URL is changed after processing in C/CGI

Question

Hello All,

I have a C/CGI application. In order to redirect to the same page

const char * redirect_page_format =
"<html>\n"
"<head>\n"
"<meta http-equiv=\"REFRESH\"\n"
"content=\"0;url=%s\">\n"
"</head>\n"
"</html>\n";
printf (redirect_page_format, getenv (URL));

Before this the url is like this "http://ipaddress/page.html".

For some pages, I am able to redirect correctly.

But some html pages,

1. The url is either appended with a character like this "http://ipaddress/page.htmlP"

2. Or the url is changed like one of the following:

http://ipaddress/page.htm

http://ipaddress/page.hX

Edit 1

I will send the url through query string. It will be got using the command.

getenv("QUERY_STRING")

By parsing the query string, url can be got and it is given as an argument to redirect command.

printf (redirect_page_format, getenv (URL));

Answer 1

I can't see anything that would cause that in the above code. Sounds like some wayward pointer writing somewhere else in the script might have written data to corrupt the end of the variable string?

What is getenv(URL) anyway? There isn't a standard CGI environment variable that gives you the current URL; you usually have to tiresomely piece it together from REQUEST_METHOD/HTTP_HOST/SERVER_PORT/SCRIPT_NAME/PATH_INFO/QUERY_STRING. On Apache you do get REQUEST_URI but it won't work on other servers.

Whilst it wouldn't usually cause the problem you quote, there is an issue with printfing text into an HTML context like you have above: you don't have any HTML-escaping, so any &, " or < characters in the URL will cause invalid output. Every time you add text or attribute value content from a string you must HTML-escape it, or you risk a cross-site-scripting security hole. (" and < are unlikely to exist in a URL but can get there depending on how you're handling SCRIPT_NAME/PATH_INFO. & is very likely to appear in the URL.)

Finally, <meta refresh> for redirect is highly undesirable. Why not a proper Location-based redirect?