The interface has been in use by the WWW since 1993. This specification defines the interface known as "CGI/1.1".
The following rules are used throughout this specification to describe basic parsing constructs.
alpha = lowalpha | hialphaNote that newline (NL) need not be a single character, but can be a character sequence.
lowalpha = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x" | "y" | "z"
hialpha = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z"
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9"
OCTET = <any 8-bit byte>
CHAR = <any character>
CTL = <any control character>
SP = <space character>
NL = <newline>
LWSP = SP | NL | <horizontal-tab>
tspecial = "(" | ")" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | SP
token = 1*<any CHAR except CTLs or tspecials>
quoted-string = ( <"> *qdtext <"> ) | ( "<" *qatext ">")
qdtext = <any CHAR except <"> and CTLs but including LWSP>
qatext = <any CHAR except "<", ">" and CTLs but including LWSP>
The CGI defines the abstract parameters, known as environment variables, which describe the client's request. Together with a concrete programmer interface, this specifies a platform-independent interface between this script and the HTTP server.
The script URI has the syntax of generic-RL as defined in section 2.1 of RFC 1808 [8], with the exception that object parameters and fragment identifiers are not permitted:
<scheme>://<host>:<port>/<path>?<query>The various components of the script URI are defined by some of the environment variables (see below);
script-uri = protocol "://" SERVER_NAME ":" SERVER_PORT enc-script enc-path-info "?" QUERY_STRINGwhere `protocol' is found from SERVER_PROTOCOL, `enc-script' is a URL-encoded version of SCRIPT_NAME and `enc-path-info' is a URL-encoded version of PATH_INFO.
Define URL-encoding
Case is not signifcant in the names, in that there cannot be two different variable whose names differ in case only. Here they are shown using a canonical representation of capitals plus underscore ("_"). The actual representation of the names is system specific; for a particular system the representation may be defined differently to this.
The standard variables are:
AUTH_TYPE
CONTENT_LENGTH
CONTENT_TYPE
GATEWAY_INTERFACE
HTTP_*
PATH_INFO
PATH_TRANSLATED
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_IDENT
REMOTE_USER
REQUEST_METHOD
SCRIPT_NAME
SERVER_NAME
SERVER_PORT
SERVER_PROTOCOL
SERVER_SOFTWARE
If the script URI would require access authentication for external access, then this variable is found from the `auth-scheme' token in the request, otherwise NULL.
AUTH_TYPE = "" | auth-scheme
auth-scheme = "Basic" | token
CONTENT_LENGTH = "" | [ 1*digit ]
CONTENT_TYPE = "" | media-type
media-type = type "/" subtype *( ";" parameter)
type = token
subtype = token
parameter = attribute "=" value
attribute = token
value = token | quoted-string
application/x-www-form-urlencoded
application/octet-stream
should be assumed.
GATEWAY_INTERFACE = "CGI" "/" 1*digit "." 1*digit
This document defines the 1.1 version of the CGI interface.
Note: the server needs to be able to identify any OS specific parts of the interface, and also any extensions that it provides.
Environment variables with names beginning with "HTTP_" contain header data read from the client, if the protocol used was HTTP. The HTTP header name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the environment variable name. The header data may be presented as sent by the client, or may be rewritten in ways which do not change its semantics. For example, the sever may remove comments from the header. The server must, if necessary, change the representation of the data to be appropriate for a CGI environment variable. Interpretation of these variables may depend on the value of SERVER_PROTOCOL.
The server is not required to create environment variables for all the headers that it receives. In particular, it might remove any headers carrying authentication information, such as `Authorization'.
Notes: should there be a requirement not to pass on certain data?
Should the server be required to remove CRLF from folded headers?
PATH_INFO = "" | "/" path
path = segment *( "/" segment )
segment = *pchar
pchar = <any CHAR except "/">
The PATH_INFO string is some trailing part of the <path> component of the script URI, derived in some implementation defined manner.
protocol "://" SERVER_NAME ":" SERVER_PORT enc-path-info
PATH_TRANSLATED = *CHAR
PATH_TRANSLATED need not be supported by the server. The server may choose to set PATH_TRANSLATED to NULL for reasons of security, or because the path would not be interpretable by a CGI script; such as the object it represented was internal to the server and not visible in the filesystem; or for any other reason.
