Besides passing query information to a CGI script, you can also pass additional data, known as extra path information, as part of the URL. The extra path information depends on the server knowing where the name of the program ends, and understanding that anything following the program name is "extra." Here is how you would call a script with extra path information:
http://some.machine/cgi-bin/display.pl/cgi/cgi_doc.txt
Since the server knows that display.pl is the name of the program, the string "/cgi/cgi_doc.txt" is stored in the environment variable PATH_INFO. Meanwhile, the variable PATH_TRANSLATED is also set, which maps the information stored in PATH_INFO to the document root directory (e.g., /usr/local/etc/httpd/ public/cgi/cgi-doc.txt).
Here is a CGI script-display.pl-that can be used to display text files located in the document root hierarchy:
#!/usr/local/bin/perl $plaintext_file = $ENV{'PATH_TRANSLATED'}; print "Content-type: text/plain", "\n\n"; if ($plaintext_file =~ /\.\./) { print "Sorry! You have entered invalid characters in the filename.", "\n"; print "Please check your specification and try again.", "\n"; } else { if (open (FILE, "<" . $plaintext_file)) { while (<FILE>) { print; } close (FILE); } else { print "Sorry! The file you specified cannot be read!", "\n"; } } exit (0);
In this example, we perform a simple security check. We make sure that the user didn't pass path information containing "..". This is so that the user cannot access files located outside of the document root directory.
Instead of using the PATH_TRANSLATED environment variable, you can use a combination of PATH_INFO and DOCUMENT_ROOT, which contains the physical path to the document root directory. The variable PATH_TRANSLATED is equal to the following statement:
$path_translated = join ("/", $ENV{'DOCUMENT_ROOT'}, $ENV{'PATH_INFO'};
However, the DOCUMENT_ROOT variable is not set by all servers, and so it is much safer and easier to use PATH_TRANSLATED.