CGI Security Documentation

CGIWrap URL Quick Reference

This quick reference is designed to make CGIWrap URL usage easier to understand for both standard and password-protected installations. It summarizes the common execution paths, the special debugging variants, and the legacy syntax that appeared in older CGIWrap usage patterns.

In all of the examples below, replace SERVER with the hostname and port of your web server, replace USER with your userid, and replace SCRIPT with the name of the script located in your CGI directory. The goal here is not just to show the raw path patterns, but to make it clear what each variation is used for and when it matters.

Execution Modes

In the URLs below, you can replace cgiwrap depending on the kind of execution behavior you want. These variants are useful because CGIWrap is not limited to one simple execution path. Some names are intended for standard script execution, while others are meant for debugging or scripts that output binary data.

cgiwrap

Normal script execution.

cgiwrapd

Executes the script but returns debugging information. The output is also returned preformatted, which makes it easier to see the raw source that the script is producing during troubleshooting.

nph-cgiwrap

Used for non-parsed header execution. This can matter in situations where normal response handling is not appropriate and the script needs to send output more directly.

nph-cgiwrapd

Similar to the above, but also useful when debugging or when the script outputs binary data, such as an image counter script or other content that should not be altered by standard response handling.

Standard Installation of CGIWrap

For a standard installation, place your scripts in the ~/public_html/cgi-bin/ directory. A typical URL pattern would look like this: 

https://SERVER/cgi-bin/cgiwrap/USER/SCRIPT

You may also see references to the old deprecated syntax. While it still appears in historical documentation, it is generally clearer and easier to use the path-style format instead of older query-based forms. 

https://SERVER/cgi-bin/cgiwrap?user=USER&script=SCRIPT

Password Protected Installation of CGIWrap

For a password-protected installation, place your scripts in the ~/public_html/auth-cgi-bin/ directory. A typical protected CGIWrap URL pattern would look like this: 

https://SERVER/cgi-bin/auth-cgi-bin/cgiwrap/USER/SCRIPT

As with the standard setup, older deprecated forms may still be referenced in some legacy material: 

https://SERVER/cgi-bin/auth-cgi-bin/cgiwrap?user=USER&script=SCRIPT

Other URL Options

With certain web servers, the syntax can sometimes be shortened depending on how the local administrator has configured the environment. That means some sites may support cleaner or more direct URL patterns than the defaults shown above.

Example shortened syntax

https://SERVER/USER/SCRIPT
https://SERVER/cgiwrap/USER/SCRIPT
https://SERVER/cgi-bin/SCRIPT

These patterns are only examples of what may be possible when the server is set up with custom aliases, handlers, or rewrite rules.

The administrator can look at the tricks document for some ideas on configuring the server to support alternate URL styles.

Notes About Legacy Syntax

The syntax examples using user= and script= are carryovers from the original versions of CGIWrap and are not really needed anymore. It is highly recommended that you do not use them unless you are maintaining an older setup that still depends on that form. The path-based examples are much clearer, easier to read, and usually easier to maintain.

As a practical rule, use the path-style syntax whenever possible, use cgiwrapd when you need debugging output, and keep the NPH variants in mind for scripts that return binary data or need special header handling. That simple distinction covers most real-world CGIWrap URL usage.