The algorithm httpd uses to derive PATH_TRANSLATED is obviously system dependent; CGI scripts which use this variable may suffer limited portability.
Note: httpd gets it `wrong' if the translated URI would require authentication.
QUERY_STRING = query-string
query-string = *qchar
qchar = unreserved | escape | ":" | "@" | "&" | "="
unreserved = alpha | digit | safe | extra
safe = "$" | "-" | "_" | "." | "+"
extra = "!" | "*" | "'" | "(" | ")" | ","
escape = "%" hex hex
hex = digit | "A" | "B" | "C" | "D" | "E" | "F" | "a" | "b" | "c" | "d" | "e" | "f"
REMOTE_ADDR = hostnumber
hostnumber = digits "." digits "." digits "." digits
digits = 1*digit
REMOTE_HOST = "" | hostname
hostname = *( domainlabel ".") toplabel
domainlabel = alphadigit [ *alphahypdigit alphadigit ]
toplabel = alpha [ *alphahypdigit alphadigit ]
alphahypdigit = alphadigit | "-"
alphadigit = alpha | digit
Note: the current documentation only requires this to be the `hostname', rather than the FQDN.
REMOTE_IDENT = *CHAR
If AUTH_TPYE is "Basic", then the user-ID sent by the client. If AUTH_TYPE is NULL, then NULL, otherwise undefined.
REMOTE_USER = "" | userid | *OCTET
userid = token
The method with which the request was made, as described in section 5.1.1 of the HTTP/1.0 specification [2].
REQUEST_METHOD = http-method
http-method = "GET" | "HEAD" | "POST" | extension-method
extension-method = token
SCRIPT_NAME = "" | "/" [ path ]
The SCRIPT_NAME string is some leading part of the <path> component of the script URI.
SERVER_NAME = hostname | hostnumber
SERVER_PORT = 1*digit
SERVER_PROTOCOL = HTTP-Version | extension-version
HTTP-Version = "HTTP" "/" 1*digit "." 1*digit
extension-version = protocol "/" 1*digit "." 1*digit
protocol = 1*( alpha | digit | "+" | "-" | "." )
SERVER_SOFTWARE = *CHAR
search-string = search-word *( "+" search-word )After parsing, each word is URL-decoded, optionally encoded in a system specific manner and then the argument list is set to the list of words.
search-word = 1*schar
schar = xunreserved | escape | ";" | ":" | "@" | "&"
xunreserved = alpha | digit | xsafe | extra
xsafe = "$" | "-" | "_" | "."
If the server cannot create any part of the argument list, then the server should generate no command line information. For example, the number of arguments may greater than operating system or server limitations, or one of the words may not be representable as an argument.
Note: the original documentation did not limit this to a GET or HEAD request
There will be at least CONTENT_LENGTH bytes available for the script to read. The script is not obliged to read the data, but it must not attempt to read more than CONTENT_LENGTH bytes, even if more data is available.
For non-parsed header (NPH) scripts (see below), the server should attempt to ensure that the script input comes directly from the client, with minimal buffering.
There are two forms of output that the script can give; non-parsed header (NPH) output, and parsed header output. A server is only required to support the latter; distinguishing between the two types of output (or scripts) is implementation defined.
The server should attempt to ensure that the script output is sent directly to the client, with minimal buffering.
CGI-Response = *( CGI-Header | HTTP-Header ) NL [ Entity-Body ]The response comprises headers and a body, separated by a blank line. The headers are either CGI headers to be interpreted by the server, or HTTP headers to be included in the response returned to the client if the request method is HTTP. At least one CGI-Header must be supplied. If a body is supplied, then a Content-type header is required, otherwise the script must send a Location or Status header.
