CGI, SCGI and Certificates (was Re: [ANN] Gemini browser for iOS)

[Michael Lazar]

On Tue, Jun 9, 2020 at 7:14 PM Sean Conner <sean at conman.org> wrote:
>
> It was thus said that the Great solderpunk once stated:
> >
> > (following Sean's lead for now, although I need to bring up some points
> > for discussion about this in the near future).
>
>   So I have two CGI scripts set up.  Both are in a "protected" area of the
> server (on my development machine) that requires a client certificate.  One
> receives *just* the RFC-3875 defined variables:
>
> AUTH_TYPE=Certificate
> GEMINI_DOCUMENT_ROOT=/home/spc/projects/gemini/non-checkin/cgi-bin
> GEMINI_URL=gemini://lucy.roswell.area51/cgi-bin/beta/foobar?one=1&two=2
> GEMINI_URL_PATH=/cgi-bin/beta/foobar
> PATH_INFO=/foobar
> PATH_TRANSLATED=/home/spc/projects/gemini/non-checkin/cgi-bin/foobar
> QUERY_STRING=one=1&two=2
> REMOTE_ADDR=::ffff:192.168.1.10
> REMOTE_HOST=::ffff:192.168.1.10
> REMOTE_USER=Sean Conner
> REQUEST_METHOD=
> SCRIPT_NAME=/home/spc/projects/gemini/non-checkin/cgi-bin/./beta
> SERVER_NAME=lucy.roswell.area51
> SERVER_PORT=1965
> SERVER_PROTOCOL=GEMINI
> SERVER_SOFTWARE=GLV-1.12556/1

I believe this is using SCRIPT_NAME incorrectly per RFC 3875. The SCRIPT_NAME
should be the part of the URI path that comes before the PATH_INFO [1]. So in
your example:

GEMINI_URL=gemini://lucy.roswell.area51/cgi-bin/beta/foobar?one=1&two=2
SCRIPT_NAME=/cgi-bin/beta
PATH_INFO=/foobar

I'm also curious how you are handling URL-encoding in your CGI variables. For
jetforce, I followed my best interpretation of the RFC 3875 guidelines:

- GEMINI_URL: URL-encoded (not specified by the RFC, of course)
- QUERY_STRING: URL-encoded
- PATH_INFO: URL-decoded
- SCRIPT_NAME: URL-decoded

I have a CGI debug script setup here [2] if anybody wants to poke holes in my
implementation.

[1] https://tools.ietf.org/html/rfc3875#section-3.3
[2] gemini://mozz.us/cgi-bin/debug.cgi

Best,
Michael