY be presented as sent
|
|
by the client, or MAY be rewritten in ways which do not change its
|
|
semantics. If multiple header fields with the same field-name are received
|
|
then the server
|
|
MUST rewrite them as though they
|
|
had been received as a single header field having the same
|
|
semantics before being represented in a
|
|
metavariable.
|
|
Similarly, a header field that is received on more than one line
|
|
MUST be merged into a single line. The server MUST, if necessary,
|
|
change the representation of the data (for example, the character
|
|
set) to be appropriate for a CGI
|
|
metavariable.
|
|
<!-- ###NOTE: See if 2068 describes this thoroughly, and
|
|
point there if so. -->
|
|
</P>
|
|
<P>
|
|
Servers are
|
|
not required to create
|
|
metavariables for all
|
|
the request
|
|
header fields that they
|
|
receive. In particular,
|
|
they MAY
|
|
decline to make available any
|
|
header fields carrying authentication information, such as
|
|
"<SAMP>Authorization</SAMP>", or
|
|
which are available to the script
|
|
<EM>via</EM> other metavariables,
|
|
such as "<SAMP>Content-Length</SAMP>" and "<SAMP>Content-Type</SAMP>".
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.6">
|
|
6.1.6. PATH_INFO
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The PATH_INFO
|
|
metavariable
|
|
specifies
|
|
a path to be interpreted by the CGI script. It identifies the
|
|
resource or sub-resource to be returned
|
|
by the CGI
|
|
script, and it is derived from the portion
|
|
of the URI path following the script name but preceding
|
|
any query data.
|
|
The syntax
|
|
and semantics are similar to a decoded HTTP URL
|
|
'path' token
|
|
(defined in
|
|
RFC 2396
|
|
[<A HREF="#[4]">4</A>]), with the exception
|
|
that a PATH_INFO of "/"
|
|
represents a single void path segment.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
PATH_INFO = "" | ( "/" path )
|
|
path = segment *( "/" segment )
|
|
segment = *pchar
|
|
pchar = <any CHAR except "/">
|
|
</PRE>
|
|
<P>
|
|
The PATH_INFO string is the trailing part of the <path> component of
|
|
the Script-URI
|
|
(see <A HREF="#3.2">section 3.2</A>)
|
|
that follows the SCRIPT_NAME
|
|
portion of the path.
|
|
</P>
|
|
<P>
|
|
Servers MAY impose their own restrictions and
|
|
limitations on what values they will accept for PATH_INFO, and MAY
|
|
reject or edit any values they
|
|
consider objectionable before passing
|
|
them to the script.
|
|
</P>
|
|
<P>
|
|
Servers MUST make this URI component available
|
|
to CGI scripts. The PATH_INFO
|
|
value is case-sensitive, and the
|
|
server MUST preserve the case of the PATH_INFO element of the URI
|
|
when making it available to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.7">
|
|
6.1.7. PATH_TRANSLATED
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
PATH_TRANSLATED is derived by taking any path-info component of the
|
|
request URI (see
|
|
<A HREF="#6.1.6">section 6.1.6</A>), decoding it
|
|
(see <A HREF="#3.1">section 3.1</A>), parsing it as a URI in its own
|
|
right, and performing any virtual-to-physical
|
|
translation appropriate to map it onto the
|
|
server's document repository structure.
|
|
If the request URI includes no path-info
|
|
component, the PATH_TRANSLATED metavariable SHOULD NOT be defined.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
PATH_TRANSLATED = *CHAR
|
|
</PRE>
|
|
<P>
|
|
For a request such as the following:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
http://somehost.com/cgi-bin/somescript/this%2eis%2epath%2einfo
|
|
</PRE>
|
|
<P>
|
|
the PATH_INFO component would be decoded, and the result
|
|
parsed as though it were a request for the following:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
http://somehost.com/this.is.the.path.info
|
|
</PRE>
|
|
<P>
|
|
This would then be translated to a
|
|
location in the server's document repository,
|
|
perhaps a filesystem path something
|
|
like this:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
/usr/local/www/htdocs/this.is.the.path.info
|
|
</PRE>
|
|
<P>
|
|
The result of the translation is the value of PATH_TRANSLATED.
|
|
</P>
|
|
<P>
|
|
The value of PATH_TRANSLATED may or may not map to a valid
|
|
repository
|
|
location.
|
|
Servers MUST preserve the case of the path-info
|
|
segment if and only if the underlying
|
|
repository
|
|
supports case-sensitive
|
|
names. If the
|
|
repository
|
|
is only case-aware, case-preserving, or case-blind
|
|
with regard to
|
|
document names,
|
|
servers are not required to preserve the
|
|
case of the original segment through the translation.
|
|
</P>
|
|
<P>
|
|
The
|
|
translation
|
|
algorithm the server uses to derive PATH_TRANSLATED is
|
|
implementation defined; CGI scripts which use this variable may
|
|
suffer limited portability.
|
|
</P>
|
|
<P>
|
|
Servers SHOULD provide this metavariable
|
|
to scripts if and only if the request URI includes a
|
|
path-info component.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.8">
|
|
6.1.8. QUERY_STRING
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
A URL-encoded
|
|
string; the <query> part of the
|
|
Script-URI.
|
|
(See
|
|
<A HREF="#3.2">section 3.2</A>.)
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
QUERY_STRING = query-string
|
|
query-string = *uric
|
|
</PRE>
|
|
<P>
|
|
The URL syntax for a query
|
|
string is described in
|
|
section 3 of
|
|
RFC 2396
|
|
[<A HREF="#[4]">4</A>].
|
|
</P>
|
|
<P>
|
|
Servers MUST supply this value to scripts.
|
|
The QUERY_STRING value is case-sensitive.
|
|
If the Script-URI does not include a query component,
|
|
the QUERY_STRING metavariable MUST be defined as an empty string ("").
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.9">
|
|
6.1.9. REMOTE_ADDR
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The IP address of the client
|
|
sending the request to the server. This
|
|
is not necessarily that of the user
|
|
agent
|
|
(such as if the request came through a proxy).
