CGI Environment Variable: QUERY_STRING

Matthias Diener
21 May 2007, 23:22
Hi Hugo,
I got a question about the QUERY_STRING, because it is not conform to the o Specification, which says: "It should not be decoded in any fashion." (
Is it a security feature of hiawatha that the variable is decoded?
Is there a switch to get the standard behaviour?
regards Matthias
Hugo Leisink
22 May 2007, 11:01
I wasn't aware of the fact that QUERY_STRING should not be decoded.

On the other hand, Hiawatha removes the potentially dangerous characters (ASCII value 31 and below) from the URL. There is no need for the rest of the characters to url-encode them. So, in Hiawatha there is actually no reason to not decode it. And I think a good and secure designed website doesn't need anymore characters then a-z, A-Z, 0-9, =, & and ? in the URL.

I've seen a lot of security issues in my daily work as a security auditor/consultant with 'weird' characters in an URL. The way Hiawatha handles the QUERY_STRING might not be in accordance with the RFC, but it's more secure this way. So, for now, I'll leave it this way.

If you think there is a good reason to change things, please let me know.
Matthias Diener
25 May 2007, 14:51
Hi Hugo,
I think you're right that special characters must not be used in URLs. I don't use them as well.
I just hope that there is no new security leak in fixing the first one.
e.g.: php (and other cgi frameworks) is doing url-decoding too and if you got a String like "this%25can%20be%20an%error" php will get a "%ca" to decode..
It might be the only problem, that a percent sign is created and has a potential hex-figure behind it..
regards Matthias
Hugo Leisink
25 May 2007, 18:30
Hi Matthias,

thanks for your reply. I was aware of the %25 issue. Actually, there are some more issues involving the %-sign. They will be fixed in the next release.

27 March 2009, 15:50
if the 2 or more people access the web server simultaneously
will this QUERY_STRING variable be polluted ????
or is the server thread safe and making this environment variable seperate to all.
Hugo Leisink
27 March 2009, 16:35
Of course it's thread safe. Every connection has its own thread, so no information will get mixed up.
28 March 2009, 07:19
Thanks a lot.
u made my life simple.
This topic has been closed.