Why would Apache URL-decode my query string?

My web host refused to help me with this, so I come to the wise people here for help with some “black box debugging”. Here's an edited version of what I sent them:

I have two domains (among others) on DreamHost:

1) thefigtrees.net

2) mustivoteformccain.com

Today I noticed that when I place a CGI script on #1 and the script is executed, the HTTP GET query string passed to it in the QUERY_STRING environment variable has already been URL-decoded. This is a problem because it means that a standard CGI library (e.g. Perl's CGI.pm) will try to split on ampersands and then decode the string itself. There are two potential problems with this:

1) the string is double-decoded, so if the value presented to the script is, for example, "%2525", it will be processed as "%" (decoded twice) and not "%25" (decoded once)

2) (more general) if there is an ampersand in the presented value, then it will be (correctly) sent as %26, but the QUERY_STRING env. variable will already be decoded into "&", and then the CGI library will incorrectly split the query string at this ampersand. This is a big problem!

The script at http://thefigtrees.net/test.cgi demonstrates this. It echoes back what it is called with. Browsing to:

http://thefigtrees.net/lee/test.cgi?x=y%26z

, REQUEST_URI x = y% 26z (unencoded), QUERY_STRING x = y & z. №2 ( http://www.shouldivoteformccain.com/test.cgi?x=y%26z) , QUERY_STRING , CGI.pm .

.htaccess, , , .

- , -, , ?

,

+3
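The two failure modes described in the question, reproduced as an added example (not code from the original post): Python's `urllib.parse` stands in for a CGI library such as CGI.pm, and the function names are hypothetical. It also includes the REQUEST_URI versus QUERY_STRING comparison the question uses to spot the problem.

```python
from urllib.parse import unquote, unquote_plus


def parse_query(query_string):
    """Parse the way a CGI library does: split on '&' and '=', then decode each part once."""
    pairs = []
    for field in query_string.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def predecoded(query_string):
    """Simulate the reported server behaviour: QUERY_STRING is decoded before the script runs."""
    return unquote(query_string)


def query_string_was_rewritten(request_uri, query_string):
    """The query part of REQUEST_URI should match QUERY_STRING exactly; a mismatch
    means something decoded or rewrote it before the script saw it."""
    _, _, raw_query = request_uri.partition("?")
    return raw_query != query_string


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the requests in the question.
    for raw in ("x=y%26z", "v=%2525"):
        print("raw query       :", raw)
        print("  correct parse :", parse_query(raw))
        print("  after predecode:", parse_query(predecoded(raw)))
    # Values as the question reports them for the affected domain.
    print(query_string_was_rewritten("/lee/test.cgi?x=y%26z", "x=y&z"))
```
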
2

Apache.

, mod_rewrite URL-, , . .

( URL- URL-).

+1

. , , , ... , , , , , , .

CGI 1.1 SCRIPT -NAME PATH-INFO, QUERY-STRING. , , . REQUEST-URI , (, Apache), , - Unicode , - .

VPS ...

0
