From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 59886] httpoxy: shouldn't suexec block the questionable HTTP_ variables
Date: Tue, 19 Jul 2016 18:09:34 +0000
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_suexec
X-Bugzilla-Version: 2.5-HEAD
X-Bugzilla-Severity: blocker
X-Bugzilla-Status: NEW
X-Bugzilla-Who: calestyo@scientia.net

https://bz.apache.org/bugzilla/show_bug.cgi?id=59886

--- Comment #2 from Christoph Anton Mitterer ---
Well, AFAIU, you're anyway going to block at least the Proxy header in httpd completely, now, aren't you?

1) Has anyone checked whether such naming collisions occur on other HTTP_* names (which suexec would let pass all)?

2) Could it be that people use suexec (i.e. the binary) outside of Apache (e.g. behind some other webserver) and would thus benefit from blocking the env_var at that level as well?

Cheers,
Chris.
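Added example, not part of the original message and not taken from httpd's suexec source: a C sketch of the wrapper-level filtering the comment asks about, passing HTTP_* environment entries to a CGI child except names on a denylist. The function names, the denylist array and the sample values are assumptions made for illustration; HTTP_PROXY is the only collision named in this thread.

```c
#include <stdio.h>
#include <string.h>

/* Assumed denylist: HTTP_* names that other software also reads as its own
 * configuration. Only HTTP_PROXY comes from the bug report. */
static const char *const blocked_names[] = { "HTTP_PROXY", NULL };

/* Return 1 if a "NAME=value" entry may be handed to the CGI child.
 * This sketch covers only the HTTP_* pass-through rule. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t name_len, i;

    if (eq == NULL || strncmp(entry, "HTTP_", 5) != 0)
        return 0;
    name_len = (size_t)(eq - entry);
    for (i = 0; blocked_names[i] != NULL; i++) {
        /* Compare the whole name so HTTP_PROXY_CONNECTION is not caught. */
        if (strlen(blocked_names[i]) == name_len &&
            strncmp(entry, blocked_names[i], name_len) == 0)
            return 0;
    }
    return 1;
}

/* Copy allowed entries from the NULL-terminated in[] into out[], which has
 * room for cap pointers including the terminator. Returns the count kept. */
static size_t filter_http_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0, i;

    if (cap == 0)
        return 0;
    for (i = 0; in[i] != NULL && n + 1 < cap; i++)
        if (env_entry_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample environment, as a server would build it from
     * request headers (Proxy: becomes HTTP_PROXY). */
    char *sample[] = { "HTTP_HOST=example.test",
                       "HTTP_PROXY=http://192.0.2.1:3128",
                       "HTTP_ACCEPT=text/html", NULL };
    const char *kept[4];
    size_t n = filter_http_env(sample, kept, 4), i;

    for (i = 0; i < n; i++)
        puts(kept[i]);
    return 0;
}
```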