Note: This is an attempt to define the de facto CGI standard. I have tried to be consistent with the available documentation and the behaviour of existing software (in fact, only NCSA httpd.)
Together the HTTP server (httpd) and the CGI programs are responsible for servicing a client request by sending back responses. The client request comprises a Universal Resource Identifier (URI) , a request method, and various ancillary information about the request provided by the transport mechanism.
The following rules are used throughout this specification to describe basic parsing constructs.
alpha = lowalpha | hialphaNote that newline (NL) need not be a single character, but can be a character sequence.
lowalpha = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x" | "y" | "z"
hialpha = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z"
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9"
OCTET = <any 8-bit byte>
CHAR = <any character>
CTL = <any control character>
SP = <space character>
NL = <newline>
LWSP = SP | NL | <horizontal-tab>
tspecial = "(" | ")" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | SP
token = 1*<any CHAR except CTLs or tspecials>
quoted-string = ( <"> *qdtext <"> ) | ( "<" *qatext ">")
qdtext = <any CHAR except <"> and CTLs but including LWSP>
qatext = <any CHAR except "<", ">" and CTLs but including LWSP>
Case is not signifcant in the names, in that there cannot be two different variable whose names differ in case only. Here they are shown using capitals plus underscore ("_"). The actual representation of the names is system specific; for a particular system (e.g. Unix) the representation will be well defined (e.g. uppercase).
The standard variables are:
If the script URI would require access authentication for external access, then this variable is found from the `auth-scheme' token in the request, otherwise NULL.
AUTH_TYPE = "" | auth-scheme
auth-scheme = "Basic" | token
Notes: for httpd, replace `script URI' with `client URI'.
Are other auth schemes case insensitive? The HTTP spec does not say so.
CONTENT_LENGTH = "" | [ 1*digit ]
CONTENT_TYPE = "" | media-type
media-type = type "/" subtype *( ";" parameter)
type = token
subtype = token
parameter = attribute "=" value
attribute = token
value = token | quoted-string
application/octet-streamshould be assumed.
GATEWAY_INTERFACE = "CGI" "/" 1*digit "." 1*digit
This document defines the 1.1 version of the CGI interface.
Notes: the server needs to be able to identify any OS specific parts of the interface, and also any extensions that it provides.
Environment variables with names beginning with "HTTP_" contain header data read from the client, if the protocol used was HTTP. The HTTP header name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the environment variable name. The header data may be presented as sent by the client, or may be rewritten in ways which do not change its semantics. For example, the sever may remove comments from the header. The server must, if necessary, change the representation of the data to be appropriate for a CGI environment variable.
The server is not required to create environment variables for all the headers that it receives. In particular, it might remove any headers carrying authentication information, such as `Authorization'.
Notes: should there be a requirement not to pass on certain data?
Should the server be required to remove CRLF from folded headers?
PATH_INFO = "" | "/" path
path = segment *( "/" segment )
segment = *pchar
pchar = <any CHAR except "/">
The PATH_INFO may be some trailing part of the client URI, some string specified to the server or even the entire client URI path. It is not possible for the CGI script to determine how PATH_INFO was chosen on the basis of the CGI environment variables alone. The programmer must use her knowledge of the context in which the script will be used.
Notes: I originally defined this to be the same as the path allowed in an HTTP request, but that is not sufficiently tied down.
The existing CGI documentation requires PATH_INFO to be derived from part of the client URI; this specification does not.
protocol "://" SERVER_NAME ":" SERVER_PORT enc-path
PATH_TRANSLATED = *CHAR
PATH_TRANSLATED need not be supported by the server. The server may choose to set PATH_TRANSLATED to NULL for reasons of security, or because the path would not be interpretable by a CGI script; such as the object it represented was internal to the server and not visible in the filesystem; or for any other reason.
The algorithm httpd uses to derive PATH_TRANSLATED is obviously system dependent; CGI scripts which use this variable may suffer limited portability.
Notes: httpd gets it `wrong' if the translated URI would invoke a CGI script, or use multiviews etc., or if the translated URI would require authentication.
QUERY_STRING = query-string
query-string = *qchar
qchar = unreserved | escape | ";" | ":" | "@" | "&" | "="
unreserved = alpha | digit | safe | extra
safe = "$" | "-" | "_" | "." | "+"
extra = "!" | "*" | "'" | "(" | ")" | ","
escape = "%" hex hex
hex = digit | "A" | "B" | "C" | "D" | "E" | "F" | "a" | "b" | "c" | "d" | "e" | "f"
REMOTE_ADDR = hostnumber
hostnumber = digits "." digits "." digits "." digits
digits = 1*digit
REMOTE_HOST = "" | hostname
hostname = *( domainlabel ".") toplabel
domainlabel = alphadigit [ *alphahypdigit alphadigit ]
toplabel = alpha [ *alphahypdigit alphadigit ]
alphahypdigit = alphadigit | "-"
alphadigit = alpha | digit
Note: the current documentation only requires this to be the `hostname', rather than the FQDN.
REMOTE_IDENT = *CHAR
If AUTH_TPYE is "Basic", then the user-ID sent by the client. If AUTH_TYPE is NULL, then NULL, otherwise undefined.
REMOTE_USER = "" | userid | *OCTET
userid = token
The method with which the request was made, as described in section 5.2 of the HTTP/1.0 specification .