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
REMOTE_ADDR = hostnumber
|
|
hostnumber = ipv4-address | ipv6-address
|
|
</PRE>
|
|
<P>
|
|
The definitions of <SAMP>ipv4-address</SAMP> and <SAMP>ipv6-address</SAMP>
|
|
are provided in Appendix B of RFC 2373 [<A HREF="#[13]">13</A>].
|
|
</P>
|
|
<P>
|
|
Servers MUST supply this value to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.10">
|
|
6.1.10. REMOTE_HOST
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The fully qualified domain name of the
|
|
client sending the request to
|
|
the server, if available, otherwise NULL.
|
|
(See <A HREF="#6.1.9">section 6.1.9</A>.)
|
|
Fully qualified domain names take the form as described in
|
|
section 3.5 of RFC 1034 [<A HREF="#[10]">10</A>] and section 2.1 of
|
|
RFC 1123 [<A HREF="#[5]">5</A>]. Domain names are not case sensitive.
|
|
</P>
|
|
<P>
|
|
Servers SHOULD provide this information to
|
|
scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.11">
|
|
6.1.11. REMOTE_IDENT
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The identity information reported about the connection by a
|
|
RFC 1413 [<A HREF="#[11]">11</A>] request to the remote agent, if
|
|
available. Servers
|
|
MAY choose not
|
|
to support this feature, or not to request the data
|
|
for efficiency reasons.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
REMOTE_IDENT = *CHAR
|
|
</PRE>
|
|
<P>
|
|
The data returned
|
|
may be used for authentication purposes, but the level
|
|
of trust reposed in them should be minimal.
|
|
</P>
|
|
<P>
|
|
Servers MAY supply this information to scripts if the
|
|
RFC1413 [<A HREF="#[11]">11</A>] lookup is performed.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.12">
|
|
6.1.12. REMOTE_USER
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
If the request required authentication using the "Basic"
|
|
mechanism (<EM>i.e.</EM>, the AUTH_TYPE
|
|
metavariable is set
|
|
to "Basic"), then the value of the REMOTE_USER
|
|
metavariable is set to the
|
|
user-ID supplied. In all other cases
|
|
the value of this metavariable
|
|
is undefined.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
REMOTE_USER = *OCTET
|
|
</PRE>
|
|
<P>
|
|
This variable is specific to requests made <EM>via</EM> the
|
|
HTTP protocol.
|
|
</P>
|
|
<P>
|
|
Servers SHOULD provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.13">
|
|
6.1.13. REQUEST_METHOD
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The REQUEST_METHOD
|
|
metavariable
|
|
is set to the
|
|
method with which the request was made, as described in section
|
|
5.1.1 of the HTTP/1.0 specification [<A HREF="#[3]">3</A>] and
|
|
section 5.1.1 of the
|
|
HTTP/1.1 specification [<A HREF="#[8]">8</A>].
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
REQUEST_METHOD = http-method
|
|
http-method = "GET" | "HEAD" | "POST" | "PUT" | "DELETE"
|
|
| "OPTIONS" | "TRACE" | extension-method
|
|
extension-method = token
|
|
</PRE>
|
|
<P>
|
|
The method is case sensitive.
|
|
CGI/1.1 servers MAY choose to process some methods
|
|
directly rather than passing them to scripts.
|
|
</P>
|
|
<P>
|
|
This variable is specific to requests made with HTTP.
|
|
</P>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.14">
|
|
6.1.14. SCRIPT_NAME
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The SCRIPT_NAME
|
|
metavariable
|
|
is
|
|
set to a URL path that could identify the CGI script (rather than the
|
|
script's
|
|
output). The syntax and semantics are identical to a
|
|
decoded HTTP URL 'path' token
|
|
(see RFC 2396
|
|
[<A HREF="#[4]">4</A>]).
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
SCRIPT_NAME = "" | ( "/" [ path ] )
|
|
</PRE>
|
|
<P>
|
|
The SCRIPT_NAME string is some leading part of the <path> component
|
|
of the Script-URI derived in some
|
|
implementation defined manner.
|
|
No PATH_INFO or QUERY_STRING segments
|
|
(see sections <A HREF="#6.1.6">6.1.6</A> and
|
|
<A HREF="#6.1.8">6.1.8</A>) are included
|
|
in the SCRIPT_NAME value.
|
|
</P>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.15">
|
|
6.1.15. SERVER_NAME
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The SERVER_NAME
|
|
metavariable
|
|
is set to the
|
|
name of the
|
|
server, as
|
|
derived from the <host> part of the
|
|
Script-URI
|
|
(see <A HREF="#3.2">section 3.2</A>).
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
SERVER_NAME = hostname | hostnumber
|
|
</PRE>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.16">
|
|
6.1.16. SERVER_PORT
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The SERVER_PORT
|
|
metavariable
|
|
is set to the
|
|
port on which the
|
|
request was received, as used in the <port>
|
|
part of the Script-URI.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
SERVER_PORT = 1*digit
|
|
</PRE>
|
|
<P>
|
|
If the <port> portion of the script-URI is blank, the actual
|
|
port number upon which the request was received MUST be supplied.
|
|
</P>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.17">
|
|
6.1.17. SERVER_PROTOCOL
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The SERVER_PROTOCOL
|
|
metavariable
|
|
is set to
|
|
the
|
|
name and revision of the information protocol with which
|
|
the
|
|
request
|
|
arrived. This is not necessarily the same as the protocol version used by
|
|
the server in its response to the client.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
SERVER_PROTOCOL = HTTP-Version | extension-version
|
|
| extension-token
|
|
HTTP-Version = "HTTP" "/" 1*digit "." 1*digit
|
|
extension-version = protocol "/" 1*digit "." 1*digit
|
|
protocol = 1*( alpha | digit | "+" | "-" | "." )
|
|
extension-token = token
|
|
</PRE>
|
|
<P>
|
|
'protocol' is a version of the <scheme> part of the
|
|
Script-URI, but is
|
|
not identical to it. For example, the scheme of a request may be
|
|
"<SAMP>https</SAMP>" while the protocol remains "<SAMP>http</SAMP>".
|
|
The protocol is not case sensitive, but
|
|
by convention, 'protocol' is in
|
|
upper case.
|
|
</P>
|
|
<P>
|
|
A well-known extension token value is "INCLUDED",
|
|
which signals that the current document is being included as part of
|
|
a composite document, rather than being the direct target of the
|
|
client request.
|
|
</P>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="6.1.18">
|
|
6.1.18. SERVER_SOFTWARE
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The SERVER_SOFTWARE
|
|
metavariable
|
|
is set to the
|
|
name and version of the information server software answering the
|
|
request (and running the gateway).
