Each time the Web server executes a CGI script, it creates a number of environment variables to pass information to the CGI script. These variables inform the CGI script how the script is being invoked and provide information about the server and the Web browser being used by the client. Depending on how the CGI script is invoked, some environment variables may not be available.
Environment variables supplied to CGI scripts are always all uppercase. When they are being accessed by a C Program or Perl Script, or whichever language you are using, be sure to use all uppercase letters.
This section discusses the environment variables available to CGI scripts. By accessing these variables, CGI scripts can obtain certain information, such as the browser used to invoke the script. After the following discussion about environment variables, you learn how to access these variables from a Perl script, as well as a C program via CGI.
AUTH_TYPE
Some Web servers can be configured to authenticate users. If the server has authenticated a user, the authentication type used to validate the user is stored in the AUTH_TYPE variable. The authentication type is determined by examining the Authorization header the Web server might receive with an HTTP request.
CONTENT_LENGTH
Sometimes CGI scripts are invoked with additional information. This information is typically input for the CGI program. The length of this additional information, in bytes, is stored in this variable. If a CGI script is called with the PUT or POST method, CONTENT_LENGTH is used to determine the length of the input.
CONTENT_TYPE
MIME content types are used to label various types of objects (HTML files, Microsoft Word files, GIF files, etc.). The MIME content type for data being submitted to a CGI script is stored in CONTENT_TYPE. For example, if data is submitted to a CGI script using the GET method, this variable will contain the value application/x-www-form-urlencoded. This is because responses to the form are encoded according to URL specifications.
GATEWAY_INTERFACE
The CGI specification revision number is stored in the GATEWAY_INTERFACE environment variable. The format of this variable is CGI/revision. By examining this variable, a CGI script can determine the version of CGI that the Web server is using.
HTTP_ACCEPT
Various Web clients can handle different MIME types. These MIME types are described in the HTTP_ACCEPT variable. MIME types accepted by the Web client calling the CGI script will be a list separated by commas. This list takes the format type/subtype, type/subtype. For example, if the Web client supports the two image formats GIF and JPEG, the HTTP_ACCEPT list will contain the two items image/gif, image/jpeg.
HTTP_USER_AGENT
By looking at this value, the Web browser used by the client can be determined. For example, if Netscape 2.0 beta 4 is being used by the client, the HTTP_USER_AGENT variable will contain the value Mozilla/2.0b4 (WinNT; I). The general format of this variable is software/version library/version.
PATH_INFO
The PATH_INFO variable is usually used to pass various options to a CGI program. These options follow the script's URL: clients may access CGI scripts with additional information after the URL of the CGI script. PATH_INFO will always contain the string that followed the name of the CGI script in the URL used to call it. For example, PATH_INFO will have the value /These/Are/The/Arguments if the CGI script FunWithNT.EXE is called with the following URL:
http://your_server.your_domain/cgi-bin/FunWithNT.exe/These/Are/The/Arguments
PATH_TRANSLATED
In the event the CGI script needs to know the absolute path name of itself, the CGI script can obtain this information from PATH_TRANSLATED. For example, if the CGI script being invoked is HelloNTWorld.EXE, all CGI scripts are stored in H:\www\http\ns-home\root\cgi-bin, and the CGI script is accessed with the URL http://your_server.your_domain/root/cgi-bin/HelloNTWorld.EXE, PATH_TRANSLATED will contain the value H:\www\http\ns-home\root\cgi-bin\HelloNTWorld.EXE. If the CGI program needs to save or access any temporary files in its home directory, it can use PATH_TRANSLATED to determine its absolute location.
QUERY_STRING
You may have noticed that when you submit some forms, there is a string of characters after a question mark, following the URL of the script being called. This string of characters is referred to as the query string and contains everything after the question mark. When a CGI script is called with the GET method, QUERY_STRING typically contains variables and their values as entered by the person who filled in the form. QUERY_STRING is sometimes used by various search engines to examine the input when a form is submitted for a keyword search. For example, if a CGI application is executed using the URL http://www.server.com/cgi-bin/application.exe?WindowsNT=Fun, QUERY_STRING will contain the string "WindowsNT=Fun".
REMOTE_ADDR
The IP address of the client that called the CGI program is stored in the REMOTE_ADDR environment variable. For security reasons, the value of this variable should never be used for user authentication purposes. It's not very hard to trick your Web server into believing a client is connecting to your Web server from a different IP address.
REMOTE_HOST
If the Web server can do a DNS lookup of the client's IP address and finds the alias of the IP address, the REMOTE_HOST variable will contain the alias name of the client's IP address. Some Web servers allow DNS lookups to be turned on or off. If you will be using this variable to find the IP address alias of clients, be sure the DNS lookup option is turned on. The Web server can find the IP address aliases of most clients, but it might not be capable of getting the aliases of some clients. In such an event, the REMOTE_HOST variable will not be assigned the client's DNS alias value; it will just contain the client's IP address. This value should never be used for user authentication purposes.
REMOTE_IDENT
If the Web server being used supports RFC 931 identification, this variable will contain the user name retrieved from the server. Unfortunately, this value cannot be trusted when transmitting sensitive data. Typically a Web server obtains this value by contacting the client that initialized the HTTP request and speaking with the client's authentication server.
REMOTE_USER
Some Web servers support user authentication. If a user is authenticated, the CGI script can find out the username of the person browsing the Web site by looking at the value of the REMOTE_USER environment variable. The REMOTE_USER CGI variable is available only if the user has been authenticated using an authentication mechanism.
REQUEST_METHOD
A client can call a CGI script in a number of ways. The method used by the client to call the CGI script is in the REQUEST_METHOD variable. This variable can have a value like HEAD, POST, GET, or PUT. CGI scripts use the value of this variable to find where to obtain data passed to the CGI script.
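The REQUEST_METHOD and CONTENT_LENGTH descriptions above, combined in C as an added example (not code from the original article): the script picks its input source from REQUEST_METHOD and parses the client-supplied CONTENT_LENGTH strictly before reading that many bytes from standard input. The 8192-byte cap and the names MAX_BODY, parse_content_length and input_source are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 8192L /* assumed cap for this example */

/* Strictly parse CONTENT_LENGTH: digits only, no overflow, <= MAX_BODY.
 * Returns the length, or -1 if the value is missing or unacceptable. */
long parse_content_length(const char *s)
{
    char *end;
    long n;

    if (s == NULL || *s < '0' || *s > '9')
        return -1; /* unset, empty, signed or space-padded */
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || n > MAX_BODY)
        return -1;
    return n;
}

/* Pick the input source from REQUEST_METHOD.
 * Returns 0 = QUERY_STRING, 1 = stdin (*len bytes), -1 = reject. */
int input_source(const char *method, const char *clen, long *len)
{
    *len = 0;
    if (method == NULL)
        return -1;
    if (strcmp(method, "GET") == 0 || strcmp(method, "HEAD") == 0)
        return 0;
    if (strcmp(method, "POST") != 0 && strcmp(method, "PUT") != 0)
        return -1;
    *len = parse_content_length(clen);
    return *len < 0 ? -1 : 1;
}

int main(void)
{
    static char body[MAX_BODY + 1];
    long len;
    int src = input_source(getenv("REQUEST_METHOD"),
                           getenv("CONTENT_LENGTH"), &len);
    /* Read no more than the validated number of bytes from stdin. */
    size_t got = src == 1 ? fread(body, 1, (size_t)len, stdin) : 0;

    printf("Content-Type: text/plain\r\n\r\nsource=%d body_bytes=%lu\n",
           src, (unsigned long)got);
    return 0;
}
```

Rejecting signed, padded or oversized values up front keeps a negative or huge CONTENT_LENGTH from ever reaching a buffer size or read count.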
SCRIPT_NAME
All files on a Web server are usually referenced relative to its document root directory. SCRIPT_NAME contains the virtual path name of the script called relative to the document root directory. For example, if the document root directory is c:\www\http\ns-home\root, all CGI scripts are stored in c:\www\http\ns-home\root\cgi-bin\ and the CGI script HelloNTWorld.EXE is called, the SCRIPT_NAME variable will contain the value \cgi-bin\HelloNTWorld.EXE. The advantage of this variable is that it allows the CGI script to refer to itself. This is handy if somewhere in the output, the script's URL needs to be made into a hypertext link.
SERVER_NAME
The domain name of the Web server that invoked the CGI script is stored in this variable. This domain name can either be an IP address or DNS alias.
SERVER_PORT
Typically, Web servers listen for HTTP requests on port 80. However, a Web server can listen on any port that's not in use by another application. A CGI program can find out the port on which the Web server is serving HTTP requests by looking at the value of the SERVER_PORT environment variable. When displaying self-referencing hypertext links at runtime by examining the contents of SERVER_NAME, be sure to append the port number of the Web server (typically port 80) by concatenating SERVER_NAME with the value of SERVER_PORT.
SERVER_PROTOCOL
Web servers speak the HyperText Transport Protocol (HTTP). The version of HTTP the Web server is using can be determined by examining the SERVER_PROTOCOL environment variable. The SERVER_PROTOCOL variable contains the name and revision data of the protocol being used. This information is in the format protocol/revision. For example, if the server speaks HTTP 1.0, this variable will have the value HTTP/1.0.
SERVER_SOFTWARE
The name of the Web server that invoked the CGI script is stored in the SERVER_SOFTWARE environment variable. This environment variable is in the format name/version. If a CGI script is designed to make use of various special capabilities of a Web server, the CGI script can determine the Web server being used by examining this variable before those special capabilities are used.
References:
Sanjaya Hettihewa, Windows NT 4, Web Development, Sams net, Indianapolis, First Edition, 1996
Source: http://www.invir.com/int-prog-cgivar.html