REQUEST_METHOD = http-method
http-method = "GET" | "HEAD" | "PUT" | "POST" | "DELETE" | "LINK" | "UNLINK" | extension-method
extension-method = token
SCRIPT_NAME = "" | "/" [ path ]
Note: again, this is slightly different to the current HTTP/1.0 specification  of Request-URI.
SERVER_NAME = hostname | hostnumber
SERVER_PORT = 1*digit
SERVER_PROTOCOL = HTTP-Version | extension-version
HTTP-Version = "HTTP" "/" 1*digit "." 1*digit
extension-version = protocol "/" 1*digit "." 1*digit
protocol = 1*( alpha | digit | "+" | "-" | "." )
Note: the current documentation does not define a syntax for protocol.
SERVER_SOFTWARE = *CHAR
script-uri = protocol "://" SERVER_NAME ":" SERVER_PORT enc-script enc-path "?" QUERY_STRING
This URI does not necessarily have any meaning outside the context of the server and CGI script. Hence we do not define the environment variables in terms of this URI, but instead use this URI as a convenient representation of the environment variables.
search-string = search-word *( "+" search-word )After parsing, each word is URL-decoded, optionally encoded in a system specific manner and then the argument list is set to the list of words.
search-word = 1*schar
schar = xunreserved | escape | ";" | ":" | "@" | "&"
xunreserved = alpha | digit | xsafe | extra
xsafe = "$" | "-" | "_" | "."
If the server cannot create any part of the argument list, then the server should generate no command line information. For example, the number of arguments may greater than operating system or server limitations, or one of the words may not be representable as an argument.
Note: the original documentation did not limit this to a GET request
There will be at least CONTENT_LENGTH bytes available for the script to read. The script is not obliged to read the data, but it must not attempt to read more than CONTENT_LENGTH bytes, even if more data is available.
The format of the data output is only defined if the request protocol is HTTP.
CGI-Response = 1*CGI-Header *( HTTP-Header ) NL [ Entity-Body ]The response comprises headers and a body, separated by a blank line. The headers are either CGI headers to be interpreted by the server, or HTTP headers to be included in the response returned to the client. If a body is supplied, then a Content-type header is required, otherwise the script must send a Location or Status header.
CGI-Header = Content-type
Note: If the body is optional, then how can a zero-length body be detected?The CGI headers have the generic syntax:
generic-header = field-name ":" [ field-value ] NLThe field-name is not case sensitive; a NULL field value is equivalent to the header not being sent.
field-name = 1*<any CHAR, excluding CTLs, SP and ":">
field-value = *( field-content | LWSP )
field-content = * ( token | tspecial | quoted-string)
Content-Type = "Content-Type" ":" media-type NL
Note: should this be optional? If so, what value should the server or client assume? And does the presence of the header imply the presence of a message body?
Location = "Location" ":" fragment-URI | rel-URL-abs-path NL
fragment-URI = URI [ # fragmentid ]
rel-URL-abs-path = "/" [ URL-path ] [ "?" query-string ]
URL-path = psegment *( "/" psegment )
psegment = *qchar
protocol "://" SERVER_NAME ":" SERVER_PORT rel-URL-abs-path
Status = "Status" ":" 3digit NL
The value for SCRIPT_NAME is governed by the server configuration and the location of the script in the OS filesystem. Given this, any access to the partial URI
SCRIPT_NAME extra-path ? query-informationwhere extra-path is either NULL or begins with a "/" and satisfies any other server requirements, will cause the CGI script to be executed with PATH_INFO set to the decoded extra-path, and QUERY_STRING set to query-information (not decoded).
Servers should reject with error 404 any requests that would result in an encoded "/" being decoded into PATH_INFO or SCRIPT_NAME.
Note: this should be made a requirement.
Servers may impose arbitrary restrictions on paths to ensure consistency with the server's own treatment of paths, such as restrictions on allowed characters (e.g. disallow ASCII NULL), restriction on specific path segments (such as non-terminal NULL segments, or "." or "..") or restrictions on path or search string lengths.
Servers may generate the script URI in any way from the client URI, or from any other data (but the behaviour should be documented!).
If the output of a form is being processed, check that CONTENT_TYPE is "application/x-www-form-urlencoded".
Note: presumably 400 is the appropriate error code in this case.If parsing PATH_INFO, PATH_TRANSLATED or SCRIPT_NAME then be careful of void path segments ("//") and special path segments ("." and ".."). They should either be removed from the path before use in OS system calls, or the request should be rejected with 404 Not Found. It is very unlikely that any other use could be made of these.
As it is impossible for the script to determine the client URI that initiated this request, the script should not return text/html documents containing relative-URL links without including a <BASE> tag in the document.
getenvand their names are in uppercase.
main(). The words are have any characters which are `active' in the bourne shell escaped with a backslash.
stdinstream; output must be written on the
 Berners-Lee, T., Fielding, R. T. and Frystyk Nielsen, H., `Hypertext Transfer Protocol - HTTP/1.0', Work in Progress, March 1995.
 Berners-Lee, T., Masinter, L. and McCahill, M., Editors, `Uniform Resource Locators (URL)', RFC 1738, CERN, Xerox Corporation, University of Minnesota, December 1994.
 Braden, R., Editor, `Requirements for Internet Hosts - Application and Support', STD 3, RFC 1123, IETF, October 1989.
 Mockapetris, P., `Domain Names - Concepts and Facilities', STD 13, RFC 1034, ISI, November 1987.
 Postel, J., `Media Type Registration Procedure', ISI, March 1994.
 StJohns, M., `Authentication Server', RFC 931, TPSC, January 1985.