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
SERVER_SOFTWARE = 1*product
|
|
product = token [ "/" product-version ]
|
|
product-version = token
|
|
</PRE>
|
|
<P>
|
|
Servers MUST provide this metavariable
|
|
to scripts.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="6.2">
|
|
6.2. Request Message-Bodies
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
As there may be a data entity attached to the request, there MUST be
|
|
a system defined method for the script to read
|
|
these data. Unless
|
|
defined otherwise, this will be <EM>via</EM> the 'standard input' file
|
|
descriptor.
|
|
</P>
|
|
<P>
|
|
If the CONTENT_LENGTH value (see <A HREF="#6.1.2">section 6.1.2</A>)
|
|
is non-NULL, the server MUST supply at least that many bytes to
|
|
scripts on the standard input stream.
|
|
Scripts are
|
|
not obliged to read the data.
|
|
Servers MAY signal an EOF condition after CONTENT_LENGTH bytes have been
|
|
read, but are
|
|
not obligated to do so. Therefore, scripts
|
|
MUST NOT
|
|
attempt to read more than CONTENT_LENGTH bytes, even if more data
|
|
are available.
|
|
</P>
|
|
<P>
|
|
For non-parsed header (NPH) scripts (see
|
|
<A HREF="#7.1">section 7.1</A>
|
|
below),
|
|
servers SHOULD
|
|
attempt to ensure that the data
|
|
supplied to the script are precisely
|
|
as supplied by the client and unaltered by
|
|
the server.
|
|
</P>
|
|
<P>
|
|
<A HREF="#8.1.2">Section 8.1.2</A> describes the requirements of
|
|
servers with regard to requests that include
|
|
message-bodies.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="7.0">
|
|
7. Data Output from the CGI Script
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
There MUST be a system defined method for the script to send data
|
|
back to the server or client; a script MUST always return some data.
|
|
Unless defined otherwise, this will be <EM>via</EM> the 'standard
|
|
output' file descriptor.
|
|
</P>
|
|
<P>
|
|
There are two forms of output that scripts can supply to servers: non-parsed
|
|
header (NPH) output, and parsed header output.
|
|
Servers MUST support parsed header
|
|
output and MAY support NPH output. The method of
|
|
distinguishing between the two
|
|
types of output (or scripts) is implementation defined.
|
|
</P>
|
|
<P>
|
|
Servers MAY implement a timeout period within which data must be
|
|
received from scripts. If a server implementation defines such
|
|
a timeout and receives no data from a script within the timeout
|
|
period, the server MAY terminate the script process and SHOULD
|
|
abort the client request with
|
|
either a
|
|
'504 Gateway Timed Out' or a
|
|
'500 Internal Server Error' response.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="7.1">
|
|
7.1. Non-Parsed Header Output
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Scripts using the NPH output form
|
|
MUST return a complete HTTP response message, as described
|
|
in Section 6 of the HTTP specifications
|
|
[<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>].
|
|
NPH scripts
|
|
MUST use the SERVER_PROTOCOL variable to determine the appropriate format
|
|
for a response.
|
|
</P>
|
|
<P>
|
|
Servers
|
|
SHOULD attempt to ensure that the script output is sent
|
|
directly to the client, with minimal
|
|
internal and no transport-visible
|
|
buffering.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="7.2">
|
|
7.2. Parsed Header Output
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Scripts using the parsed header output form MUST supply
|
|
a CGI response message to the server
|
|
as follows:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
CGI-Response = *optional-field CGI-Field *optional-field NL [ Message-Body ]
|
|
optional-field = ( CGI-Field | HTTP-Field )
|
|
CGI-Field = Content-type
|
|
| Location
|
|
| Status
|
|
| extension-header
|
|
</PRE>
|
|
<P><!-- ##### If HTTP defines x-headers, remove ours except x-cgi- -->
|
|
The response comprises a header and a body, separated by a blank line.
|
|
The body may be NULL.
|
|
The header fields are either CGI header fields to be interpreted by
|
|
the server, or HTTP header fields
|
|
to be included in the response returned
|
|
to the client
|
|
if the request method is HTTP. At least one
|
|
CGI-Field MUST be
|
|
supplied, but no CGI field name may be used more than once
|
|
in a response.
|
|
If a body is supplied, then a "<SAMP>Content-type</SAMP>"
|
|
header field MUST be
|
|
supplied by the script,
|
|
otherwise the script MUST send a "<SAMP>Location</SAMP>"
|
|
or "<SAMP>Status</SAMP>" header field. If a
|
|
<SAMP>Location</SAMP> CGI-Field
|
|
is returned, then the script MUST NOT supply
|
|
any HTTP-Fields.
|
|
</P>
|
|
<P>
|
|
Each header field in a CGI-Response MUST be specified on a single line;
|
|
CGI/1.1 does not support continuation lines.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="7.2.1">
|
|
7.2.1. CGI header fields
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The CGI header fields have the generic syntax:
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
generic-field = field-name ":" [ field-value ] NL
|
|
field-name = token
|
|
field-value = *( field-content | LWSP )
|
|
field-content = *( token | tspecial | quoted-string )
|
|
</PRE>
|
|
<P>
|
|
The field-name is not case sensitive; a NULL field value is
|
|
equivalent to the header field not being sent.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="7.2.1.1">
|
|
7.2.1.1. Content-Type
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The Internet Media Type [<A HREF="#[9]">9</A>] of the entity
|
|
body, which is to be sent unmodified to the client.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
Content-Type = "Content-Type" ":" media-type NL
|
|
</PRE>
|
|
<P>
|
|
This is actually an HTTP-Field
|
|
rather than a CGI-Field, but
|
|
it is listed here because of its importance in the CGI dialogue as
|
|
a member of the "one of these is required" set of header
|
|
fields.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="7.2.1.2">
|
|
7.2.1.2. Location
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
This is used to specify to the server that the script is returning a
|
|
reference to a document rather than an actual document.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
Location = "Location" ":"
|
|
( fragment-URI | rel-URL-abs-path ) NL
|
|
fragment-URI = URI [ # fragmentid ]
|
|
URI = scheme ":" *qchar
|
|
fragmentid = *qchar
|
|
rel-URL-abs-path = "/" [ hpath ] [ "?" query-string ]
|
|
hpath = fpsegment *( "/" psegment )
|
|
fpsegment = 1*hchar
|
|
psegment = *hchar
|
|
hchar = alpha | digit | safe | extra
|
|
| ":" | "@" | "& | "="
|
|
</PRE>
|
|
<P>
|
|
The Location
|
|
value is either an absolute URI with optional fragment,
|
|
as defined in RFC 1630 [<A HREF="#[1]">1</A>], or an absolute path
|
|
within the server's URI space (<EM>i.e.</EM>,
|
|
omitting the scheme and network-related fields) and optional
|
|
query-string. If an absolute URI is returned by the script,
|
|
then the
|
|
server MUST generate a
|
|
'302 redirect' HTTP response
|
|
message unless the script has supplied an
|
|
explicit Status response header field.
