httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 59886] New: httpoxy: shouldn't suexec block the questionable HTTP_ variables
Date Tue, 19 Jul 2016 16:00:23 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59886

            Bug ID: 59886
           Summary: httpoxy: shouldn't suexec block the questionable HTTP_
                    variables
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_suexec
          Assignee: bugs@httpd.apache.org
          Reporter: calestyo@scientia.net

Hey.

In the wake of httpoxy[0], shouldn't suexec also block the problematic HTTP_ env
vars from being passed on?

Right now it seems that anything starting with HTTP_ or SSL_ is passed through,
which doesn't seem particularly trustworthy at first glance.

Cheers,
Chris.


[0] https://httpoxy.org/

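Added example, not part of the original message and not suexec's own code: a minimal C sketch of the filtering the report asks about, passing the HTTP_ and SSL_ prefixes through while refusing HTTP_PROXY by exact name. The function names, the denylist contents and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes passed through wholesale, as the report describes. */
static const char *const pass_prefixes[] = { "HTTP_", "SSL_", NULL };
/* Assumed denylist: HTTP_PROXY is what CGI derives from a "Proxy:" request
 * header, and many HTTP clients read it as proxy configuration (httpoxy). */
static const char *const deny_names[] = { "HTTP_PROXY", NULL };

/* Return 1 if the "NAME=value" entry may reach the child, 0 otherwise. */
int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                       /* malformed or empty name */
    size_t nlen = (size_t)(eq - entry);
    /* Exact-name denylist is checked before the prefix rule. */
    for (int i = 0; deny_names[i] != NULL; i++)
        if (strlen(deny_names[i]) == nlen &&
            strncmp(entry, deny_names[i], nlen) == 0)
            return 0;
    for (int i = 0; pass_prefixes[i] != NULL; i++)
        if (strncmp(entry, pass_prefixes[i], strlen(pass_prefixes[i])) == 0)
            return 1;
    return 0;                           /* default: drop */
}

/* Copy pointers to allowed entries into out (NULL-terminated, capacity cap). */
size_t clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < cap; i++)
        if (env_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample environment. */
    char *const sample[] = { "HTTP_HOST=example.org",
                             "HTTP_PROXY=http://proxy.invalid:3128",
                             "SSL_PROTOCOL=TLSv1.2", "LD_PRELOAD=/tmp/x.so", NULL };
    const char *kept[8];
    size_t n = clean_env(sample, kept, 8);
    for (size_t i = 0; i < n; i++)
        printf("pass: %s\n", kept[i]);
    return 0;
}
```

The denylist is matched on the whole variable name, so other HTTP_-prefixed names still pass through under the prefix rule.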