guile-www-2.9 (www cgi) bad cgi:values when a name has no "="
From: Alan Grover
Subject: guile-www-2.9 (www cgi) bad cgi:values when a name has no "="
Date: Mon, 11 Apr 2005 19:45:32 -0400
User-agent: Mozilla Thunderbird 0.7 (X11/20040615)

The (www cgi) module parses query-string/form-data parameters
incorrectly, thus cgi:value, cgi:values, cgi:names, and cgi:form-data?
will give incorrect results.

Module: www cgi
Version: 2.9

The low-level "split" function, separate-fields-discarding-char,
discards a "key" if there is no value. Example: http://gnu.org?bob will
have "bob" dropped, yielding no results for the values/names functions.
I believe this is a bug, as it is important in some cases to know that a
"key" appears even if it has no value. Only a "href" seems likely to
generate such a construct, as forms typically result in an empty value
(and thus an appearance like: "bob=").

Further, the internal data structure (form-variables) is sometimes
populated with bad alist entries such as (#f #f). E.g.
http://gnu.org?val=1&noval2 will create such an entry.

The applicable RFC seems to be 1866:
section 8.2.1: "Fields with null values may be omitted" by user agents.
Which implies that a null value is legal. Further, "the name [is]
separated from the value by `='" would imply that the "=" is not
optional. Thus, my example above may be strictly illegal. In fact,
without a "=" or "&", the query-string (as form-data) is
indistinguishable from an 'ISINDEX' query-string (see section 7.5).

However, many url-parsing implementations tolerate a missing "=". E.g.
Perl's widely used cgi.pm.

I'm working on a suggested change to (www cgi) that corrects this bug
and maintains the order of the form-data. It should be available within
the next 2 days.

--
Alan Grover
address@hidden
+1.734.476.0969
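
The parsing behaviour the report asks for, as an added example in Guile Scheme that is not part of the original message and is not guile-www code: a name with no "=" is kept and distinguished from a name with an empty value, field order is preserved, and no (#f #f) entries are produced. The names parse-form-data, split-field, form-names and form-values are hypothetical, and percent-decoding of names and values is assumed to happen in a later step.

```scheme
;; Added example, not guile-www code. All procedure names here are
;; hypothetical. Percent-decoding is assumed to be done afterwards.
(use-modules (srfi srfi-1))

;; Split one field at the first "=" only, so a value may itself
;; contain "=". A field with no "=" gets #f as its value; a field
;; ending in "=" gets the empty string. Callers can therefore tell
;; "name present without a value" from "name present, value empty".
(define (split-field field)
  (let ((eq-pos (string-index field #\=)))
    (if eq-pos
        (cons (substring field 0 eq-pos)
              (substring field (+ eq-pos 1)))
        (cons field #f))))

;; Parse a raw query string (the part after "?") into an alist of
;; (name . value) pairs in the order the fields appeared.
;; Empty fields, as produced by "a&&b" or a trailing "&", are
;; skipped, so every entry has a string as its name.
(define (parse-form-data query)
  (map split-field
       (remove string-null? (string-split query #\&))))

;; Distinct names in order of first appearance.
(define (form-names pairs)
  (delete-duplicates (map car pairs)))

;; All values recorded for NAME, in order. A #f element means the
;; name appeared without "=".
(define (form-values pairs name)
  (map cdr
       (filter (lambda (p) (string=? (car p) name)) pairs)))

;; Constructed sample inputs: the query parts of the URLs quoted in
;; the report, plus the "bob=" form a browser would send.
(for-each
 (lambda (query)
   (let ((pairs (parse-form-data query)))
     (format #t "query ~s~%  pairs: ~s~%  names: ~s~%"
             query pairs (form-names pairs))))
 '("bob" "bob=" "val=1&noval2"))
```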