|
|
Scripts returning an absolute URI MAY choose to
|
|
provide a message-body. Servers MUST make any appropriate modifications
|
|
to the script's output to ensure the response to the user-agent complies
|
|
with the response protocol version.
|
|
If the Location value is a path, then the server
|
|
MUST generate
|
|
the response that it would have produced in response to a request
|
|
containing the URL
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
scheme "://" SERVER_NAME ":" SERVER_PORT rel-URL-abs-path
|
|
</PRE>
|
|
<P>
|
|
Note: If the request was accompanied by a
|
|
message-body
|
|
(such as for a POST request), and the script
|
|
redirects the request with a Location field, the
|
|
message-body
|
|
may not be
|
|
available to the resource that is the target of the redirect.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="7.2.1.3">
|
|
7.2.1.3. Status
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The "<SAMP>Status</SAMP>" header field is used to indicate to the server what
|
|
status code the server MUST use in the response message.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
Status = "Status" ":" digit digit digit SP reason-phrase NL
|
|
reason-phrase = *<CHAR, excluding CTLs, NL>
|
|
</PRE>
|
|
<P>
|
|
The valid status codes are listed in section 6.1.1 of the HTTP/1.0
|
|
specifications [<A HREF="#[3]">3</A>]. If the SERVER_PROTOCOL is
|
|
"HTTP/1.1", then the status codes defined in the HTTP/1.1
|
|
specification [<A HREF="#[8]">8</A>] may
|
|
be used. If the script does not return a "<SAMP>Status</SAMP>" header
|
|
field, then "200 OK" SHOULD be assumed by the server.
|
|
</P>
|
|
<P>
|
|
If a script is being used to handle a particular error or condition
|
|
encountered by the server, such as a '404 Not Found' error, the script
|
|
SHOULD use the "<SAMP>Status</SAMP>" CGI header field to propagate the error
|
|
condition back to the client. <EM>E.g.</EM>, in the example mentioned it
|
|
SHOULD include a "Status: 404 Not Found" in the
|
|
header data returned to the server.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="7.2.1.4">
|
|
7.2.1.4. Extension header fields
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
Scripts MAY include in their CGI response header additional fields
|
|
not defined in this or the HTTP specification.
|
|
These are called "extension" fields,
|
|
and have the syntax of a <SAMP>generic-field</SAMP> as defined in
|
|
<A HREF="#7.2.1">section 7.2.1</A>. The name of an extension field
|
|
MUST NOT conflict with a field name defined in this or any other
|
|
specification; extension field names SHOULD begin with "X-CGI-"
|
|
to ensure uniqueness.
|
|
</P>
|
|
|
|
<H4>
|
|
<A NAME="7.2.2">
|
|
7.2.2. HTTP header fields
|
|
</A>
|
|
</H4>
|
|
<P>
|
|
The script MAY return any other header fields defined by the
|
|
specification
|
|
for the SERVER_PROTOCOL (HTTP/1.0 [<A HREF="#[3]">3</A>] or HTTP/1.1
|
|
[<A HREF="#[8]">8</A>]).
|
|
Servers MUST resolve conflicts beteen CGI header
|
|
and HTTP header formats or names (see <A HREF="#8.0">section 8</A>).
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="8.0">
|
|
8. Server Implementation
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
This section defines the requirements that must be met by HTTP
|
|
servers in order to provide a coherent and correct CGI/1.1
|
|
environment in which scripts may function. It is intended
|
|
primarily for server implementors, but it is useful for
|
|
script authors to be familiar with the information as well.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="8.1">
|
|
8.1. Requirements for Servers
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
In order to be considered CGI/1.1-compliant, a server must meet
|
|
certain basic criteria and provide certain minimal functionality.
|
|
The details of these requirements are described in the following sections.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="8.1.1">
|
|
8.1.1. Script-URI
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Servers MUST support the standard mechanism (described below) which
|
|
allows
|
|
script authors to determine
|
|
what URL to use in documents
|
|
which reference the script;
|
|
specifically, what URL to use in order to
|
|
achieve particular settings of the
|
|
metavariables. This
|
|
mechanism is as follows:
|
|
</P>
|
|
<P>
|
|
The server
|
|
MUST translate the header data from the CGI header field syntax to
|
|
the HTTP
|
|
header field syntax if these differ. For example, the character
|
|
sequence for
|
|
newline (such as Unix's ASCII NL) used by CGI scripts may not be the
|
|
same as that used by HTTP (ASCII CR followed by LF). The server MUST
|
|
also resolve any conflicts between header fields returned by the script
|
|
and header fields that it would otherwise send itself.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="8.1.2">
|
|
8.1.2. Request Message-body Handling
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
These are the requirements for server handling of message-bodies directed
|
|
to CGI/1.1 resources:
|
|
</P>
|
|
<OL>
|
|
<LI>The message-body the server provides to the CGI script MUST
|
|
have any transfer encodings removed.
|
|
</LI>
|
|
<LI>The server MUST derive and provide a value for the CONTENT_LENGTH
|
|
metavariable that reflects the length of the message-body after any
|
|
transfer decoding.