CGI-Header = Content-type
| Location
| Status
| extension-header
The CGI headers have the generic syntax:
generic-header = field-name ":" [ field-value ] NLThe field-name is not case sensitive; a NULL field value is equivalent to the header not being sent.
field-name = 1*<any CHAR, excluding CTLs, SP and ":">
field-value = *( field-content | LWSP )
field-content = * ( token | tspecial | quoted-string)
Content-Type = "Content-Type" ":" media-type NL
Location = "Location" ":" fragment-URI | rel-URL-abs-path NL
fragment-URI = URI [ # fragmentid ]
rel-URL-abs-path = "/" [ URL-path ] [ "?" query-string ]
URL-path = psegment *( "/" psegment )
psegment = *qchar
protocol "://" SERVER_NAME ":" SERVER_PORT rel-URL-abs-path
Status = "Status" ":" 3digit SP reason-phrase NL
reason-phrase = *<CHAR, excluding CTLs, NL>
The value for SCRIPT_NAME is governed by the server configuration and the location of the script in the OS filesystem. Given this, any access to the partial URI
SCRIPT_NAME extra-path ? query-informationwhere extra-path is either NULL or begins with a "/" and satisfies any other server requirements, will cause the CGI script to be executed with PATH_INFO set to the decoded extra-path, and QUERY_STRING set to query-information (not decoded).
Servers should reject with error 404 any requests that would result in an encoded "/" being decoded into PATH_INFO or SCRIPT_NAME.
Note: this should be made a requirement.
Although the server and the CGI script need not be consistent in their handling of URL paths (client URLs and the PATH_INFO data, respectively), server authors may wish to impose consistency. So the server implementation should define its behaviour for the following cases:
"."
or ".."
path
segments; i.e. whether they are prohibited, treated as ordinary path
segments or interpreted in accordance with the relative URL
specification [8];
If the output of a form is being processed, check that CONTENT_TYPE is "application/x-www-form-urlencoded" [9].
Note: presumably 400 is the appropriate error code in this case.If parsing PATH_INFO, PATH_TRANSLATED or SCRIPT_NAME then be careful of void path segments ("//") and special path segments ("." and ".."). They should either be removed from the path before use in OS system calls, or the request should be rejected with 404 Not Found. It is very unlikely that any other use could be made of these.
As it is impossible for the script to determine the client URI that initiated this request, the script should not return text/html documents containing relative-URL links without including a <BASE> tag in the document.
When returning headers, the script should try to send the CGI headers as soon as possible, and preferably before any HTTP headers. This may help reduce the server's memory requirements.
GetVar
. The
flags argument should be 0. Case is ignored, but upper case is
recommended for compatability with case-sensitive systems.
getenv
.
argc
and argv
arguments to main()
. The words are have any characters which
are `active' in the bourne shell escaped with a backslash.
[2] Berners-Lee, T., Fielding, R. T. and Frystyk Nielsen, H., `Hypertext Transfer Protocol -- HTTP/1.0', Work in progress (draft-ietf-http-v10-spec-04.txt), MIT/LCS, UC Irvine, October 1995.
[3] Postel, J., `Media Type Registration Procedure', RFC 1590, ISI, March 1994.
[4] Berners-Lee, T., Masinter, L. and McCahill, M., Editors, `Uniform Resource Locators (URL)', RFC 1738, CERN, Xerox Corporation, University of Minnesota, December 1994.
[5] Mockapetris, P., `Domain Names - Concepts and Facilities', STD 13, RFC 1034, ISI, November 1987.
[6] Braden, R., Editor, `Requirements for Internet Hosts -- Application and Support', STD 3, RFC 1123, IETF, October 1989.
[7] StJohns, M., `Authentication Server', RFC 931, TPSC, January 1985.
[8] Fielding, R., `Relative Uniform Resource Locators', RFC 1808, UC Irving, June 1995.
[9] Berners-Lee, T. and Connolly, D., `Hypertext Markup Language - 2.0', RFC 1866, MIT/W3C, November 1995.