CGI, SCGI and Certificates (was Re: [ANN] Gemini browser for iOS)

Sean Conner sean at conman.org
Wed Jun 10 02:47:04 BST 2020


It was thus said that the Great Michael Lazar once stated:
> On Tue, Jun 9, 2020 at 7:14 PM Sean Conner <sean at conman.org> wrote:
> >
> > It was thus said that the Great solderpunk once stated:
> > >
> > > (following Sean's lead for now, although I need to bring up some points
> > > for discussion about this in the near future).
> >
> >   So I have two CGI scripts set up.  Both are in a "protected" area of the
> > server (on my development machine) that requires a client certificate.  One
> > receives *just* the RFC-3875 defined variables:
> >
> > AUTH_TYPE=Certificate
> > GEMINI_DOCUMENT_ROOT=/home/spc/projects/gemini/non-checkin/cgi-bin
> > GEMINI_URL=gemini://lucy.roswell.area51/cgi-bin/beta/foobar?one=1&two=2
> > GEMINI_URL_PATH=/cgi-bin/beta/foobar
> > PATH_INFO=/foobar
> > PATH_TRANSLATED=/home/spc/projects/gemini/non-checkin/cgi-bin/foobar
> > QUERY_STRING=one=1&two=2
> > REMOTE_ADDR=::ffff:192.168.1.10
> > REMOTE_HOST=::ffff:192.168.1.10
> > REMOTE_USER=Sean Conner
> > REQUEST_METHOD=
> > SCRIPT_NAME=/home/spc/projects/gemini/non-checkin/cgi-bin/./beta
> > SERVER_NAME=lucy.roswell.area51
> > SERVER_PORT=1965
> > SERVER_PROTOCOL=GEMINI
> > SERVER_SOFTWARE=GLV-1.12556/1
> 
> I believe this is using SCRIPT_NAME incorrectly per RFC 3875. 

  You are correct.  Sigh.  Off to fix it ...

> I'm also curious how you are handling URL-encoding in your CGI variables. For
> jetforce, I followed my best interpretation of the RFC 3875 guidelines:
> 
> - GEMINI_URL: URL-encoded (not specified by the RFC, of course)

  I also URL-encode this.

> - QUERY_STRING: URL-encoded

  I don't URL-decode the query, so what gets passed to the script is what
was passed as the request.

> - PATH_INFO: URL-decoded
> - SCRIPT_NAME: URL-decoded

  Same here, modulo the incorrect SCRIPT_NAME in GLV-1.12556.

  -spc
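Added example, not part of the original message and not code from GLV-1.12556 or jetforce: a Python sketch of the encoding split discussed above (GEMINI_URL and QUERY_STRING left URL-encoded, SCRIPT_NAME and PATH_INFO URL-decoded), with a check on the decoded PATH_INFO before it is mapped to PATH_TRANSLATED. The function name, its parameters, and the choice of `/cgi-bin/beta` as the script's URL path (inferred from the sample PATH_INFO) are assumptions.

```python
from urllib.parse import urlsplit, unquote

def cgi_meta_variables(url, script_name, doc_root):
    """Build RFC 3875 meta-variables for one Gemini request.

    script_name: decoded URL path the server resolved to the script
                 (hypothetical parameter; a real server derives it itself).
    doc_root:    directory that PATH_INFO is mapped onto for PATH_TRANSLATED.
    """
    parts = urlsplit(url)
    # Split on "/" *before* decoding, so an encoded %2F cannot move the
    # boundary between the script name and the extra path.
    segments = [unquote(s) for s in parts.path.split("/")[1:]]
    script_segs = script_name.split("/")[1:]
    if segments[:len(script_segs)] != script_segs:
        raise ValueError("request path is not under the script")

    extra = segments[len(script_segs):]
    for seg in extra:
        # Decoding can reveal traversal that the encoded form hid.
        if seg in (".", "..") or "/" in seg or "\x00" in seg:
            raise ValueError("unsafe PATH_INFO segment: %r" % seg)
    path_info = "/" + "/".join(extra) if extra else ""

    env = {
        "GEMINI_URL": url,               # URL-encoded, as received
        "QUERY_STRING": parts.query,     # URL-encoded, passed through untouched
        "SCRIPT_NAME": script_name,      # URL-decoded URI path, not a file path
        "PATH_INFO": path_info,          # URL-decoded
        "SERVER_NAME": parts.hostname,
        "SERVER_PORT": str(parts.port or 1965),
        "SERVER_PROTOCOL": "GEMINI",
    }
    if path_info:
        env["PATH_TRANSLATED"] = doc_root.rstrip("/") + path_info
    return env

if __name__ == "__main__":
    # Request and document root taken from the variable dump quoted above.
    sample = cgi_meta_variables(
        "gemini://lucy.roswell.area51/cgi-bin/beta/foobar?one=1&two=2",
        "/cgi-bin/beta",
        "/home/spc/projects/gemini/non-checkin/cgi-bin",
    )
    for name in sorted(sample):
        print("%s=%s" % (name, sample[name]))
```
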

