Re: CGI, semicolons, and so on...

John Franks ([email protected])
Thu, 30 Dec 1993 10:37:26 -0600 (CST)


According to Fisher Mark:
> The ability to,
> at will, change any script into a file by subtracting a ';' makes me
> nervous. My suspicion is that there will be more cases where you do not
> want to serve scripts as files than there will be cases of wanting to serve
> scripts as files ...

I think there is some confusion here. The suggestion under discussion
was to have a URL in which a path ending in ';' indicated a *request*
by the client to execute a file and one without the ';' indicated a
*request* to view it as a file. In my opinion, no sensible server
implementor would design a system where permission to execute a script
implied permission to view it as a text file or vice versa.
Certainly no one in this discussion made that suggestion.

Any mechanism to determine who has permission to do what must necessarily
be independent of the URL since the client can write any URL it wants.

Other reasons have been pointed out why it is not a good idea to have
the existence of PATH_INFO data (i.e. a ';') imply the file is to be
executed.

John Franks Dept of Math. Northwestern University
[email protected]
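
The separation described in this message, as an added example that is not part of the original post or of any server discussed in the thread: the ';' is parsed only as the action the client is asking for, and a server-side table decides view and execute independently. The policy table, paths and function names are hypothetical.

```python
# Added illustration; the policy table, paths and function names are hypothetical.
# Server-side policy: view and execute are granted separately per file.
POLICY = {
    "/scripts/search": {"execute"},             # runnable, source not viewable
    "/docs/readme.txt": {"view"},               # plain file, never executed
    "/examples/hello.sh": {"execute", "view"},  # both explicitly granted
}


def parse_request(url_path):
    """Split a URL path into (file, requested action, path info).

    A ';' only states what the client is asking for; it grants nothing.
    """
    file_part, sep, path_info = url_path.partition(";")
    action = "execute" if sep else "view"
    return file_part, action, path_info


def decide(url_path):
    """Return an HTTP-style status for the request under POLICY."""
    file_part, action, _ = parse_request(url_path)
    allowed = POLICY.get(file_part)
    if allowed is None:
        return 404  # unknown file
    # The decision depends on the server's table, not on the URL's shape.
    return 200 if action in allowed else 403


if __name__ == "__main__":
    # Constructed sample requests.
    for url in ["/scripts/search;", "/scripts/search", "/docs/readme.txt;",
                "/examples/hello.sh", "/examples/hello.sh;/extra"]:
        print(url, decide(url))
```

Dropping or adding the ';' changes only which permission is looked up, so a script granted execute alone is refused when requested as a file.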