APAR status
Closed as program error.
Error description
Behavior of tokenized query string on IBM HTTP Server 6.1 differs from 1.3. The latest candidate RFC for CGI disallows URLs with consecutive plus signs, but software must generally be liberal with what it accepts. This is a case where the behavior is undefined, but it seems more faithful to behave the way we did in 1.3
Local fix
Workaround the issue for one set ++ by the following settings: RewriteCond %{QUERY_STRING} (.*)\+\+(.*) RewriteRule (.*\.cgi)$ $1?%1+\%20+%2 [PT]
Problem summary
**************************************************************** * USERS AFFECTED: IBM HTTP Server configurations with mod_cgid * * loaded and ISINDEX CGI scripts that receive command line * * arguments via the query string instead of key/value pairs. * **************************************************************** * PROBLEM DESCRIPTION: ISINDEX query strings separate arguments* * with the '+' character. Consecutive '+' characters do not * * result in empty arguments being passed to the CGI script, * * but this is contrary to the behavior of mod_cgi (as used in * * IHS 1.3.x and IHS 2.0 and higher on Windows systems). * **************************************************************** * RECOMMENDATION: The fix is recommended for configurations * * where CGI scripts were used successfuly with IHS 1.3.x * * and are reporting an incorrect number of parameters with * * IHS 6.0 and higher. The URL for these scripts would include * * a query string containing no '=' characters and 1 or more '+'* * characters * **************************************************************** The CGI specifications allows for an "ISINDEX" style of CGI script that uses command line arguments instead of key/value pairs. Arguments for ISINDEX CGI scripts are separated by the '+' character, and the entire query string must not contain any '=' characters. The original specification did not concretely define the parsing of the ISINDEX query string, and later specifications do not allow consecutive '+' characters without text between them. The default behavior of mod_cgid is to discard these empty command-line arguments.
Problem conclusion
mod_cgid has been modified to respect a startup-time environment variable, IHS_CGID_PASS_NULL_ISINDEX_ARGUMENTS. When this variable is set to any value, mod_cgid will pass a null command line argument for each pair of consecutive '+' characters in the query string. This behavior matches the behavior of IHS 1.3.x. Example values in <ihsinst>/bin/envvars: IHS_CGID_PASS_NULL_ISINDEX_ARGUMENTS=1 export IHS_CGID_PASS_NULL_ISINDEX_ARGUMENTS Example ISINDEX CGI URL: http://example.com/cgi-bin/echoargs.cgi?a++b+c++d Default behavior without IHS_CGID_PASS_NULL_ISINDEX_ARGUMENTS: $1 = "a" $2 = "b" $3 = "c" Behavior with IHS_CGID_PASS_NULL_ISINDEX_ARGUMENTS: $1 = "a" $2 = "" $3 = "b" This fix is targeted for fix packs 6.1.0.21 6.0.2.33
Temporary fix
Comments
APAR Information
APAR number
PK70028
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
61A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2008-08-04
Closed date
2008-08-06
Last modified date
2008-08-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
MOD_CGID
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN
UP
R60H PSN
UP
R60P PSN
UP
R60I PSN
UP
R60S PSN
UP
R60Z PSN
UP
R61A PSN
UP
R61H PSN
UP
R61P PSN
UP
R61I PSN
UP
R61S PSN
UP
R61Z PSN
UP
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1"}]
Document Information
Modified date:
07 September 2022