Holger wrote: So back to topic.
Good idea. I just found some time to read the (hopefully) relevant part of the mentioned CGI spec:
The SCRIPT_NAME variable MUST be set to a URI path (not URL-encoded) which could identify the CGI script
So when calling http://www.haptonomiedommelen.nl/, SCRIPT_NAME has to be "/servertest.php", as http://www.haptonomiedommelen.nl/hapton ... ertest.php would lead nowhere. But wait! How can we make assumptions about SERVER_NAME? If SERVER_NAME is "http://www.praktijkdommelen.nl/", then SCRIPT_NAME has to be "/haptonomiedommelen/servertest.php".
So the test script should at least be extended to output SERVER_NAME, which is quite likely to confirm my assumption that SERVER_NAME is indeed "http://www.praktijkdommelen.nl/". So far this would be fine according to the CGI 1.1 specification. And even the setting of CMSIMPLE_ROOT seems to be correct in this case (this has to be double-checked).
The problem is the cookies. These are set by the browser for the domain that was browsed (the HTTP HOST). As this is still http://www.haptonomiedommelen.nl/, the cookie path has to be "/", so CMSIMPLE_ROOT is not appropriate in this case.
Something to consider!
PHP_SELF is evil! Potential cross-site scripting (XSS)!
<CYNICAL>So I state: $_GET, $_POST, $_COOKIE are evil too, and have to be strictly avoided! I strongly suggest we remove these variables from the core of CMSimple. This will render CMSimple useless---but at least it doesn't allow for XSS!</CYNICAL>
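As an added example (not CMSimple's code and not from anyone in this thread), the script below shows the two points raised above in working PHP: deriving the cookie path from the URL the browser actually requested (REQUEST_URI) rather than from the server-side script location (SCRIPT_NAME), and escaping PHP_SELF before it is printed into HTML. The hostnames are the ones discussed; the request arrays are constructed values, and the assumption is that the web server passes the client's request line through in REQUEST_URI (as Apache does), so its directory is what the browser will later match cookie paths against.

```php
<?php
// Added example, not CMSimple's own code. Shows (1) deriving a cookie
// path from the URL the browser requested rather than from the
// server-side script location, and (2) escaping PHP_SELF before output.

/**
 * Directory of a URI path, always with a trailing slash.
 * "/haptonomiedommelen/servertest.php" -> "/haptonomiedommelen/"
 * "/servertest.php"                    -> "/"
 */
function uriDir(string $path): string
{
    $path = strtok($path, '?') ?: '/';          // drop any query string
    return rtrim(dirname($path), '/') . '/';
}

/**
 * Cookie path for this request. REQUEST_URI is what the browser sent,
 * so its directory is the path the browser will match cookies against.
 * SCRIPT_NAME may carry the subdirectory a host alias maps to, which the
 * browser never sees (assumption: the server passes the client's request
 * line through in REQUEST_URI, as Apache does).
 */
function cookiePath(array $server): string
{
    return uriDir($server['REQUEST_URI'] ?? $server['SCRIPT_NAME']);
}

/** Safe form of the script URI for embedding in an HTML attribute. */
function safeSelf(array $server): string
{
    // SCRIPT_NAME excludes PATH_INFO, the part of PHP_SELF that the
    // client controls; escaping covers the remaining characters.
    return htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

// Constructed request data (hypothetical values for the two hostnames
// discussed in the thread; not captured from a real server).
$aliasedRequest = [
    'HTTP_HOST'   => 'www.haptonomiedommelen.nl',
    'REQUEST_URI' => '/servertest.php?x=1',
    'SCRIPT_NAME' => '/haptonomiedommelen/servertest.php',
    'PHP_SELF'    => '/haptonomiedommelen/servertest.php/"><b>injected</b>',
];
$directRequest = [
    'HTTP_HOST'   => 'www.praktijkdommelen.nl',
    'REQUEST_URI' => '/haptonomiedommelen/servertest.php',
    'SCRIPT_NAME' => '/haptonomiedommelen/servertest.php',
    'PHP_SELF'    => '/haptonomiedommelen/servertest.php',
];

foreach ([$aliasedRequest, $directRequest] as $req) {
    $fromScript  = uriDir($req['SCRIPT_NAME']);  // what CMSIMPLE_ROOT-style logic yields
    $fromBrowser = cookiePath($req);              // what setcookie() should be given
    printf("%-28s cookie path %-22s (SCRIPT_NAME would give %s)%s\n",
        $req['HTTP_HOST'], $fromBrowser, $fromScript,
        $fromScript !== $fromBrowser ? '  <- mismatch, browser would never send the cookie' : '');
    // Raw PHP_SELF would put the trailing PATH_INFO straight into the attribute;
    // the escaped SCRIPT_NAME is what should be printed instead.
    printf("  unsafe: <form action=\"%s\">\n", $req['PHP_SELF']);
    printf("  safe:   <form action=\"%s\">\n", safeSelf($req));
}
```

Run with `php example.php`: for www.haptonomiedommelen.nl the cookie path comes out as "/" while SCRIPT_NAME would give "/haptonomiedommelen/", which is exactly the mismatch described above; for www.praktijkdommelen.nl both agree. The "unsafe" line shows the attribute broken open by the PATH_INFO tail of PHP_SELF, the "safe" line the escaped SCRIPT_NAME that keeps the markup intact.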