httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 22030] - SECURITY: 4097+ bytes of stderr from cgi script causes script to hang
Date Thu, 09 Oct 2003 10:52:37 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

SECURITY: 4097+ bytes of stderr from cgi script causes script to hang





------- Additional Comments From trawick@apache.org  2003-10-09 10:52 -------
Regarding Greg's comments about a special CGI bucket type being produced by mod_cgi:

There is another issue to solve with mod_cgi[d] that exists in 1.3 as well:
hangs will occur if all body data isn't read first, before the script starts
producing output.  Clearly this isn't something that many scripts have
encountered, but solving this enables some interesting CGI behavior.

My own work on this problem has been to handle all three channels (script's
stdin -- request body, stdout, and stderr) right in mod_cgi.  Sending a special
CGI bucket down the filter chain to solve the stdout/stderr problem doesn't deal
with writing request body to the script as the script can handle it.  With the
I/O handled directly in mod_cgi, an extra channel doesn't need a different model.

An unfortunate problem to solve regardless of where stderr is read is that APR
doesn't support polling on pipes on Win32.  In the long term hopefully some
Win32 gurus will provide a workable solution, but in the short term special
handling is required.  (See APR_FILES_AS_SOCKETS.)

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message