Bug 62663 - REQUEST_URI includes query string, contrary to documentation
Summary: REQUEST_URI includes query string, contrary to documentation
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.4.34
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-30 15:48 UTC by felipe
Modified: 2019-05-07 19:11 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description felipe 2018-08-30 15:48:43 UTC
The only documentation I can find for the REQUEST_URI environment variable is in mod_rewrite’s documentation, which states:

-----
REQUEST_URI
    The path component of the requested URI, such as "/index.html". This notably excludes the query string which is available as its own variable named QUERY_STRING.

(https://httpd.apache.org/docs/current/mod/mod_rewrite.html)
-----

Yet when I print environment variables from a CGI, this variable clearly includes the query string:

-----
--- 
CONTEXT_DOCUMENT_ROOT: /usr/local/cpanel/3rdparty/mailman/cgi-bin/
CONTEXT_PREFIX: /mailman
DOCUMENT_ROOT: /var/www/html
GATEWAY_INTERFACE: CGI/1.1
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_ENCODING: gzip, deflate
HTTP_ACCEPT_LANGUAGE: en-CA,en-US;q=0.7,en;q=0.3
HTTP_CONNECTION: keep-alive
HTTP_DNT: 1
HTTP_HOST: felipe64
HTTP_UPGRADE_INSECURE_REQUESTS: 1
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
PATH: /usr/local/jdk/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin:/opt/bin
QUERY_STRING: 12%C3%A93
REMOTE_ADDR: 10.1.4.84
REMOTE_PORT: 57231
REQUEST_METHOD: GET
REQUEST_SCHEME: http
REQUEST_URI: /mailman/env.pl?12%C3%A93
SCRIPT_FILENAME: /usr/local/cpanel/3rdparty/mailman/cgi-bin/env.pl
SCRIPT_NAME: /mailman/env.pl
SERVER_ADDR: 10.215.218.116
SERVER_ADMIN: felipe@cpanel.net
SERVER_NAME: felipe64
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SIGNATURE: ''
SERVER_SOFTWARE: Apache
TZ: America/Chicago
UNIQUE_ID: W4gNJQdsM-OMFF6C6rRjCQAAAAA
-----

This isn’t actually operating from behind mod_rewrite, so I’m not really sure why REQUEST_URI is being added to the environment. Regardless, should the documentation be updated? This would seem to be well-established behavior, such that I’d think altering REQUEST_URI’s value would do more harm than just updating the docs.
Comment 1 Eric Covener 2018-08-30 16:15:23 UTC
It looks like REQUEST_URI the internal environment variable (which gets copied to the environment for a CGI or is accessible as 'reqenv' in expressions) is the actual URI, whereas REQUEST_URI is the path component only. 

e.g. these give different results:

# not even in the env w/o CGI
Header always set "X-URI" "expr=%{reqenv:REQUEST_URI}"
# path only
Header always set "X-URI2" "expr=%{REQUEST_URI}"


I think it's worth a caveat a few places where directives can read "special" variables and similar "environment variables" (ap_expr, rewritecond, setenvif)
Comment 2 William A. Rowe Jr. 2018-08-30 16:17:50 UTC
Note that the CGI RFC doesn't define REQUEST_URI.

This is what it does define, Script-URI;

https://tools.ietf.org/html/rfc3875#section-3.3

This apparently includes path info and query string.
Comment 3 Peter Scott 2019-05-07 19:11:26 UTC
The query string is also included when REQUEST_URI is used in a RewriteRule substitution parameter.  The mod_rewrite documentation states that "The server-variables are the same as for the TestString of a RewriteCond directive" and the definitions of those variables under RewriteCond include the assertion that REQUEST_URI does not include QUERY_STRING.  This seems unambiguously incorrect.

We would like to know whether the documentation or the behavior of REQUEST_URI inside RewriteRule is going to be changed in future versions.