|
|
</LI>
|
|
<LI>The server MUST leave intact any content-encodings of the message-body.
|
|
</LI>
|
|
</OL>
|
|
|
|
<H3>
|
|
<A NAME="8.1.3">
|
|
8.1.3. Required Metavariables
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Servers MUST provide scripts with certain information and
|
|
metavariables
|
|
as described in <A HREF="#8.3">section 8.3</A>.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="8.1.4">
|
|
8.1.4. Response Compliance
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Servers MUST ensure that responses sent to the user-agent meet all
|
|
requirements of the protocol level in effect. This may involve
|
|
modifying, deleting, or augmenting any header
|
|
fields and/or message-body supplied by the script.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="8.2">
|
|
8.2. Recommendations for Servers
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Servers SHOULD provide the "<SAMP>query</SAMP>" component of the script-URI
|
|
as command-line arguments to scripts if it does not
|
|
contain any unencoded '=' characters and the command-line arguments can
|
|
be generated in an unambiguous manner.
|
|
(See <A HREF="#5.0">section 5</A>.)
|
|
</P>
|
|
<P>
|
|
Servers SHOULD set the AUTH_TYPE
|
|
metavariable to the value of the
|
|
'<SAMP>auth-scheme</SAMP>' token of the "<SAMP>Authorization</SAMP>"
|
|
field if it was supplied as part of the request header.
|
|
(See <A HREF="#6.1.1">section 6.1.1</A>.)
|
|
</P>
|
|
<P>
|
|
Where applicable, servers SHOULD set the current working directory
|
|
to the directory in which the script is located before invoking
|
|
it.
|
|
</P>
|
|
<P>
|
|
Servers MAY reject with error '404 Not Found'
|
|
any requests that would result in
|
|
an encoded "/" being decoded into PATH_INFO or SCRIPT_NAME, as this
|
|
might represent a loss of information to the script.
|
|
</P>
|
|
<P>
|
|
Although the server and the CGI script need not be consistent in
|
|
their handling of URL paths (client URLs and the PATH_INFO data,
|
|
respectively), server authors may wish to impose consistency.
|
|
So the server implementation SHOULD define its behaviour for the
|
|
following cases:
|
|
</P>
|
|
<OL>
|
|
<LI>define any restrictions on allowed characters, in particular
|
|
whether ASCII NUL is permitted;
|
|
</LI>
|
|
<LI>define any restrictions on allowed path segments, in particular
|
|
whether non-terminal NULL segments are permitted;
|
|
</LI>
|
|
<LI>define the behaviour for <SAMP>"."</SAMP> or <SAMP>".."</SAMP> path
|
|
segments; <EM>i.e.</EM>, whether they are prohibited, treated as
|
|
ordinary path
|
|
segments or interpreted in accordance with the relative URL
|
|
specification [<A HREF="#[7]">7</A>];
|
|
</LI>
|
|
<LI>define any limits of the implementation, including limits on path or
|
|
search string lengths, and limits on the volume of header data the server
|
|
will parse.
|
|
</LI><!-- ##### Move the field resolution/translation para below here -->
|
|
</OL>
|
|
<P>
|
|
Servers MAY generate the
|
|
Script-URI in
|
|
any way from the client URI,
|
|
or from any other data (but the behaviour SHOULD be documented).
|
|
</P>
|
|
<P>
|
|
For non-parsed header (NPH) scripts (see
|
|
<A HREF="#7.1">section 7.1</A>), servers SHOULD
|
|
attempt to ensure that the script input comes directly from the
|
|
client, with minimal buffering. For all scripts the data will be
|
|
as supplied by the client.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="8.3">
|
|
8.3. Summary of
|
|
MetaVariables
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Servers MUST provide the following
|
|
metavariables to
|
|
scripts. See the individual descriptions for exceptions and semantics.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
CONTENT_LENGTH (section <A HREF="#6.1.2">6.1.2</A>)
|
|
CONTENT_TYPE (section <A HREF="#6.1.3">6.1.3</A>)
|
|
GATEWAY_INTERFACE (section <A HREF="#6.1.4">6.1.4</A>)
|
|
PATH_INFO (section <A HREF="#6.1.6">6.1.6</A>)
|
|
QUERY_STRING (section <A HREF="#6.1.8">6.1.8</A>)
|
|
REMOTE_ADDR (section <A HREF="#6.1.9">6.1.9</A>)
|
|
REQUEST_METHOD (section <A HREF="#6.1.13">6.1.13</A>)
|
|
SCRIPT_NAME (section <A HREF="#6.1.14">6.1.14</A>)
|
|
SERVER_NAME (section <A HREF="#6.1.15">6.1.15</A>)
|
|
SERVER_PORT (section <A HREF="#6.1.16">6.1.16</A>)
|
|
SERVER_PROTOCOL (section <A HREF="#6.1.17">6.1.17</A>)
|
|
SERVER_SOFTWARE (section <A HREF="#6.1.18">6.1.18</A>)
|
|
</PRE>
|
|
<P>
|
|
Servers SHOULD define the following
|
|
metavariables for scripts.
|
|
See the individual descriptions for exceptions and semantics.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
AUTH_TYPE (section <A HREF="#6.1.1">6.1.1</A>)
|
|
REMOTE_HOST (section <A HREF="#6.1.10">6.1.10</A>)
|
|
</PRE>
|
|
<P>
|
|
In addition, servers SHOULD provide
|
|
metavariables for all fields present
|
|
in the HTTP request header, with the exception of those involved with
|
|
access control. Servers MAY at their discretion provide
|
|
metavariables
|
|
for access control fields.
|
|
</P>
|
|
<P>
|
|
Servers MAY define the following
|
|
metavariables. See the individual
|
|
descriptions for exceptions and semantics.
|
|
</P><!--#if expr="! $GUI" -->
|
|
<P></P><!--#endif -->
|
|
<PRE>
|
|
PATH_TRANSLATED (section <A HREF="#6.1.7">6.1.7</A>)
|
|
REMOTE_IDENT (section <A HREF="#6.1.11">6.1.11</A>)
|
|
REMOTE_USER (section <A HREF="#6.1.12">6.1.12</A>)
|
|
</PRE>
|
|
<P>
|
|
Servers MAY
|
|
at their discretion define additional implementation-specific
|
|
extension metavariables
|
|
provided their names do not
|
|
conflict with defined header field names. Implementation-specific
|
|
metavariable names SHOULD
|
|
be prefixed with "X_" (<EM>e.g.</EM>,
|
|
"X_DBA") to avoid the potential for such conflicts.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="9.0">
|
|
9.
