On Thu, Sep 12, 2002 at 10:31:50PM +0200, Günter Knauf wrote:
> Hi,
> probably a stupid question, but I'm too lazy to look through the source;
> and I'm sure many of you here can answer this question at once:
> are the server-side vars generated by the server or only echoed vars which were
> provided by the browser??
> Especially REQUEST_URI is of interest to me for security purposes in scripts, so is
> it generated by Apache itself or can it be faked by the client?

In 1.3 it looks like it's set from the original request, but to be able
to fake it they can't call your script (right?)

./src/main/util_script.c:    ap_table_setn(e, "REQUEST_URI", original_uri(r));

static char *original_uri(request_rec *r)
{
    char *first, *last;

    if (r->the_request == NULL) {
        return (char *) ap_pcalloc(r->pool, 1);
    }

    first = r->the_request;     /* use the request-line */

    while (*first && !ap_isspace(*first)) {
        ++first;                /* skip over the method */
    }
    while (ap_isspace(*first)) {
        ++first;                /*   and the space(s)   */
    }

    last = first;
    while (*last && !ap_isspace(*last)) {
        ++last;                 /* end at next whitespace */
    }

    return ap_pstrndup(r->pool, first, last - first);
}

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> <http://photos.eibner.dk/>
  !(C)<http://copywrong.dk/>                  <http://apachegallery.dk/>
          Putting the HEST in .COM <http://www.hestdesign.com/>
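
An added example, not part of the original message or of the Apache source: a stand-alone C version of the same request-line scan, showing that the value handed to scripts is the client's second request-line token copied verbatim (not decoded or normalized). The names request_uri_from_line and uri_is_plain_path, the allow-list policy, and the sample request lines are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same scan as original_uri(), with malloc() standing in for the Apache pool:
 * returns a copy of the second whitespace-delimited token of the request line. */
char *request_uri_from_line(const char *line)
{
    const char *first = line ? line : "", *last;
    char *out;

    while (*first && !isspace((unsigned char)*first)) ++first;  /* method */
    while (isspace((unsigned char)*first)) ++first;             /* space(s) */
    for (last = first; *last && !isspace((unsigned char)*last); ++last)
        ;                                                       /* the URI */
    out = malloc((size_t)(last - first) + 1);
    if (out == NULL) return NULL;
    memcpy(out, first, (size_t)(last - first));
    out[last - first] = '\0';
    return out;
}

/* Hypothetical allow-list check a script could apply before using the value:
 * origin-form only, path limited to [A-Za-z0-9._/-], and no ".." sequence. */
int uri_is_plain_path(const char *uri)
{
    size_t i, len = strcspn(uri, "?");          /* check the path part only */

    if (uri[0] != '/') return 0;                /* empty or absolute-URI form */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!isalnum(c) && c != '/' && c != '.' && c != '_' && c != '-')
            return 0;                           /* '%' escapes land here */
        if (c == '.' && uri[i + 1] == '.') return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed request lines, not captured traffic. */
    const char *lines[] = { "GET /cgi-bin/app.cgi?id=1 HTTP/1.0",
                            "GET /a/%2e%2e/b HTTP/1.0",
                            "GET http://other.example/x HTTP/1.0" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char *uri = request_uri_from_line(lines[i]);
        if (uri == NULL) return 1;
        printf("%-24s plain=%d\n", uri, uri_is_plain_path(uri));
        free(uri);
    }
    return 0;
}
```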
