httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 22030] - SECURITY: 4097+ bytes of stderr from cgi script causes script to hang
Date Tue, 30 Sep 2003 16:37:29 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

SECURITY: 4097+ bytes of stderr from cgi script causes script to hang





------- Additional Comments From trawick@apache.org  2003-09-30 16:37 -------
There is no fix in CVS for this problem.  There is no stable mod_cgi[d] that
handles 4097+ bytes from stderr mixed in with stdout processing.  I don't
recommend using any of the code in http://www.apache.org/~trawick/ in a
production environment.

I just uploaded jcgi.tar to www.apache.org/~trawick/.  Module was renamed to
mod_jcgi so that hopefully it doesn't get confused with real code from CVS.
This has fewer big picture problems than the mod_cgi.c hacks I had before, and
of course anyone is free to play with it and comment.  See included STATUS file
for some notes.

For production users: if your CGI spews gobs of stuff to stderr, change the CGI
for now.  For folks debugging CGIs who want to have them temporarily spew gobs
of stuff to stderr, play with the hacked up version mentioned here and send me
testcases for stuff that doesn't work.

As always, anybody should feel free to make alternate changes to the real
mod_cgi[d] and submit patches to dev@httpd.apache.org.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