|
|
Script Implementation
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
This section defines the requirements and recommendations for scripts
|
|
that are intended to function in a CGI/1.1 environment. It is intended
|
|
primarily as a reference for script authors, but server implementors
|
|
should be familiar with these issues as well.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="9.1">
|
|
9.1. Requirements for Scripts
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Scripts using the parsed-header method to communicate with servers
|
|
MUST supply a response header to the server.
|
|
(See <A HREF="#7.0">section 7</A>.)
|
|
</P>
|
|
<P>
|
|
Scripts using the NPH method to communicate with servers MUST
|
|
provide complete HTTP responses, and MUST use the value of the
|
|
SERVER_PROTOCOL metavariable
|
|
to determine the appropriate format.
|
|
(See <A HREF="#7.1">section 7.1</A>.)
|
|
</P>
|
|
<P>
|
|
Scripts MUST check the value of the REQUEST_METHOD
|
|
metavariable in order
|
|
to provide an appropriate response.
|
|
(See <A HREF="#6.1.13">section 6.1.13</A>.)
|
|
</P>
|
|
<P>
|
|
Scripts MUST be prepared to handled URL-encoded values in
|
|
metavariables.
|
|
In addition, they MUST recognise both "+" and "%20" in URL-encoded
|
|
quantities as representing the space character.
|
|
(See <A HREF="#3.1">section 3.1</A>.)
|
|
</P>
|
|
<P>
|
|
Scripts MUST ignore leading zeros in the major and minor version numbers
|
|
in the GATEWAY_INTERFACE
|
|
metavariable value. (See
|
|
<A HREF="#6.1.4">section 6.1.4</A>.)
|
|
</P>
|
|
<P>
|
|
When processing requests that include a
|
|
message-body, scripts
|
|
MUST NOT read more than CONTENT_LENGTH bytes from the input stream.
|
|
(See sections <A HREF="#6.1.2">6.1.2</A> and <A HREF="#6.2">6.2</A>.)
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="9.2">
|
|
9.2. Recommendations for Scripts
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Servers may interrupt or terminate script execution at any time
|
|
and without warning, so scripts SHOULD be prepared to deal with
|
|
abnormal termination.
|
|
</P>
|
|
<P>
|
|
Scripts MUST
|
|
reject with
|
|
error '405 Method Not
|
|
Allowed' requests
|
|
made using methods that they do not support. If the script does
|
|
not intend
|
|
processing the PATH_INFO data, then it SHOULD reject the request with
|
|
'404 Not
|
|
Found' if PATH_INFO is not NULL.
|
|
</P>
|
|
<P>
|
|
If a script is processing the output of a form, it SHOULD
|
|
verify that the CONTENT_TYPE
|
|
is "<SAMP>application/x-www-form-urlencoded</SAMP>" [<A HREF="#[2]">2</A>]
|
|
or whatever other media type is expected.
|
|
</P>
|
|
<P>
|
|
Scripts parsing PATH_INFO,
|
|
PATH_TRANSLATED, or SCRIPT_NAME
|
|
SHOULD be careful
|
|
of void path segments ("<SAMP>//</SAMP>") and special path segments
|
|
(<SAMP>"."</SAMP> and
|
|
<SAMP>".."</SAMP>). They SHOULD either be removed from the path before
|
|
use in OS
|
|
system calls, or the request SHOULD be rejected with
|
|
'404 Not Found'.
|
|
</P>
|
|
<P>
|
|
As it is impossible for
|
|
scripts to determine the client URI that
|
|
initiated a
|
|
request without knowledge of the specific server in
|
|
use, the script SHOULD NOT return "<SAMP>text/html</SAMP>"
|
|
documents containing
|
|
relative URL links without including a "<SAMP><BASE></SAMP>"
|
|
tag in the document.
|
|
</P>
|
|
<P>
|
|
When returning header fields,
|
|
scripts SHOULD try to send the CGI
|
|
header fields (see section
|
|
<A HREF="#7.2">7.2</A>) as soon as possible, and
|
|
SHOULD send them
|
|
before any HTTP header fields. This may
|
|
help reduce the server's memory requirements.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="10.0">
|
|
10. System Specifications
|
|
</A>
|
|
</H2>
|
|
|
|
<H3>
|
|
<A NAME="10.1">
|
|
10.1. AmigaDOS
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
The implementation of the CGI on an AmigaDOS operating system platform
|
|
SHOULD use environment variables as the mechanism of providing
|
|
request metadata to CGI scripts.
|
|
</P>
|
|
<DL>
|
|
<DT><STRONG>Environment variables</STRONG>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
These are accessed by the DOS library routine <SAMP>GetVar</SAMP>. The
|
|
flags argument SHOULD be 0. Case is ignored, but upper case is
|
|
recommended for compatibility with case-sensitive systems.
|
|
</P>
|
|
</DD>
|
|
<DT><STRONG>The current working directory</STRONG>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The current working directory for the script is set to the directory
|
|
containing the script.
|
|
</P>
|
|
</DD>
|
|
<DT><STRONG>Character set</STRONG>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The US-ASCII character set is used for the definition of environment
|
|
variable names and header
|
|
field names; the newline (NL) sequence is LF;
|
|
servers SHOULD also accept CR LF as a newline.
|
|
</P>
|
|
</DD>
|
|
</DL>
|
|
|
|
<H3>
|
|
<A NAME="10.2">
|
|
10.2. Unix
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
The implementation of the CGI on a UNIX operating system platform
|
|
SHOULD use environment variables as the mechanism of providing
|
|
request metadata to CGI scripts.
|
|
</P>
|
|
<P>
|
|
For Unix compatible operating systems, the following are defined:
|
|
</P>
|
|
<DL>
|
|
<DT><STRONG>Environment variables</STRONG>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
These are accessed by the C library routine <SAMP>getenv</SAMP>.
