
No query string added to form action attribute on IIS 7

Project: Drupal core
Version: 6.x-dev
Component: base system
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (won't fix)

Issue Summary

Sepeck and I were playing around with the IIS 7 URL Rewrite Module CTP when we noticed that Drupal is completely unusable on IIS 7 with fastcgi.

IIS 7 now has a $_SERVER['REQUEST_URI'] which, contrary to Apache, does not contain the query string and, when rewriting is enabled, does not even contain the entered URL.

This means that all form action attributes are action="/base_dir/index.php" preventing proper form submission. In addition, page caching (keyed on request uri) is broken as well.

IIS 7 + fastcgi gives us the following variables to play with:

Clean URLs ON:

[HTTP_X_ORIGINAL_URL] => /core6/node/add/story
[REQUEST_URI] => /core6/index.php
[QUERY_STRING] => q=node/add/story

Clean URLs OFF:
[HTTP_X_ORIGINAL_URL] => not set.
[REQUEST_URI] => /core6/index.php
[QUERY_STRING] => q=node/add/story

Note that the patch assumes the IIS URL rewrite module for clean URLs.
I really don't like testing $_SERVER['SERVER_SOFTWARE'], but I don't see a way around it.

Attachment: request_uri_iis7.patch (1.21 KB). Status: Ignored: Check issue status. Test result: None. Operations: None.

Comments

#1

Status: active » needs work

Why not check first for $_SERVER['HTTP_X_ORIGINAL_URL'] then? Instead of server sniffing.

#2

We need to sniff anyway, as when URLs are not rewritten, REQUEST_URI still exists but should not be used for IIS.

Attachment: 298016_request_uri_iis7.patch (854 bytes). Status: Ignored: Check issue status. Test result: None. Operations: None.

#3

It's very easy to add an arbitrary HTTP_X_ORIGINAL_URL header, so we need to take care analysing possible security issues.
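
The concern raised in #3, worked through against the server variables listed in the issue summary. This is an added sketch, not part of the thread, not either attached patch and not Drupal's own `request_uri()`; the helper name `resolve_request_uri()`, the assumed rewrite rule (path mapped to `index.php?q=path`) and the sample inputs are assumptions made for the example.

```php
<?php
// Added illustration: resolve_request_uri() is a hypothetical helper,
// not Drupal's request_uri() and not either attached patch.
function resolve_request_uri(array $server) {
  $uri      = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/index.php';
  $query    = isset($server['QUERY_STRING']) ? $server['QUERY_STRING'] : '';
  $software = isset($server['SERVER_SOFTWARE']) ? $server['SERVER_SOFTWARE'] : '';

  // Outside IIS 7 the header is just something the client sent: never read it.
  if (strpos($software, 'Microsoft-IIS/7') !== 0) {
    return $uri;
  }
  // Unpatched IIS 7 + FastCGI: REQUEST_URI is the script path without the query.
  $fallback = ($query !== '' && strpos($uri, '?') === FALSE) ? $uri . '?' . $query : $uri;
  if (!isset($server['HTTP_X_ORIGINAL_URL'])) {
    return $fallback;
  }
  $path = strtok($server['HTTP_X_ORIGINAL_URL'], '?');
  // Local absolute path only: one leading slash, no backslashes, no control
  // characters (rejects "//host", "/\host" and header-splitting bytes).
  if (!is_string($path) || !preg_match('#^/(?!/)[^\x00-\x1f\x7f\\\\]*\z#', $path)) {
    return $fallback;
  }
  // Cross-check with what the rewrite rule produced (assumed: path -> index.php?q=path).
  parse_str($query, $params);
  $q    = (isset($params['q']) && is_string($params['q'])) ? $params['q'] : '';
  $base = rtrim(dirname($uri), '/\\');
  if (rawurldecode($path) !== $base . '/' . $q) {
    return $fallback;
  }
  // Take only the path from the header; rebuild the query from QUERY_STRING.
  unset($params['q']);
  $rest = http_build_query($params);
  return $path . ($rest !== '' ? '?' . $rest : '');
}

// Constructed inputs modelled on the variables listed in the issue summary.
$iis = array('SERVER_SOFTWARE' => 'Microsoft-IIS/7.0', 'REQUEST_URI' => '/core6/index.php',
             'QUERY_STRING' => 'q=node/add/story');
echo resolve_request_uri($iis + array('HTTP_X_ORIGINAL_URL' => '/core6/node/add/story')), "\n";
echo resolve_request_uri($iis + array('HTTP_X_ORIGINAL_URL' => '//example.invalid/x')), "\n";
echo resolve_request_uri($iis), "\n";
```

The returned value still has to be escaped when it is written into a form `action` attribute, and a cache key built from it inherits whatever the cross-check lets through.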

#4

The IIS team is aware of this issue and the hotfix for IIS7 fastcgi module will be provided at the end of August 2008. With the hotfix the REQUEST_URI server variable will include the query string, as well as path info. Also, in case of URL rewriting it will contain the original, un-rewritten URL.

#5

Status: needs work » postponed

Thank you.

For those needing it badly: The hotfix is available at http://support.microsoft.com/kb/954946

#6

Maybe this should be documented on http://drupal.org/requirements ?

#7

Status: postponed » closed (won't fix)

I've added it to the requirements page.

#8

I will see about testing with the MS hotfix in the next two weeks.

#9

I've tested with the hotfix, and it solves the issue at hand.

#10

The update for the IIS 7.0 FastCGI module that fixes this issue is now publicly available from Microsoft. You can download the update from here:

http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=954946&DisplayLang=en

With this update the FastCGI module now sets the REQUEST_URI server variable to include query string and path info. Also, if URL rewriting is used on the web server then the REQUEST_URI will contain the originally requested URL, not the rewritten one.

More information about the update is available here: http://ruslany.net/2008/08/update-for-iis-70-fastcgi-module/

#11

Thanks ruslany. I will update the requirements page and get working on an install doc for it.
