Un-CGI Change Log

Version 1.11

Use strerror() rather than sys_errlist by default to produce human-readable error messages. For systems that don't have strerror(), supply an option in the Makefile to revert to the old behavior.

Version 1.10

Check for ".." elements in script paths; this closes a security hole that could be used to execute arbitrary applications on the server.

Add security-related compile-time option EXECUTABLES_ONLY. The old behavior may be retained by not setting the option.

Version 1.9

Fix a memory corruption bug that caused unpredictable results, especially in the presence of <select multiple> tags in a form.

The Netscape server is passing a PATH_TRANSLATED variable with an empty value, which was causing uncgi to crash or generate corrupt data.

Version 1.8

The NO_MAIN define has been changed to LIBRARY, which is more descriptive.

Various minor tweaks to increase readability.

Don't do the check for scripts beginning with #! on Linux systems, since some Linux versions have buggy fgets() implementations that will cause the check to hang if no newline occurs in a binary.

Version 1.7

If compiled with -DNO_QUERY_OK, it's not an error to run uncgi without a query string.

Un-CGI now prints a tagline linking back to its home page when it spits out an error message. From there you can check the FAQ and see if your problem is covered.

Modifications to support compilation under Turbo C on Windows 95. I do not support Un-CGI on Windows.

Version 1.6.2

Added a lot of debugging messages to help diagnose future bug reports.

Fixed a memory allocation problem.

Fixed a problem in the script name parser that was causing it to not execute scripts properly.

Version 1.6.1

Doing a "make install" won't return an error if you don't have a previous version of uncgi installed.

Incorporated a patch from Bruce Korb <bkorb@mport.com> to make the function that runs shell scripts more robust.

Version 1.6

Revamped the Makefile to make configuration less confusing.

Added an internal version of strdup() since Ultrix doesn't seem to include it in its system library.

Version 1.5

If an input field name begins with an underscore, Un-CGI will do some simple normalizing of the value. It will strip whitespace from the beginning and end of the value, and will change all end-of-line characters (including CR-LF pairs) to single linefeeds. This should make transmitting forms via E-mail more straightforward. This is mainly useful for <textarea> inputs.

Possible incompatibility! Change periods to underscores in variable names, so that shell scripts can access the coordinate values from "image" form fields. If you were using <input type=image> with Un-CGI before, or you had forms with periods in field names, you'll need to adjust your backend software.

Explicitly include <sys/types.h> before <sys/stat.h< for systems (e.g. BSDI) that don't do so implicitly; this makes uncgi compile properly.

Version 1.4

Un-CGI is now distributed in "tar" format, rather than "shar", which lots of people had trouble figuring out what to do with.

POST queries would sometimes cause heap corruption due to uncgi not mallocing enough space for an input buffer.

Scripts that had a space after the shell name but no additional arguments would cause uncgi to dump core. (E.g., scripts whose first line was "#!/bin/sh ".)

If a nonexistent script name is used, uncgi will no longer print the entire path to the script directory in its error message. This makes it harder for potential intruders to discover the location of the scripts.

Version 1.3

The SCRIPT_NAME environment variable is adjusted to include the name of the backend script run by uncgi.

The QUERY_STRING environment variable is passed to backend programs unchanged. It used to get mangled on some systems.

Backend programs can now be in subdirectories of the script directory. Un-CGI will adjust SCRIPT_NAME and PATH_INFO appropriately.

Version 1.2

Multiple selections with the same name are now supported (e.g. a <select multiple> form element.) All the values are stuffed into the same WWW_ environment variable, separated by pound signs. If you can think of a more elegant way to do it, let me know.

Version 1.1

Shell scripts, if they start with "#!", are now executed by running the shell directly with the script name as an argument. Some SVR3-based systems were having trouble running scripts via execve(), so this should work everywhere.

Empty query strings are handled properly.

Query strings containing entries that aren't of the form "x=y" cause empty environment variables to be created, i.e., a string "foo=" is entered into the environment. Version 1.0 just passed the variable name to setenv(), which isn't valid.

To the Un-CGI home page

Maintained by Steven Grimm <koreth@midwinter.com>.
Send mail if you have comments or suggestions.