|
|
</P>
|
|
</DD>
|
|
<DT><STRONG>The command line</STRONG>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
This is accessed using the
|
|
<SAMP>argc</SAMP> and <SAMP>argv</SAMP>
|
|
arguments to <SAMP>main()</SAMP>. The words have any characters
|
|
that
|
|
are 'active' in the Bourne shell escaped with a backslash.
|
|
If the value of the QUERY_STRING
|
|
metavariable
|
|
contains an unencoded equals-sign '=', then the command line
|
|
SHOULD NOT be used by the script.
|
|
</P>
|
|
</DD>
|
|
<DT><STRONG>The current working directory</STRONG>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The current working directory for the script
|
|
SHOULD be set to the directory
|
|
containing the script.
|
|
</P>
|
|
</DD>
|
|
<DT><STRONG>Character set</STRONG>
|
|
</DT>
|
|
<DD>
|
|
<P>
|
|
The US-ASCII character set is used for the definition of environment
|
|
variable names and header field names; the newline (NL) sequence is LF;
|
|
servers SHOULD also accept CR LF as a newline.
|
|
</P>
|
|
</DD>
|
|
</DL>
|
|
|
|
<H2>
|
|
<A NAME="11.0">
|
|
11. Security Considerations
|
|
</A>
|
|
</H2>
|
|
|
|
<H3>
|
|
<A NAME="11.1">
|
|
11.1. Safe Methods
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
As discussed in the security considerations of the HTTP
|
|
specifications [<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>], the
|
|
convention has been established that the
|
|
GET and HEAD methods should be 'safe'; they should cause no
|
|
side-effects and only have the significance of resource retrieval.
|
|
</P>
|
|
<P>
|
|
CGI scripts are responsible for enforcing any HTTP security considerations
|
|
[<A HREF="#[3]">3</A>,<A HREF="#[8]">8</A>]
|
|
with respect to the protocol version level of the request and
|
|
any side effects generated by the scripts on behalf of
|
|
the server. Primary
|
|
among these
|
|
are the considerations of safe and idempotent methods. Idempotent
|
|
requests are those that may be repeated an arbitrary number of times
|
|
and produce side effects identical to a single request.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="11.2">
|
|
11.2. HTTP Header
|
|
Fields Containing Sensitive Information
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
Some HTTP header fields may carry sensitive information which the server
|
|
SHOULD NOT pass on to the script unless explicitly configured to do
|
|
so. For example, if the server protects the script using the
|
|
"<SAMP>Basic</SAMP>"
|
|
authentication scheme, then the client will send an
|
|
"<SAMP>Authorization</SAMP>"
|
|
header field containing a username and password. If the server, rather
|
|
than the script, validates this information then the password SHOULD
|
|
NOT be passed on to the script <EM>via</EM> the HTTP_AUTHORIZATION
|
|
metavariable
|
|
without careful consideration.
|
|
This also applies to the
|
|
Proxy-Authorization header field and the corresponding
|
|
HTTP_PROXY_AUTHORIZATION
|
|
metavariable.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="11.3">
|
|
11.3. Script
|
|
Interference with the Server
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
The most common implementation of CGI invokes the script as a child
|
|
process using the same user and group as the server process. It
|
|
SHOULD therefore be ensured that the script cannot interfere with the
|
|
server process, its configuration, or documents.
|
|
</P>
|
|
<P>
|
|
If the script is executed by calling a function linked in to the
|
|
server software (either at compile-time or run-time) then precautions
|
|
SHOULD be taken to protect the core memory of the server, or to
|
|
ensure that untrusted code cannot be executed.
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="11.4">
|
|
11.4. Data Length and Buffering Considerations
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
This specification places no limits on the length of message-bodies
|
|
presented to the script. Scripts should not assume that statically
|
|
allocated buffers of any size are sufficient to contain the entire
|
|
submission at one time. Use of a fixed length buffer without careful
|
|
overflow checking may result in an attacker exploiting 'stack-smashing'
|
|
or 'stack-overflow' vulnerabilities of the operating system.
|
|
Scripts may spool large submissions to disk or other buffering media,
|
|
but a rapid succession of large submissions may result in denial of
|
|
service conditions. If the CONTENT_LENGTH of a message-body is larger
|
|
than resource considerations allow, scripts should respond with an
|
|
error status appropriate for the protocol version; potentially applicable
|
|
status codes include '503 Service Unavailable' (HTTP/1.0 and HTTP/1.1),
|
|
'413 Request Entity Too Large' (HTTP/1.1), and
|
|
'414 Request-URI Too Long' (HTTP/1.1).
|
|
</P>
|
|
|
|
<H3>
|
|
<A NAME="11.5">
|
|
11.5. Stateless Processing
|
|
</A>
|
|
</H3>
|
|
<P>
|
|
The stateless nature of the Web makes each script execution and resource
|
|
retrieval independent of all others even when multiple requests constitute a
|
|
single conceptual Web transaction. Because of this, a script should not
|
|
make any assumptions about the context of the user-agent submitting a
|
|
request. In particular, scripts should examine data obtained from the client
|
|
and verify that they are valid, both in form and content, before allowing
|
|
them to be used for sensitive purposes such as input to other
|
|
applications, commands, or operating system services. These uses
|
|
include, but are not
|
|
limited to: system call arguments, database writes, dynamically evaluated
|
|
source code, and input to billing or other secure processes. It is important
|
|
that applications be protected from invalid input regardless of whether
|
|
the invalidity is the result of user error, logic error, or malicious action.
|
|
</P>
|
|
<P>
|
|
Authors of scripts involved in multi-request transactions should be
|
|
particularly cautios about validating the state information;
|
|
undesirable effects may result from the substitution of dangerous
|
|
values for portions of the submission which might otherwise be
|
|
presumed safe. Subversion of this type occurs when alterations
|
|
are made to data from a prior stage of the transaction that were
|
|
not meant to be controlled by the client (<EM>e.g.</EM>, hidden
|
|
HTML form elements, cookies, embedded URLs, <EM>etc.</EM>).
