[ic] Adding backdoor for Interchange administration to the dancefloor

Jon Jensen jon at endpoint.com
Fri Sep 14 22:53:16 UTC 2012


On Fri, 14 Sep 2012, Stefan Hornburg (Racke) wrote:

> Does anyone know which kind of commandline parameters can be passed to 
> CGI in order to adjust the send_arguments function for the plugin?

Welcome to the 1990s!

Mike may be the only one who remembers for sure, but I think that dates 
from the Minivend 3 days before named arguments were used in GET requests, 
as defined in section 7 of the CGI spec:

http://tools.ietf.org/html/draft-robinson-www-interface-00

and as parsed by Interchange in &Vend::Server::parse_post (which gets 
called for GET requests too), in the current version's lines 378-383:

     if( defined $pairs[0] and $pairs[0] =~ /^   (\w{8,32})? ; /x)  {
         @CGI::values{qw/ mv_session_id mv_arg mv_pc /}
             = split /;/, $pairs[0], 3;
         shift @pairs;
     }

Back then a Minivend 3 URL looked something like:

http://site/cgi-bin/vlink/flypage?01234567;somesku;987

And as per CGI spec, because there's no unencoded = in the query string, 
it's passed as a command line argument to the CGI program, appearing as 
@ARGV.

The whole arg will show up in $ARGV[0] unless there are + characters, in 
which case those are spaces and it splits the other words into the rest of 
@ARGV.

Anyway, Mike would have to confirm, but if I'm remembering this right, and 
you're not using ancient Minivend 3 args, you can probably just ignore 
this stuff altogether for your Dancer plugin.

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/



More information about the interchange-users mailing list