httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dgau...@hyperreal.org
Subject cvs commit: apachen/src/main util_script.c
Date Wed, 21 Jan 1998 22:31:47 GMT
dgaudet     98/01/21 14:31:47

  Modified:    src      CHANGES
               src/main util_script.c
  Log:
  Let people shoot themselves by passing Authorization to CGIs if they
  define SECURITY_HOLE_PASS_AUTHORIZATION.
  
  PR:		549
  Submitted by:	Marc Slemko
  Reviewed by:	Dean Gaudet, Paul Sutton
  
  Revision  Changes    Path
  1.584     +4 -0      apachen/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/CHANGES,v
  retrieving revision 1.583
  retrieving revision 1.584
  diff -u -r1.583 -r1.584
  --- CHANGES	1998/01/21 22:27:17	1.583
  +++ CHANGES	1998/01/21 22:31:44	1.584
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3b4
   
  +  *) If you define SECURITY_HOLE_PASS_AUTHORIZATION then the Authorization
  +     header will be passed to CGIs.  This is generally a security hole, so
  +     it's not a default.  [Marc Slemko] PR#549
  +
     *) Fix Y2K problem with date printing in suexec log.
        [Paul Eggert <eggert@twinsun.com>] PR#1343
     
  
  
  
  1.92      +7 -0      apachen/src/main/util_script.c
  
  Index: util_script.c
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
  retrieving revision 1.91
  retrieving revision 1.92
  diff -u -r1.91 -r1.92
  --- util_script.c	1998/01/14 21:01:08	1.91
  +++ util_script.c	1998/01/21 22:31:46	1.92
  @@ -208,8 +208,15 @@
   	    table_set(e, "CONTENT_TYPE", hdrs[i].val);
   	else if (!strcasecmp(hdrs[i].key, "Content-length"))
   	    table_set(e, "CONTENT_LENGTH", hdrs[i].val);
  +	/*
  +	 * You really don't want to disable this check, since it leaves you
  +	 * wide open to CGIs stealing passwords and people viewing them
  +	 * in the environment with "ps -e".  But, if you must...
  +	 */
  +#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
   	else if (!strcasecmp(hdrs[i].key, "Authorization"))
   	    continue;
  +#endif
   	else
   	    table_set(e, http2env(r->pool, hdrs[i].key), hdrs[i].val);
       }
  
  
  

Mime
View raw message