Bug 49043

Summary: Using ssi include directive overwrites QUERY_STRING variable
Product: Apache httpd-2
Reporter: Dennis Jacobfeuerborn <dennisml>
Component: mod_include
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER
Severity: major
Keywords: MassUpdate
Priority: P2
Version: 2.2.15
Target Milestone: ---
Hardware: PC
OS: Linux

Description Dennis Jacobfeuerborn 2010-04-04 01:12:47 UTC
It looks like there is a serious bug in the handling of virtual includes with
Apache's SSI filter.

Take the following code:
<html><body>
<!--#echo var="QUERY_STRING"-->
<!--#include virtual="/ssi2.php?abc=1"-->
<!--#echo var="QUERY_STRING"-->
</body></html>

If this is called with the query string "(url)?test=1" then the first echo will
print "test=1" as expected but the second one will output "abc=1".
Apparently the include in the middle completely obliterates the original query
string making it unusable for subsequent includes.

That's a major problem as soon as you use more than one SSI include with
QUERY_STRING in your pages.

(I'm seeing this with the httpd from the latest CentOS as well as the newer httpd from Fedora using the SSI output filter)

Comment 1 Niko Theiner 2010-12-02 10:25:34 UTC
Yeah, we're suffering from the same problem (Apache 2.2.16 Linux). We have established a work-around now which stores the original query string in a backup variable and restores it after the include:

<!--#set var="QUERY_STRING_BAK" value="$QUERY_STRING"-->
<!--#include virtual="include.html" -->
<!--#set var="QUERY_STRING" value="$QUERY_STRING_BAK"-->

Not nice, but working ;)

Any chance for a fix soon?

Comment 2 William A. Rowe Jr. 2018-11-07 21:09:32 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.