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="12.0">
|
|
12. Acknowledgements
|
|
</A>
|
|
</H2>
|
|
<P>
|
|
This work is based on a draft published in 1997 by David R. Robinson,
|
|
which in turn was based on the original CGI interface that arose out of
|
|
discussions on the <EM>www-talk</EM> mailing list. In particular,
|
|
Rob McCool, John Franks, Ari Luotonen,
|
|
George Phillips and
|
|
Tony Sanders deserve special recognition for their efforts in
|
|
defining and implementing the early versions of this interface.
|
|
</P>
|
|
<P>
|
|
This document has also greatly benefited from the comments and
|
|
suggestions made by Chris Adie, Dave Kristol,
|
|
Mike Meyer, David Morris, Jeremy Madea,
|
|
Patrick M<SUP>c</SUP>Manus, Adam Donahue,
|
|
Ross Patterson, and Harald Alvestrand.
|
|
</P>
|
|
|
|
<H2>
|
|
<A NAME="13.0">
|
|
13. References
|
|
</A>
|
|
</H2>
|
|
<DL COMPACT>
|
|
<DT><A NAME="[1]">[1]</A>
|
|
</DT>
|
|
<DD>Berners-Lee, T., 'Universal Resource Identifiers in WWW: A
|
|
Unifying Syntax for the Expression of Names and Addresses of
|
|
Objects on the Network as used in the World-Wide Web', RFC 1630,
|
|
CERN, June 1994.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[2]">[2]</A>
|
|
</DT>
|
|
<DD>Berners-Lee, T. and Connolly, D., 'Hypertext Markup Language -
|
|
2.0', RFC 1866, MIT/W3C, November 1995.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[3]">[3]</A>
|
|
</DT>
|
|
<DD>Berners-Lee, T., Fielding, R. T. and Frystyk, H.,
|
|
'Hypertext Transfer Protocol -- HTTP/1.0', RFC 1945, MIT/LCS,
|
|
UC Irvine, May 1996.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
|
|
<DT><A NAME="[4]">[4]</A>
|
|
</DT>
|
|
<DD>Berners-Lee, T., Fielding, R., and Masinter, L., Editors,
|
|
'Uniform Resource Identifiers (URI): Generic Syntax', RFC 2396,
|
|
MIT, U.C. Irvine, Xerox Corporation, August 1996.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
|
|
<DT><A NAME="[5]">[5]</A>
|
|
</DT>
|
|
<DD>Braden, R., Editor, 'Requirements for Internet Hosts --
|
|
Application and Support', STD 3, RFC 1123, IETF, October 1989.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[6]">[6]</A>
|
|
</DT>
|
|
<DD>Crocker, D.H., 'Standard for the Format of ARPA Internet Text
|
|
Messages', STD 11, RFC 822, University of Delaware, August 1982.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[7]">[7]</A>
|
|
</DT>
|
|
<DD>Fielding, R., 'Relative Uniform Resource Locators', RFC 1808,
|
|
UC Irvine, June 1995.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[8]">[8]</A>
|
|
</DT>
|
|
<DD>Fielding, R., Gettys, J., Mogul, J., Frystyk, H. and
|
|
Berners-Lee, T., 'Hypertext Transfer Protocol -- HTTP/1.1',
|
|
RFC 2068, UC Irvine, DEC,
|
|
MIT/LCS, January 1997.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[9]">[9]</A>
|
|
</DT>
|
|
<DD>Freed, N. and Borenstein N., 'Multipurpose Internet Mail
|
|
Extensions (MIME) Part Two: Media Types', RFC 2046, Innosoft,
|
|
First Virtual, November 1996.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[10]">[10]</A>
|
|
</DT>
|
|
<DD>Mockapetris, P., 'Domain Names - Concepts and Facilities',
|
|
STD 13, RFC 1034, ISI, November 1987.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[11]">[11]</A>
|
|
</DT>
|
|
<DD>St. Johns, M., 'Identification Protocol', RFC 1431, US
|
|
Department of Defense, February 1993.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[12]">[12]</A>
|
|
</DT>
|
|
<DD>'Coded Character Set -- 7-bit American Standard Code for
|
|
Information Interchange', ANSI X3.4-1986.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
<DT><A NAME="[13]">[13]</A>
|
|
</DT>
|
|
<DD>Hinden, R. and Deering, S.,
|
|
'IP Version 6 Addressing Architecture', RFC 2373,
|
|
Nokia, Cisco Systems,
|
|
July 1998.
|
|
<P>
|
|
</P>
|
|
</DD>
|
|
</DL>
|
|
|
|
<H2>
|
|
<A NAME="14.0">
|
|
14. Authors' Addresses
|
|
</A>
|
|
</H2>
|
|
<ADDRESS>
|
|
<P>
|
|
Ken A L Coar
|
|
<BR>
|
|
MeepZor Consulting
|
|
<BR>
|
|
7824 Mayfaire Crest Lane, Suite 202
|
|
<BR>
|
|
Raleigh, NC 27615-4875
|
|
<BR>
|
|
U.S.A.
|
|
</P>
|
|
<P>
|
|
Tel: +1 (919) 254.4237
|
|
<BR>
|
|
Fax: +1 (919) 254.5250
|
|
<BR>
|
|
Email:
|
|
<A
|
|
HREF="mailto:Ken.Coar@Golux.Com"
|
|
><SAMP>Ken.Coar@Golux.Com</SAMP></A>
|
|
</P>
|
|
</ADDRESS>
|
|
<ADDRESS>
|
|
<P>
|
|
David Robinson
|
|
<BR>
|
|
E*TRADE UK Ltd
|
|
<BR>
|
|
Mount Pleasant House
|
|
<BR>
|
|
2 Mount Pleasant
|
|
<BR>
|
|
Huntingdon Road
|
|
<BR>
|
|
Cambridge CB3 0RN
|
|
<BR>
|
|
UK
|
|
</P>
|
|
<P>
|
|
Tel: +44 (1223) 566926
|
|
<BR>
|
|
Fax: +44 (1223) 506288
|
|
<BR>
|
|
Email:
|
|
<A
|
|
HREF="mailto:drtr@etrade.co.uk"
|
|
><SAMP>drtr@etrade.co.uk</SAMP></A>
|
|
</ADDRESS>
|
|
|
|
</BODY>
|
|
</HTML>
|