httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 59886] httpoxy: shouldn't suexec block the questionable HTTP_ variables
Date Tue, 19 Jul 2016 18:09:34 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59886

--- Comment #2 from Christoph Anton Mitterer <calestyo@scientia.net> ---
Well, AFAIU, you're anyway going to block at least the Proxy header in httpd
completely, now, aren't you?

1) has anyone checked whether such naming collisions occur on other HTTP_*
names (which suexec would let pass all)?

2) Could it be that people use suexec (i.e. the binary) outside of Apache (e.g.
behind some other webserver) and would thus benefit from blocking the env_var
at that level as well?


Cheers,
Chris.
